Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

2b5cff0897...5f.exe

windows7-x64

8

2b5cff0897...5f.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    87s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 06:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b5cff0897686a2750f8761c64a5555f.exe

  • Size

    15KB

  • MD5

    2b5cff0897686a2750f8761c64a5555f

  • SHA1

    dc65cf46526c5b04f2c1bab0bceb413c35f1f7f4

  • SHA256

    9996b1329a7f71432e25b092cbc77a162344c2531f222bba96add176ad3c83c0

  • SHA512

    5a6bfd83a40aafc038d8ca969e325b72b3c6f8113ed4b50e07ae84d7cd406ee07cb5d2987f89ae33beb8185871d58d59d1720ae0a0ac3c8764d261c1227e4d5e

  • SSDEEP

    384:NkqD50TkFdPiXWIn0lPybUI7vHLcbSYOHl:NGTkFdPGWIn0cN6l

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 33 IoCs
  • Drops file in Program Files directory 29 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b5cff0897686a2750f8761c64a5555f.exe
    "C:\Users\Admin\AppData\Local\Temp\2b5cff0897686a2750f8761c64a5555f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2B5CFF~1.EXE > nul
      2⤵
        PID:5092
      • \??\c:\windows\system\alg.exe
        c:\windows\system\alg.exe
        2⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4260
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\temp\*.* /q /s
      1⤵
        PID:4308

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
        Filesize

        303KB

        MD5

        c37c71ede592e4a6feee2fc7aec4fd9e

        SHA1

        fea5c8af4d38655fc513a6000c6b122afdf8581b

        SHA256

        da151a2e011074add6106ed3ae03c1ee03f79228d1a160fc1956f6422f2857e5

        SHA512

        de86844ec96dd01814a7f4d5287d74d6410ff942be3a466503c7ab9690ed4dfda8b0db9a1d29da40089054718cac58e39a86aed94bad1fa26adc5b71bc438eae

        Download Submit

      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
        Filesize

        93KB

        MD5

        19405c3a90ccb6c2b68a6163b71a93f5

        SHA1

        f134788bf078dbc1e98855321560b5e1a63a7831

        SHA256

        3ee9eaf9c337814f2cd793ec19ad076dc9b1a7df9b0b42c8bc1b588ee338b609

        SHA512

        f8c33b3960a550c72cdf47ce88288a456aa67bca2b555b74a52a62ec1ac45e8541676d9a2ae12b53fa92c94f2845bddbf027f2e97e39dfae86d3521ecb4a0938

        Download Submit

      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
        Filesize

        122KB

        MD5

        16f564a785766172730440245b0140d5

        SHA1

        0eb715c86e16e183b9aeb4a8aa8a66c0a80e5396

        SHA256

        271da500ecdc8c9dbab597625b2bbdf1f9ec7489b9d93a3490fa2e694da9f194

        SHA512

        0984cafaede608c00c3117fbb75f00899f1a96be49010ac12c128ae49e290cfd1aa7a2180301054130766294ddba94638bfed2b9c9914d68ff98b669729db1e3

        Download Submit

      • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
        Filesize

        92KB

        MD5

        dca384871c637cc0764fe75205147c80

        SHA1

        03225f9cb5bddef4379b032195d5926956fb9927

        SHA256

        18f37ee61d0bfaccd524800605065ddee29ac720b9ed25ec0efc1822bc90b2c9

        SHA512

        357250f813e80086c639e7b57c9b807c27a81855a7691a66694c9089f1a95df8fe9fad8051cec3e5bb9ce9fbd1b8e9c8b5491031f94d2dd9303e2c63d0dcf414

        Download Submit

      • C:\odt\office2016setup.exe
        Filesize

        92KB

        MD5

        906c00ee1393213655bc6f04df3adae5

        SHA1

        f5a5746b2b4f7581a1022abb810b4535b477f96d

        SHA256

        3df384856ccfdf1cf115342a3affbb47d43ee8db8f74bb362b8a619047a38100

        SHA512

        abc27ef9be9c5eb815343c09f9910ae5fdb7315451dcd4136bccd7c4588bc028643759882d6b3be16ddaaccc06882d959527892f64b6ead21d48d18afc9f45f5

        Download Submit

      • C:\odt\office2016setup.exe
        Filesize

        381KB

        MD5

        6ebe3108a1c4d53579500b3e92998acb

        SHA1

        36f5a9ee3a55b9fa1be22782600cf9b4718304b4

        SHA256

        c1a2f79b34cbecdacff4827c75d5afdef63b39d3435dea1b64272db493bfb4e9

        SHA512

        95becc5153af4f0f4b4a346d1e3402c0617184111473d408e12b67836a2e7a1d2f6d7e8d8c5d85a316b34891629d91f057e71589054021f220e114de5a3c3841

        Download Submit

      • \??\c:\windows\system\alg.exe
        Filesize

        15KB

        MD5

        2b5cff0897686a2750f8761c64a5555f

        SHA1

        dc65cf46526c5b04f2c1bab0bceb413c35f1f7f4

        SHA256

        9996b1329a7f71432e25b092cbc77a162344c2531f222bba96add176ad3c83c0

        SHA512

        5a6bfd83a40aafc038d8ca969e325b72b3c6f8113ed4b50e07ae84d7cd406ee07cb5d2987f89ae33beb8185871d58d59d1720ae0a0ac3c8764d261c1227e4d5e

        Download Submit