Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

03f37b7e3e...34.exe

windows7-x64

8

03f37b7e3e...34.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/12/2023, 21:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03f37b7e3e52e10b63f67ea217130f34.exe

  • Size

    39KB

  • MD5

    03f37b7e3e52e10b63f67ea217130f34

  • SHA1

    a98967f9160270844c869227b1ba9ac8c23ad893

  • SHA256

    8981c157e64e92085adf91be032b36d9780bb5f2b10c13e75cc6ae4acb4b0035

  • SHA512

    32697c9c535ff5a18b0c22f89ec8611f8bbfbbebfc61f7c19bfecd4cc28bb9261acb51f434ce775e7e7e9f88346ce87e854b7ac18f58db5e3434b1a416699c43

  • SSDEEP

    768:lyLH7TlCuqtXF5rg1QAmdDUJKfz/XZ/ABI0MMNtjqTpifw5o:l8lCuWXbrnfdAUXZ/AiWLqTpifN

Score
8/10
persistenceupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03f37b7e3e52e10b63f67ea217130f34.exe
    "C:\Users\Admin\AppData\Local\Temp\03f37b7e3e52e10b63f67ea217130f34.exe"
    1⤵
    • Adds policy Run key to start application
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
          PID:3016
      • C:\Windows\SysWOW64\net.exe
        net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          3⤵
            PID:2640
        • C:\Windows\SysWOW64\sc.exe
          sc config SharedAccess start= DISABLED
          2⤵
          • Launches sc.exe
          PID:2416
        • C:\Users\Admin\AppData\Local\Temp\zly0i.exe
          C:\Users\Admin\AppData\Local\Temp\zly0i.exe
          2⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\SysWOW64\sc.exe
            sc config SharedAccess start= DISABLED
            3⤵
            • Launches sc.exe
            PID:2876
          • C:\Windows\SysWOW64\net.exe
            net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2548
          • C:\Windows\SysWOW64\sc.exe
            sc config wscsvc start= DISABLED
            3⤵
            • Launches sc.exe
            PID:3012
          • C:\Windows\SysWOW64\net.exe
            net.exe stop "Security Center"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2296
          • C:\Users\Admin\AppData\Local\Temp\zly0i.exe
            C:\Users\Admin\AppData\Local\Temp\zly0i.exe -dFFEC17FDEB2C4B940AFBE0C7105495903AAF6012A6F4DC048EE82553489059332B565975D2BC8DA45931AC047E38D727CF028F324D394658305BA30EA913AC02D59D71C2484FF41DCDC15B27539BB55122D9D29CC85906FD5EF6CAA31CE595E94E1D6B67253EF36D06C80A6238FF326525E857638EC2B2F65B7FD897ED983889282E963184C64092E6D5154516D2951A09D38A885B581E50A62A493CA37FFB2E32577D04BCD8D0CE8CEC1B4016B761CC3E4619A6253260A7000ADA5E074482557EFCEDFA6722D8255C2DF860A1315D0E76C8EFBB261DCBB06C888AF12296B4585EE1F50A5DE8CD7EF40BC9585F9A8DCAA2943B10D85EF7332A8693143FC5B3E6628DE04AB83364CC37D9EBD13B7136F3F26C6953F3C2B62CBAF97526E453E7C85A043DC4D1EE92AE457FFB845D42DD37D71F2790700F1F0ADEABEA6BDCA5F3B4597DD65041988B5E7F5DD5592DDD485C043E6009880787A0974AF26F3011BD22AFCFBBF1E0B9C6688769980F56A47A0567B24322B5CC82E0267CC7A128B9698FEDAD38DBC891F6093D44A03AC031BA00342E3C79AE53E5630C89E94A4D5A5D48
            3⤵
            • Executes dropped EXE
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2236
            • C:\Windows\SysWOW64\sc.exe
              sc config wscsvc start= DISABLED
              4⤵
              • Launches sc.exe
              PID:1692
            • C:\Windows\SysWOW64\sc.exe
              sc config SharedAccess start= DISABLED
              4⤵
              • Launches sc.exe
              PID:528
            • C:\Windows\SysWOW64\net.exe
              net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
              4⤵
                PID:2244
              • C:\Windows\SysWOW64\net.exe
                net.exe stop "Security Center"
                4⤵
                  PID:2484
              • C:\Users\Admin\AppData\Local\Temp\zly0i.exe
                C:\Users\Admin\AppData\Local\Temp\zly0i.exe -d2E3D0CE665A22AF55EAF6F48A3E780856BFE592BF4A6A37B0167D3A50CD4056F1F62F3DF7D1382AB7911AE063573DE2E1BD6EE53483C6E704E25E449EF5515BBBFF7A013D1D6729BDED2DFA3824A58BF857E24774ADB7F78DA730A6E27DF79017626D8C71535E77CC77856338C5AEC8AB20EDFFA4B05E2DB7D52B8F354254CF6EDEBA017387A0CCBABE8A8FC9440D659EC074547DC21E5B751C1A4D557B8ED360C643D426B0A507B4519ABE51BBE940DBCD2BB16CEED15A0AF54C3425266F72FFE8B3521206B5FB58D0D73F6E263E3B3EA47E5AD327E3EBF30D249C8A517499E2BE94BB608BA2795BC4356C6E92CBFF97F46A9BC59296FDBAC07AD3EF11FFEA63BDF862B1385D3624CA7E8D9723965DBC56D2C64D5C8F36F3D08A3E917B0755D19452AC3734ED2E0F4C9FE95FEF553B4449FD26E7519584D3B4E1F9E39404A0DECC8BC3A9841D005AF8DAE224EBE4652C6FC41284CC36A4D419C57CAB89959C61E7E014B346DBB15B55B4CDB63913A4553865D3CA9D0385A267CC1A733A2C1275919FE1D3861BE797F486E3C7E886CC335284D481F250D3703C8108C8D97
                3⤵
                • Executes dropped EXE
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:300
                • C:\Windows\SysWOW64\net.exe
                  net.exe stop "Security Center"
                  4⤵
                    PID:2404
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "Security Center"
                      5⤵
                        PID:2284
                    • C:\Windows\SysWOW64\sc.exe
                      sc config wscsvc start= DISABLED
                      4⤵
                      • Launches sc.exe
                      PID:1180
                    • C:\Windows\SysWOW64\sc.exe
                      sc config SharedAccess start= DISABLED
                      4⤵
                      • Launches sc.exe
                      PID:1524
                    • C:\Windows\SysWOW64\net.exe
                      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
                      4⤵
                        PID:1644
                  • C:\Windows\SysWOW64\sc.exe
                    sc config wscsvc start= DISABLED
                    2⤵
                    • Launches sc.exe
                    PID:2800
                  • C:\Windows\SysWOW64\Rundll32.exe
                    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
                    2⤵
                    • Adds Run key to start application
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1080
                    • C:\Windows\SysWOW64\runonce.exe
                      "C:\Windows\system32\runonce.exe" -r
                      3⤵
                      • Checks processor information in registry
                      PID:1816
                      • C:\Windows\SysWOW64\grpconv.exe
                        "C:\Windows\System32\grpconv.exe" -o
                        4⤵
                          PID:1344
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c C:\Users\Admin\AppData\Local\Temp\zr5ys29xx.bat
                      2⤵
                      • Deletes itself
                      PID:1636
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                    1⤵
                      PID:2128
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "Security Center"
                      1⤵
                        PID:3028
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop "Security Center"
                        1⤵
                          PID:576
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                          1⤵
                            PID:1120
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
                            1⤵
                              PID:1312

