Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a9c2172254...a2.exe

windows7-x64

10

a9c2172254...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    07/01/2024, 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9c2172254f10dc583dd94a401b3fca2.exe

  • Size

    484KB

  • MD5

    a9c2172254f10dc583dd94a401b3fca2

  • SHA1

    63c31ede15a31901f8b47827e34a74aff5cedb25

  • SHA256

    327b66866a45b85df111f5d39514e2adbc986261037f6283cdd52d1814643679

  • SHA512

    392689725261e5f340ce498f63118650b5e2e79a52ee24b3214db320f876dd576f4a5fa7a001b76653c298d26b8494fa1f39770b0ed4c63548f1d224afb82140

  • SSDEEP

    12288:4oUld/f2I9JECdYW4/e4Pii15XZSAmKjlafbdDNUQ:i92ILECd0R15XZS3QafpDNUQ

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 53 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:336
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\a9c2172254f10dc583dd94a401b3fca2.exe
      "C:\Users\Admin\AppData\Local\Temp\a9c2172254f10dc583dd94a401b3fca2.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Users\Admin\LB9c4j3K.exe
        C:\Users\Admin\LB9c4j3K.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Users\Admin\touivu.exe
          "C:\Users\Admin\touivu.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:616
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del LB9c4j3K.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2584
      • C:\Users\Admin\aahost.exe
        C:\Users\Admin\aahost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Users\Admin\aahost.exe
          "C:\Users\Admin\aahost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 88
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:2764
      • C:\Users\Admin\bshost.exe
        C:\Users\Admin\bshost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
            PID:1356
        • C:\Users\Admin\dyhost.exe
          C:\Users\Admin\dyhost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2032
        • C:\Users\Admin\ekhost.exe
          C:\Users\Admin\ekhost.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
            4⤵
              PID:1496
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                5⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:1308
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del a9c2172254f10dc583dd94a401b3fca2.exe
            3⤵
            • Deletes itself
            • Suspicious use of WriteProcessMemory
            PID:820
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        1⤵
          PID:864
          • C:\Windows\system32\wbem\WMIADAP.EXE
            wmiadap.exe /F /T /R
            2⤵
              PID:808
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:772
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              1⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2020
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
              • Loads dropped DLL
              PID:2128
            • C:\Windows\system32\wbem\wmiprvse.exe
              C:\Windows\system32\wbem\wmiprvse.exe -Embedding
              1⤵
                PID:904

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\calc.exe
                Filesize

                764KB

                MD5

                e381b04abf596ed1573154cd41f418dc

                SHA1

                2ad1df7bebf1e4c0715adbf76c8c14b9162edf2e

                SHA256

                02b08664fcc196f15ff0e33e7ed43e9e78af7b564e3f7c5388dd7d0267905fe6

                SHA512

                44307e60bdc804b3abe710a21e2268960dcc9d29671cf8ce723e40721b6b38ae338c49cd1b9cfd4fa8fa4f644cc80414baeb70f136f39f73833f8373f8180858

                Download Submit

              • C:\Users\Admin\ekhost.exe
                Filesize

                24KB

                MD5

                9fe0e5252dc24fc1788b0d8b26026807

                SHA1

                21e3063a0fac1157b9707861048c5f7fbd070ceb

                SHA256

                9c99c968d969c2d5c1570c6066957d726bc19ffe9e0562242ce1bf79514c1b40

                SHA512

                613f5c821dfcef8124ecb7c9b118cda14be4d72a26f1a21ffde81c4d8aae4f315740d66c298e5963b0647f0ecd9e2d63d9bbb8df4e0c731019896e7ac0391d5c

                Download Submit

              • \Users\Admin\LB9c4j3K.exe
                Filesize

                212KB

                MD5

                fa0eb2a8b561ea9afc6a51709ff0d7de

                SHA1

                4ef5265f5b5bb1a4857e7668f132405c799da155

                SHA256

                99ecfb1bb7cdb1e8dd609e60b10d5346b90284172c854b6234631212dd501c4f

                SHA512

                0e8b194cb0e65429b84ac32a0fa131d072f7f425804df192d7a90a7ec6eb7ce9991716ce5a9ca3bcd106181076832d5fa7d6f9cbe67fc80a427ef7980beb75c6

                Download Submit

              • \Users\Admin\aahost.exe
                Filesize

                140KB

                MD5

                93ea44e078cb0477614729636866a84b

                SHA1

                f9752413d48fd98a77cfce8fff04a7a0d72c26d8

                SHA256

                c16c3df8b6b4187e04a6abb49a15eb02ccefdce86068960ab3afeb088bf4ba27

                SHA512

                351bafb9dc5395a9cd1393b76cba405312a5d85a59e5b1c0e891c2de1343b2bc2765a40077e4155fbd9a5578db3be66ace35e27ff02cb32f813ba01db4fc1113

