Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b35413142e...3a.exe

windows7-x64

10

b35413142e...3a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe

  • Size

    2.5MB

  • MD5

    f3b0179ba1f2f60ea88c4f14c4e7a829

  • SHA1

    cada0b63415bfdafac480da21742d673a6f1d359

  • SHA256

    b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a

  • SHA512

    fd4f6e6eec6e565435c7fd7d6e5f79d7f59cca0e9ef068f370c65b270d5d4fa034b0990ecb8fb4427ee58ff5048b88130c2b80002e7d63a15c0b4aec2d342303

  • SSDEEP

    49152:VkJD9VUS2v2/czNA6XgbuzDUyjYFb1nbuZvaMba5A7e0JSkJsGdLtFprqRbFFjfr:y9ESLEzNA6XAycRpuwiPBOGdZGxFFrJh

Score
10/10
googleevasionpersistencephishingtrojan

Malware Config

Signatures

  • Detected google phishing page
    phishinggoogle
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe
    "C:\Users\Admin\AppData\Local\Temp\b35413142e0ffa56479335bb15a37fa10c531034b0bb137f5643969a0ae76b3a.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fo7Qf38.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5yN0yH9.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1872
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Get-MpPreference -verbose
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1868
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
            5⤵
              PID:852
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
                6⤵
                • Creates scheduled task(s)
                PID:2012
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
              5⤵
                PID:1292
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
                  6⤵
                  • Creates scheduled task(s)
                  PID:2144
      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OC4417.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2372
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2452
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1060
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:275457 /prefetch:2
            3⤵
            • Suspicious use of SetWindowsHookEx
            PID:2832

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        7980d9ccda3c40de6c9d0e96f69b3a10

        SHA1

        c9a18d0c8cdc3c30a93faa478e8b5fd1600e4b3f

        SHA256

        f024a25aec5a97dd4bb2433ff753a5999e4de166d234419b23c6ee13ec44f778

        SHA512

        ad3c6ba0437f9095125c68608a578acdc08fe6f9520f705a71673dc5a27a662980e290124e6f0c31c065d6e0c95d70064326857f0d3f41392942164a34be7f2c

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        e932946aa4bcdd5d65c2b9784b7f1b29

        SHA1

        028ce9afc7c4c1b33869beb6312ef022dd50c04d

        SHA256

        ebd8091d86165ff4b1ba42a3ee0af4266d1844d46a073c1314a536050c273446

        SHA512

        964cc7c7b6ccfebb33d0a70ed8479c24582981770515f21c4e691f38afa1d844d77ca4e60dc9c81e4f60a6a13144b25f559f4035e475014be778d9d524f4289d

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        b6ed5300f1775fea4bcbbc51aeb019cd

        SHA1

        f79fac827bff5c541e078cfc88dd6694ef857a54

        SHA256

        0bdbc81a897bcf3202390da9c41c2de0719b6eea4221aec08a014c43c96dc3f2

        SHA512

        f7853e2b372548ff3e67dfbc6b23d46d3b9cef80619703ba13079a3ed8d36165fec5e559107f46dc3a39954581b63bd60cf31794d3b0673eed40ba4bf049563d

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        a9a03d98165b0cf4b3fb46a39ba69de1

        SHA1

        7c49366b0c3c6340036d302c68e38869231078f0

        SHA256

        18d33acd46336814ef48a77f3ea3cfa570e30bcbc8e17236c8ef40c55d4ccad8

        SHA512

        c95d74ba18ef1a2c53c635de51f9ee11b894c243031e9e3c2dfc9316eb43be169fb7f4f3f526bf05ec882b5b926914ab10b9700ec25cb9c10d61f82a90c7ea26

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        00befa826910c77fdb3cf75ac7f76dd5