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
                              Filesize

                              413B

                              MD5

                              ce1f2d7c8e36f3c085a5d281b9ebeb2f

                              SHA1

                              bbbfae948d625afe50f66f34282bda3974cfdce5

                              SHA256

                              312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c

                              SHA512

                              89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\zly0i.exe
                              Filesize

                              17KB

                              MD5

                              74b73a9e5d6d0165a923de290ed5cbb6

                              SHA1

                              8ec066a1102b483b1a1e5b73e3cb7fe5fb8f413b

                              SHA256

                              0372805efdc487797266eb10e141b00ec56df20c3011cb32b9a8e05801a1d387

                              SHA512

                              34f3ebb4453a8120198c75df5f72d1f5a19589730aeda8eed5d09a909f66611ca7dc7dbbd9f47202fe8d05d42164c3b99ea2d6b2e4fab268593fd19d6cc19648

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\zr5ys29xx.bat
                              Filesize

                              190B

                              MD5

                              06a64df409ba42664fa09605c8398dc6

                              SHA1

                              a69aa15d4be29366d136a9e363b269988e21945b

                              SHA256

                              b6176f45a01338eacaa8fe923ba6c53ccdd7013cf4921b17814e3e43b6d61592

                              SHA512

                              115927c40b240588bed1859600a64612c32819dd97e84ed8526da2c6b4d6ac78043897679395f15dbb2cf4adffbea730f6d5228e711d50f96459c5343a2ce23a

                              Download Submit

                            • \Users\Admin\AppData\Local\Temp\zly0i.exe
                              Filesize

                              13KB

                              MD5

                              efe1f67fd0258ec21fe22d01781f9912

                              SHA1

                              0597ac0ad1ba33d3281148012cc3c34541683cec

                              SHA256

                              977684e4f39b5b1719b335d8586468b3066efc9e27935ccfacccc4f72065b7cc

                              SHA512

                              52b6802e753446a29793ddce4aadab6b95f598bcd69cada699191ad2c026d9e3d601b112004334357973934874ac7bbc6e75212b9dad8681f17fc90469b1c286

                              Download Submit

                            • \Users\Admin\AppData\Local\Temp\zly0i.exe
                              Filesize

                              39KB

                              MD5

                              03f37b7e3e52e10b63f67ea217130f34

                              SHA1

                              a98967f9160270844c869227b1ba9ac8c23ad893

                              SHA256

                              8981c157e64e92085adf91be032b36d9780bb5f2b10c13e75cc6ae4acb4b0035

                              SHA512

                              32697c9c535ff5a18b0c22f89ec8611f8bbfbbebfc61f7c19bfecd4cc28bb9261acb51f434ce775e7e7e9f88346ce87e854b7ac18f58db5e3434b1a416699c43

                              Download Submit

                            • memory/300-69-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/300-63-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/300-61-0x0000000003480000-0x00000000044E2000-memory.dmp

                              Filesize

                              16.4MB

                              Download

                            • memory/2236-27-0x00000000034F0000-0x0000000004552000-memory.dmp

                              Filesize

                              16.4MB

                              Download

                            • memory/2236-30-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2236-41-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2236-47-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2536-13-0x0000000002790000-0x00000000027B5000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2536-7-0x0000000002790000-0x00000000027B5000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2536-28-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2536-0-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2536-3-0x0000000003630000-0x0000000004692000-memory.dmp

                              Filesize

                              16.4MB

                              Download

                            • memory/2536-38-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2760-29-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2760-50-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2760-20-0x00000000033D0000-0x0000000004432000-memory.dmp

                              Filesize

                              16.4MB

                              Download

                            • memory/2760-67-0x0000000002A60000-0x0000000002A85000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2760-14-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download

                            • memory/2760-74-0x0000000000400000-0x0000000000425000-memory.dmp

                              Filesize

                              148KB

                              Download