Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

0dbf4a53a7...ef.exe

windows7-x64

8

0dbf4a53a7...ef.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    134s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 04:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0dbf4a53a709516a9c1c362fd727b7ef.exe

  • Size

    649KB

  • MD5

    0dbf4a53a709516a9c1c362fd727b7ef

  • SHA1

    bdc9a44903c006b3b86797e715f46d3930365e79

  • SHA256

    2be652d5bf6494a329b2a1087b7c8d27030c974d69a115924466a217d5cee517

  • SHA512

    1a5c010df670ce162c574616c9a7a9309e09d3efbedf3a7846c9420a7dbb8c59a375348828cc16b93b9fbf4e88db401dd37ea322a1b57f71d2fbbcd98ed4486e

  • SSDEEP

    12288:gREX7F/rNTTCY1ZfFZueHVtxnW7xRypQLR2+huboz:gRO7lP1ZdfH9wRcQLR2bUz

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 15 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dbf4a53a709516a9c1c362fd727b7ef.exe
    "C:\Users\Admin\AppData\Local\Temp\0dbf4a53a709516a9c1c362fd727b7ef.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\inf\svchoct.exe
      "C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_080930a.dll tan16d
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\myls3tecj.bat"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\myls3tecj.bat"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\system\sgcxcxxaspf080930.exe
          "C:\Windows\system\sgcxcxxaspf080930.exe" i
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            PID:108
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:108 CREDAT:275457 /prefetch:2
              6⤵
                PID:1308
    • C:\Windows\system\sgcxcxxaspf080930.exe
      "C:\Windows\system\sgcxcxxaspf080930.exe" i
      1⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      c59659fccc16dbc1a0f13751384cfe26

      SHA1

      208b4c35b4c758addb12e6bdb099e127389a032a

      SHA256

      ce42b3db0885dba0ad1c8331943aff5a34aa3dfa94b8d87f0cb61e506cf673e3

      SHA512

      98a04b9d7fb8f9bf9c11b629d9db685a12dd10421ab0ecc9c4d61662614c5964adbf257e084b6b65e067274e0bc2abd14eaa1477636ad404381acb3961fb3a58

      Download Submit

    • C:\Windows\system\sgcxcxxaspf080930.exe
      Filesize

      649KB

      MD5

      0dbf4a53a709516a9c1c362fd727b7ef

      SHA1

      bdc9a44903c006b3b86797e715f46d3930365e79

      SHA256

      2be652d5bf6494a329b2a1087b7c8d27030c974d69a115924466a217d5cee517

      SHA512

      1a5c010df670ce162c574616c9a7a9309e09d3efbedf3a7846c9420a7dbb8c59a375348828cc16b93b9fbf4e88db401dd37ea322a1b57f71d2fbbcd98ed4486e

      Download Submit

    • C:\Windows\tawisys.ini
      Filesize

      61B

      MD5

      927d810ed85ae51acd034172f6745148

      SHA1

      98064b5b0cf4f5118312690abb28f20b35dc8c60

      SHA256

      acc387ef5a53e20850cbe01cd7ab7f6e7ee2033aa42789ee08d0082571354361

      SHA512

      adc4200a3d4f1404be2105b65b8a26b15369bad8b298d95decddd28a61be428e80495400c43966a86244b518a0258f15eed4d6530a25e555d514363c7517cb06

      Download Submit

    • C:\Windows\tawisys.ini
      Filesize

      427B

      MD5

      4c63fda7968d68e6b8de970c18b473fe

      SHA1

      4ef9f3af94dd4ebfc8e8436ab6ab8ad187eced39

      SHA256

      9210246c7f0a2f01fe698b9c123428c6c55990e8bf8be9ea8ff7c2052fa58aac

      SHA512

      1c575e199af8eef5747b908b133aad0f67f6ee0c00ea76055a2afbe9a44152e718efc04b196c081d65c1c578a9bee191ec59cbaaa813e82633198cfcae810c2a

      Download Submit

    • C:\Windows\tawisys.ini
      Filesize

      460B

      MD5

      f0347fb28ea1f4a7e1eb6ec9551019d0

      SHA1

      4ad3cfefc77710b83dde84394df28cd27ddf9052

      SHA256

      fd13671e9b50bf4cfd7c44652ee3b13e4ddb466ae3caf2581a1b2883dfaf3ff4

      SHA512

      8944a9ac00390d69ab61d65a4dbebbbc5de6ae4767cfe42081c9c202c52c24e6d2abbf6264f8bdd1cee235bdad686d3dc70850c61ee3ece340daff9019d6a23a

      Download Submit

    • C:\Windows\tawisys.ini
      Filesize

      487B

      MD5

      a933dae74401cbb9166b7fdc59ccc5de

      SHA1

      ef1ee10681ca603a7be16303de182b2c573dba83

      SHA256

      cc3b06bfae8da37e06b021948181038111c1ee72059c8a1e08c63e8d81e62ab2

      SHA512

      2d757f2b7e9c60614e8aeab64973245a98bf9dd2a6392f7a67187113841302b18a6a64f40ed7195fbcfc54874f6ed1460cca29b1bb520d9cee970d4f37296e95

      Download Submit

    • \??\c:\myls3tecj.bat
      Filesize

      53B

      MD5

      5f3cd89461f7fb82092309fee54d928a

      SHA1

      208ddb61cd3b5b9cab6575e9c3b084cd8a762c31

      SHA256

      c4990862886b349f59c8a2d10ce1e84c39f6bc3cf50ba3bc2a97287c3becbedf

      SHA512

      047b175cd2c061a5d0d492674108febc10ef03b05691a7d89717b626c794b778534e013fcb509628260d5625954d2688faeef5a454fe311ebe0560064340a952

      Download Submit

    • memory/2236-48-0x0000000000400000-0x00000000004A9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/2652-72-0x0000000000400000-0x00000000004A9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/2652-71-0x0000000000400000-0x00000000004A9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/2880-91-0x0000000000400000-0x00000000004A9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/2880-102-0x0000000000400000-0x00000000004A9000-memory.dmp

      Filesize

      676KB

      Download