Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 00:27

General

  • Target

    21ad40ebba38ba8b5112e5efa800de23.exe

  • Size

    123KB

  • MD5

    21ad40ebba38ba8b5112e5efa800de23

  • SHA1

    3e2702cfd93c19a61ff840e90f2b8ae8a9219cc5

  • SHA256

    a68472503f47b5c26530df3d7f346cd94a2641f94fe81092c6e1dc968de543ba

  • SHA512

    205decc5aede504c71898d5f6a59002fb5f48014c4846e2110b0d3cf019daec3dc3f93f036f90c495ee168593d4a111d6360125f064b7607e516500db7ce4297

  • SSDEEP

    3072:JNV7lSLVJy8cfzsbZpZhrVFBmQy6Ge2QLxo:JPl0y/fcZbnlHGgLxo

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21ad40ebba38ba8b5112e5efa800de23.exe
    "C:\Users\Admin\AppData\Local\Temp\21ad40ebba38ba8b5112e5efa800de23.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\21ad40ebba38ba8b5112e5efa800de23.exe"
      2⤵
        PID:4892
      • C:\Windows\SysWOW64\inf\svchoct.exe
        "C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_081223a.dll d16tan
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "c:\mylbs3tecj.bat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2976
          • C:\Windows\system\sgcxcxxaspf081223.exe
            "C:\Windows\system\sgcxcxxaspf081223.exe" i
            4⤵
            • Adds policy Run key to start application
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1040
            • C:\Program Files\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1820
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:368

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4F44.tmp

      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QPBAQNGM\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Windows\SysWOW64\inf\svchoct.exe

      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

    • C:\Windows\System\sgcxcxxaspf081223.exe

      Filesize

      123KB

      MD5

      21ad40ebba38ba8b5112e5efa800de23

      SHA1

      3e2702cfd93c19a61ff840e90f2b8ae8a9219cc5

      SHA256

      a68472503f47b5c26530df3d7f346cd94a2641f94fe81092c6e1dc968de543ba

      SHA512

      205decc5aede504c71898d5f6a59002fb5f48014c4846e2110b0d3cf019daec3dc3f93f036f90c495ee168593d4a111d6360125f064b7607e516500db7ce4297

    • C:\Windows\dcbdcatys32_081223a.dll

      Filesize

      236KB

      MD5

      f11e8839e7523778b7ce91fe7a405814

      SHA1

      35115ca4d16e3db0c6fd3e0ae298ac380e6da8cb

      SHA256

      5266e86873177107d5d8d3e8bc7c734ab84c71f828289cd2bc18e518a94eb17d

      SHA512

      f85894f1f8b7d17541dc5f3ed435d15108bcc5b06f20efe066c6f1712cb4ae5545a50182dc903a96a76f48ecbdb1b842930106a855c2b7b36beeb68f8140355f

    • C:\Windows\tawisys.ini

      Filesize

      133B

      MD5

      96db3991b815fcae6f7547e59c423601

      SHA1

      f068557a3b9456d9d3dc28a980cb65df6dc422ab

      SHA256

      fbde73ab608799c03d2139d50703abdf8106e88d7874a6fe6ec3cc20f83ba721

      SHA512

      3eb3567b71c3df4d6e4e58bff44e0ac031063e2bc44b9b0d8a81f0765db5ca5b1219797c364def05e1aae3ce8114808136ccca3b077a8a00cf384cd89bdae6f3

    • C:\Windows\tawisys.ini

      Filesize

      384B

      MD5

      3fe4da3002f9b667570fa0595525dbf9

      SHA1

      c010b89db5a2fee8a66e20e63c7c844c0ca2f33d

      SHA256

      3e845268ad5c6850141be7b96e228f25d3d0c8ec6a980ff048a044aa37b7fd27

      SHA512

      0d575d285cfff6472aece7f76e169f34c86d4454ce1fe8e1a055b8c8ec5a31ca9a126c01979d1d723c2b7710eb39450aca9205ef813fd73e079a33cb56749705

