Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

41151e1d13...9f.exe

windows7-x64

7

41151e1d13...9f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/01/2024, 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41151e1d13fe8f835b06c5b6538df69f.exe

  • Size

    178KB

  • MD5

    41151e1d13fe8f835b06c5b6538df69f

  • SHA1

    87b504c9840891412e36884bf351fee4b12ab546

  • SHA256

    e8782ceb49f1fe55510c907ad7c95601a89e7fd9ba6f0859c5cc9fd436772d8c

  • SHA512

    c1d275b11502eeeb99b48b8063e2b8d27898b129bb6dd469d358b1ab396fb69d7a3bcb055eb6a88fc96a95a3c51eeb58ec33cbdc1486390992ce4d2957b2c48d

  • SSDEEP

    3072:2wjmK0lZmJAQcD9sBNI9wMsxjhIPYDDlqdLv45q/yXs30rzqQ/vEEfjMvR:2bNWY9SIuMUhIPAqdLvuooGQnFM5

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41151e1d13fe8f835b06c5b6538df69f.exe
    "C:\Users\Admin\AppData\Local\Temp\41151e1d13fe8f835b06c5b6538df69f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Users\Admin\AppData\Local\Temp\nsa47E8.tmp\ctfmon.exe
      "C:\Users\Admin\AppData\Local\Temp\nsa47E8.tmp\ctfmon.exe"
      2⤵
      • Executes dropped EXE
      PID:4364
    • C:\Users\Admin\AppData\Local\Temp\nsa47E8.tmp\300186c696818226368e927051ab1f357b60c.exe
      "C:\Users\Admin\AppData\Local\Temp\nsa47E8.tmp\300186c696818226368e927051ab1f357b60c.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
          PID:1284

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsa47E8.tmp\300186c696818226368e927051ab1f357b60c.exe
      Filesize

      204KB

      MD5

      6c696818226368e927051ab1f357b60c

      SHA1

      d2defb422d235bf1facf6d71582db6ad0c727733

      SHA256

      46513d97253718f72a01db0ebd0a938e7df778080facadf7b7d2fbe7cdfb3808

      SHA512

      29d9104888f48d069ca7e9b250e33bb1a4ead3cc10682dfdfefa8d49fc84d2eb1ba14bee3471a88853df8d04d6a695b098f4a8c7533cd6503bdeca0caeb2b923

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsa47E8.tmp\ctfmon.exe
      Filesize

      3KB

      MD5

      46e07fd3a40760fda18cf6b4fc691742

      SHA1

      53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

      SHA256

      bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

      SHA512

      ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

      Download Submit

    • memory/1116-26-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1116-27-0x0000000000510000-0x000000000053A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1116-28-0x00000000008E0000-0x00000000008E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1116-29-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1116-31-0x0000000000510000-0x000000000053A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1116-32-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download