
Analysis

  • max time kernel
    1s
  • max time network
    10s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/01/2024, 15:57 UTC

General

  • Target

    7dde2cadb794e170aadfa6453a767d3c.exe

  • Size

    940KB

  • MD5

    7dde2cadb794e170aadfa6453a767d3c

  • SHA1

    dc5e8c1cb38f132d8506690348cabb84c104e15b

  • SHA256

    94bfdd9963e0a7fe4ee4488edbeebbd5b0d69fc8f5325f4006f159d4e2067236

  • SHA512

    5c2a2c99b3a97301ff89a4376d244faa536aaba4428467ce2fbe103b4f4411e0bbf400590941f39c91012eceaec27f5f3d151572ee899445f8bd975b61ccfd1a

  • SSDEEP

    24576:ImRKvOCv3utr5OUR0cl6zvozvaHMwINz3eptIC7U:ImovOC/uXgclWoj7wiiptIoU

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe
    "C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe
      C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        3⤵
        PID:912
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        PID:4664
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe:*:Enabled:Windows Messanger" /f
        3⤵
        PID:4988
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        3⤵
        PID:4388
  • C:\Users\Admin\AppData\Local\Temp\K7W3326XSO.exe
    C:\Users\Admin\AppData\Local\Temp\K7W3326XSO.exe
    1⤵
    • Executes dropped EXE
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adesao.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\adesao.exe"
      2⤵
      PID:400
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Modifies registry key
    PID:3768
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Modifies registry key
    PID:2160
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Modifies registry key
    PID:1636
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Modifies registry key
    PID:1008

Network


Downloads