                Download Submit

              • \Users\Admin\bshost.exe
                Filesize

                260KB

                MD5

                bbc0a2fe1284778896b57ffc5701aefa

                SHA1

                6b9a0106b82c63265936ce728a858d258c8f6b14

                SHA256

                92fad55bc5c7438d0f36501581b4b958efba2fbe5db02b97093a79b8a19645a0

                SHA512

                8a17a1ed99a99a270191684b0337836531934b8717e78481815fd18767a172e6d7cf89488926dd2ea1b9e9ccaf53afd29c6925beaeb2fa7fa918be0e416be930

                Download Submit

              • \Users\Admin\touivu.exe
                Filesize

                212KB

                MD5

                8aec8b8574004b105036d4cce272ab0a

                SHA1

                f777dd95f2b8c710b0e5787207b6ee82e1ea305d

                SHA256

                b5c40312b2f2ed639eb908058dcdb60107a33d9f6731281f6e4536c5e2e5c0e2

                SHA512

                a7f070bac6b05ac25c0bd04aa71cee389322ab00306ddce0987589d0d1434bd3df361e191bcd48206b8c44ed2f953dd60fd4f35c979bb727f7480f3a7905f05a

                Download Submit

              • \Windows\assembly\GAC_32\Desktop.ini
                Filesize

                4KB

                MD5

                878f9b6da85cb98fcbdf6abd1730a32f

                SHA1

                343007e658ea541f4680b4edf4513e69e1cc18a6

                SHA256

                75b5a460ed6f47fca8ec1bcd8a11b22f24fb33de4d5f307b851ad20c7f831b7d

                SHA512

                5425844e34ad5e717b08830020526f5c9465f654f3e9e29967b2983d5cb8dc225be2b89cd29a8e4cc99fcfc99e05556f66eefa0539283ab4569e603413a37293

                Download Submit

              • \Windows\assembly\GAC_64\Desktop.ini
                Filesize

                5KB

                MD5

                9d7ec1e355ac35cbe6991721ef5ae3b8

                SHA1

                c35a00bd35c6e4a7516b93947be08ead966347e8

                SHA256

                68a3cec42215323100398a8eb2cbb37da7d58fe0fa9c6312e954e0f50a95ca98

                SHA512

                b7c4be28d8e179974672205a50e72fa1ec9e2e8170b3b8ee763e1751a3397c35afec7a72c88f0a79a8566749b2af1ff054660a96c3a6d6508c545d316a035dc0

                Download Submit

              • memory/336-108-0x0000000000C80000-0x0000000000C92000-memory.dmp

                Filesize

                72KB

                Download

              • memory/336-146-0x0000000000C80000-0x0000000000C92000-memory.dmp

                Filesize

                72KB

                Download

              • memory/336-106-0x0000000000C80000-0x0000000000C92000-memory.dmp

                Filesize

                72KB

                Download

              • memory/336-107-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/864-165-0x00000000001B0000-0x00000000001BB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/864-149-0x00000000001A0000-0x00000000001AB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/864-162-0x00000000001B0000-0x00000000001BB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/864-160-0x00000000001B0000-0x00000000001BB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/864-159-0x00000000001A0000-0x00000000001AB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/864-155-0x00000000001A0000-0x00000000001AB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/864-152-0x0000000000190000-0x0000000000198000-memory.dmp

                Filesize

                32KB

                Download

              • memory/1192-96-0x0000000002E80000-0x0000000002E86000-memory.dmp

                Filesize

                24KB

                Download

              • memory/1192-91-0x0000000002E70000-0x0000000002E72000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1192-90-0x0000000002E80000-0x0000000002E86000-memory.dmp

                Filesize

                24KB

                Download

              • memory/1192-100-0x0000000002E80000-0x0000000002E86000-memory.dmp

                Filesize

                24KB

                Download

              • memory/2388-76-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-89-0x00000000002D0000-0x00000000002D1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2388-78-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-82-0x0000000000290000-0x0000000000291000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2388-74-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-73-0x0000000000280000-0x0000000000281000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2388-72-0x0000000000230000-0x0000000000274000-memory.dmp

                Filesize

                272KB

                Download

              • memory/2388-71-0x0000000000400000-0x0000000000444000-memory.dmp

                Filesize

                272KB

                Download

              • memory/2388-68-0x0000000000400000-0x0000000000444000-memory.dmp

                Filesize

                272KB

                Download

              • memory/2388-69-0x0000000000400000-0x0000000000444000-memory.dmp

                Filesize

                272KB

                Download

              • memory/2388-70-0x0000000000220000-0x0000000000221000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2388-79-0x0000000000400000-0x0000000000444000-memory.dmp

                Filesize

                272KB

                Download

              • memory/2388-81-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-114-0x0000000000450000-0x000000000048E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-113-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-111-0x0000000000400000-0x0000000000444000-memory.dmp

                Filesize

                272KB

                Download

              • memory/2388-83-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-84-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-86-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-93-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-87-0x0000000000450000-0x000000000048E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-88-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2388-80-0x00000000003B0000-0x00000000003EE000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2492-38-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2492-40-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2492-50-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2492-51-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2492-52-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2492-46-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2492-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2492-42-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2940-67-0x0000000000370000-0x00000000003B4000-memory.dmp

                Filesize

                272KB

                Download