    • C:\Windows\tawisys.ini

      Filesize

      435B

      MD5

      57fefac010c031fe46ab21f2b4731b05

      SHA1

      e2f5328bb74ec22e461125195eb25cf1affa1b6e

      SHA256

      4a41697f7b21980f057a93c9331011738804300dbabb7de67b4c9d2e1ded06c1

      SHA512

      bb277c5c01cb290dd0e6907320c69c8f563e1db28d865bcf759aa6bf6b3e0bfd55297ec39bd0fddef449997811beb7ad6f1f2797c3074ac5f8bcb1a2ccf5aeff

    • C:\Windows\tawisys.ini

      Filesize

      468B

      MD5

      98879f19f60013702adbd4753b4297ec

      SHA1

      72582bf61b158c5ebb5b8c62d76b8f16554b489b

      SHA256

      5d282278d3c6dd792d42da16de8c8e5ddcc2b4d73edb28e187a02d9243da4a28

      SHA512

      f39a3e653657856615dbf8a8b0f7d3afd36e438a39eedf27dfe88da0e2f5fdd25a53254f302cfaf51abf401b8014e84bcc47891907f9bb833116679a652539fb

    • C:\Windows\tawisys.ini

      Filesize

      70B

      MD5

      6bc2707d4f367dcbe27f33969b861d14

      SHA1

      f76c20844691ec031ea297374a13eab9a1cec598

      SHA256

      c0b3697f097c241ec889493f24adf8286a093071ff2c32d51f63d517c38ad03c

      SHA512

      912d93eb34a4b1bb857710bb63bc295e9e7cba6ec164d75a9b9bdcef2c0ffb7648be0487f4a8c2e76a3decb12f4ec9115f04b696512ebab50185e1a92ec903af

    • C:\Windows\tawisys.ini

      Filesize

      495B

      MD5

      61645ad3047e062a4ff7f3e7ad258cb7

      SHA1

      3d3214a9f53675003373372cbc21173d2464863d

      SHA256

      eb997f03412431a434b74b2b3107685f8e2ef6ba8a228182d3d8c715ab26bf77

      SHA512

      ebd67254c13c107609ae1f33cfa20f281222d26a714b7677ffb7c62613f535849867c6d7d5d29cceb2071e6dfc94881afc3bac7c5e8ae17d11c81b33ba0c7ae3

    • C:\Windows\wftadfi16_081223a.dll

      Filesize

      36KB

      MD5

      201dff7c81ae1e05d4550bfaf93ad469

      SHA1

      cae1e5530988734f89521e46f4890eaeaab3b84c

      SHA256

      8ef55757f30292b735e694b471c926dd31d6c674f89bc8abff4e9ae9575d411d

      SHA512

      15ab50e0165964c3c40f98003c741011b5cf1f05bccfe57d5ef7c71e29d99a54bea800b6bc7b9e4f8987192be30a52ef4dc7160649aa367e5a2cb250ed0a92dc

    • \??\c:\mylbs3tecj.bat

      Filesize

      53B

      MD5

      da61e5e79afbc1c6f145fbbb67694d44

      SHA1

      a3cfcbf1b3da4bfa7a481757ae3f95e06b02f1cc

      SHA256

      fe892d6088d6f97bd93fb1539be587f5202f2623f6105a48cb88bbb197fa9a92

      SHA512

      36bdc3f9013019b3d2859b6b230c0c57acede2ddc7cfe4d68cb149e66bc303d080ac7f46124e7e0293055ac31434b73397ad5e175e7ec5181cff0063fa4c3488

    • memory/1040-86-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

    • memory/1040-93-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

    • memory/1040-66-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

    • memory/2108-0-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

    • memory/2108-59-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

    • memory/4372-76-0x00000000006C0000-0x00000000006CF000-memory.dmp

      Filesize

      60KB

    • memory/4372-58-0x00000000006C0000-0x00000000006CF000-memory.dmp

      Filesize

      60KB

    • memory/4372-122-0x00000000006C0000-0x00000000006CF000-memory.dmp

      Filesize

      60KB