Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

21c3c367ee...9a.exe

windows7-x64

10

21c3c367ee...9a.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    141s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 00:30 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21c3c367eeeb6174276891ad87e9879a.exe

  • Size

    31KB

  • MD5

    21c3c367eeeb6174276891ad87e9879a

  • SHA1

    a8363b5ca07877cf06ca16712ba4b56963589736

  • SHA256

    b01280a4c6fdab5e4bc54cf5865b3bf0740067a70c2eacf2fe795f0c18db927a

  • SHA512

    4fb1d48227b3dab7d8694965bd332ed16d0b56929caa17a1ebcb240344eb20518d903d81ef21d4096ec5577124ff07a39e77565a09a0b7dcdf4c320684510d22

  • SSDEEP

    768:VbMk8T8t4U0XYbWkUaWfeyZ0HDkjiPcnbcuyD7UjNWGg:Vw+P0obWkUwSjPnouy8JS

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\21c3c367eeeb6174276891ad87e9879a.exe
    "C:\Users\Admin\AppData\Local\Temp\21c3c367eeeb6174276891ad87e9879a.exe"
    1⤵
    • UAC bypass
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1888

Network

  • flag-us
    DNS
    c.shidaihuabian.com
    21c3c367eeeb6174276891ad87e9879a.exe
    Remote address:
    8.8.8.8:53
    Request
    c.shidaihuabian.com
    IN A
    Response
No results found
  • 8.8.8.8:53
    c.shidaihuabian.com
    dns
    21c3c367eeeb6174276891ad87e9879a.exe
    65 B
     138 B
     1
    1

    DNS Request

    c.shidaihuabian.com

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\259430910.DLL
    Filesize

    12.1MB

    MD5

    d5ae1480054364becaf44f15f84db2f7

    SHA1

    73a46e6049589e6358c46dde4815f91151039122

    SHA256

    92b6933287c3e43f6393573d5a40f4609db05afc720c0b6fc22d05b17f013d3a

    SHA512

    11c6f9d2db8d533136d98dd060b036525b4a88faa9061fc20a03794d9119bb12a6d4a6fdfa138c94885ddf564e5af34bbac59b0b4bd459c3a6ecf9e277c7d269

    Download Submit

  • memory/1888-0-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1888-5-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.