Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

0d5cd0cb28...76.exe

windows7-x64

10

0d5cd0cb28...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    193s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 03:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d5cd0cb28a6da2bf6c2de5166ee9d76.exe

  • Size

    391KB

  • MD5

    0d5cd0cb28a6da2bf6c2de5166ee9d76

  • SHA1

    f7008a4c1ac1b27590ee56655c18f6f3f1fc1ff2

  • SHA256

    8fcd842d46ad70bf72148e7a5d9d587566f91164279f32ae78670199e980a5e3

  • SHA512

    2016e5f87aa76d5aa4dedb08b10d7f3b4522612871c692697a858392d3343cb4132b8fc2f38bf78871f2f48ff032502d0aa07eb059f3ea11459277bac4c8058e

  • SSDEEP

    6144:lqq1+wa/QKgZ+K1J/4Thmd3Wc11KxEpBnXLz+k4O7Cp/LJz8Eb:YkkQKgD1uThmdmU1KxEpRLyw7et4Eb

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d5cd0cb28a6da2bf6c2de5166ee9d76.exe
    "C:\Users\Admin\AppData\Local\Temp\0d5cd0cb28a6da2bf6c2de5166ee9d76.exe"
    1⤵
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2264
    • C:\ProgramData\MgKPyEORiQUvGj.exe
      C:\ProgramData\MgKPyEORiQUvGj.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Users\Admin\*.*" /s /d
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\MgKPyEORiQUvGj.exe
    Filesize

    391KB

    MD5

    0d5cd0cb28a6da2bf6c2de5166ee9d76

    SHA1

    f7008a4c1ac1b27590ee56655c18f6f3f1fc1ff2

    SHA256

    8fcd842d46ad70bf72148e7a5d9d587566f91164279f32ae78670199e980a5e3

    SHA512

    2016e5f87aa76d5aa4dedb08b10d7f3b4522612871c692697a858392d3343cb4132b8fc2f38bf78871f2f48ff032502d0aa07eb059f3ea11459277bac4c8058e

    Download Submit

  • memory/552-7-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/552-9-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/552-20-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/552-25-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/552-26-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2264-0-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2264-1-0x0000000000620000-0x0000000000621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2264-2-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2264-8-0x0000000000400000-0x000000000047A000-memory.dmp

    Filesize

    488KB

    Download