        SHA1

        46626a6d495d5e5aafe73c7ad6dd44c8f892c3be

        SHA256

        c9949e6f59fcd03bb775d41075d8284483f250343d47ac260d4cdb1f47b3f202

        SHA512

        b449cf80bbca0d4e5ac7d07768083ec372047db4eac8b8a6b7fbbc9fd3239b7c0d5e2fc5a465baf905dd0d429afac94ae901ec3c2a8768a283f64297564c1c1b

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        ad63f6416cfa3b9bd2f6b5b6dfd396ba

        SHA1

        76498daf3820c6a5f26058a03b2d2622aeaf8101

        SHA256

        3ae8f065db71455229f009e607c4579327797405c8ded0077a6ae5b0da8a8cdc

        SHA512

        6bae14674db34a6cc71a8b105f76db196510eed974c6cfd1bcb97c61d8545e3d4015748ab07c3e07fb48bbff14d4ebee5e34d5480ce3c40c8a9f3af7c8caa414

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
        Filesize

        641KB

        MD5

        6a19f2fbfa7b8b17d0efeb801ecdb233

        SHA1

        a84c70d3c6b49adde66d18ab52366d09f840e7f7

        SHA256

        941aad9b74506d7a5a35d5234dc5febf82bff1ba84379da0b20180ef264ddea7

        SHA512

        c8fc42777b8396eabdb28622f8f3a1897a26d1645ac246231d953ba7158b422fbabf89d244db12f02ba28ac722c43aff6e2ed44a1cdca1bbec5b40d204eaf5d4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
        Filesize

        129KB

        MD5

        c01da65814ef655c5531b8dea72ec60f

        SHA1

        4be2db0ebec876ab423dc774c29d39ff4910b239

        SHA256

        2d7f707460001f42818aac1cf43b780eee1c8dbe6cae817ee493150df64f6904

        SHA512

        6c3ebf65c7f294397d75053dc75027183e274f0a999b4c35b98bdb18fa0da0b746124d26fec25ad7a1635b95d0057e95873e4296bfd481346742a8887e84da43

        Download Submit

      • \Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
        Filesize

        1.3MB

        MD5

        04e22e4bb4d40dd433682c084bc484f0

        SHA1

        7ced37a92dde45e6dde394f1db7d8aecf2f7a988

        SHA256

        e47e1ae4862e95287a0735c9566f2bbb5dbb828b128518533802bae6ead13507

        SHA512

        618beee4c2ff17beb4081b00db49a3f052e9f453761a52da4867ca89ae6e1dd10647a181553a0cdc406b821f2979a09e2a29965fe99b38551be01c3ff958ed61

        Download Submit

      • \Users\Admin\AppData\Local\Temp\IXP000.TMP\EU6Wr47.exe
        Filesize

        103KB

        MD5

        1251b8163afe401faffbfc2924e3e2b1

        SHA1

        b4afbda5fa48643f300b1a753ba709105c2f7ddd

        SHA256

        777176358b068d395bd29324e58be6aeeb52315c9a3801848e2a912a6402a829

        SHA512

        0a86ba5ffa1431e89fd1437b393a719ec04795970c7282082a78c394c3a88c40881fb1e17a5707e7482dd98f5e9b7d9899a875deb18a90288ea1959ac251dfc6

        Download Submit

      • memory/1868-177-0x000000006D700000-0x000000006DCAB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1868-197-0x00000000024F0000-0x0000000002530000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1868-238-0x000000006D700000-0x000000006DCAB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1872-42-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-245-0x00000000025F0000-0x0000000002600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1872-596-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-732-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-763-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-769-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-848-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-248-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-247-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-249-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-1297-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-38-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-37-0x0000000001160000-0x00000000015BE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-1290-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-1292-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-1293-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-1294-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-1295-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/1872-1296-0x0000000000350000-0x00000000007AE000-memory.dmp

        Filesize

        4.4MB

        Download

      • memory/2400-34-0x00000000026E0000-0x0000000002B3E000-memory.dmp

        Filesize

        4.4MB

        Download