Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ab7a3de713...f2.exe

windows7-x64

10

ab7a3de713...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    07/01/2024, 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab7a3de7135318c2263530b855a14ff2.exe

  • Size

    452KB

  • MD5

    ab7a3de7135318c2263530b855a14ff2

  • SHA1

    0772f238e91d06a36c1fc3705a1cf6e65e14739b

  • SHA256

    9a351bd7f2a3ef4b58c2e54b4bc43bbc2d1dd41db7d2787c2007b58b570cb73a

  • SHA512

    13424cffe12a21b0826bab06cd7c73835c5346929604857285e7e0da7d1a63b1fe5d87e82f203ef9c1e5ab2024bf2e4826e3b741f922089a40c707c0f0d98903

  • SSDEEP

    12288:9YU476vtic2xSNc8DtoQRWIvf5qZ4KAlPfEOX:2utj22c8RVWFZ3ARsOX

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 15 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:336
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1264
      • C:\Users\Admin\AppData\Local\Temp\ab7a3de7135318c2263530b855a14ff2.exe
        "C:\Users\Admin\AppData\Local\Temp\ab7a3de7135318c2263530b855a14ff2.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Users\Admin\jm9su7UE.exe
          C:\Users\Admin\jm9su7UE.exe
          3⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3056
          • C:\Users\Admin\pueozox.exe
            "C:\Users\Admin\pueozox.exe"
            4⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2716
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del jm9su7UE.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2916
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              5⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:1180
        • C:\Users\Admin\auhost.exe
          C:\Users\Admin\auhost.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Users\Admin\auhost.exe
            "C:\Users\Admin\auhost.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2824
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 88
              5⤵
              • Loads dropped DLL
              • Program crash
              PID:2744
        • C:\Users\Admin\bqhost.exe
          C:\Users\Admin\bqhost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            4⤵
              PID:1952
          • C:\Users\Admin\elhost.exe
            C:\Users\Admin\elhost.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2512
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c tasklist&&del ab7a3de7135318c2263530b855a14ff2.exe
            3⤵
            • Deletes itself
            • Suspicious use of WriteProcessMemory
            PID:596
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:1620
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        1⤵
          PID:864
          • C:\Windows\system32\wbem\WMIADAP.EXE
            wmiadap.exe /F /T /R
            2⤵
              PID:1640
          • C:\Windows\system32\wbem\wmiprvse.exe
            C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            1⤵
              PID:1668
            • C:\Windows\system32\wbem\wmiprvse.exe
              C:\Windows\system32\wbem\wmiprvse.exe -Embedding
              1⤵
                PID:1528

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\elhost.exe
                Filesize

                48KB

                MD5

                82cd7f18c0c82c6c4228033a8dcaef8b

                SHA1

                66f78542b3ee762e4b189f658f37d01dbf0aff43

                SHA256

                18ec72076fb151ad97aeaa5e18d357aeb77c405dd867703e6709b9ede40cb237

                SHA512

                f9306ced3be80943b19c4fab575f1070bee46f9c049de988e9ec737ce6b320c66c82eec9a2cbed8f598514da2a21459bb7c25d514173afd566cd76d97a070142

                Download Submit

              • C:\Windows\system32\consrv.dll
                Filesize

                53KB

                MD5

                4d7cde615a0f534bd5e359951829554b

                SHA1

                c885d00d9000f2a5dbc78f6193a052b36f4fe968

                SHA256

                414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a

                SHA512

                33d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4

                Download Submit

              • \??\globalroot\systemroot\assembly\temp\@
                Filesize

                2KB

                MD5

                06c162177888bd1ec8aed7ab2acdf4ad

                SHA1

                cfc1a0ea75509c8cd00dc94f8365f759396340cc

                SHA256

                c924fcf486f5bfc2742c36240489eb7dd08513f6bb5b364a317399513298857d

                SHA512

                2836cfebca229493185fa1fe53cbfb0673bc7815bfd807c5dad5537ccfaa1c59abd17eb06125467fceaaabf233fcd0a86c926d1c65f423ed782bda4756a39706

                Download Submit

              • \Users\Admin\auhost.exe
                Filesize

                60KB

                MD5

                0ce1e9a2bc7b4a2b10a847acace8f337

                SHA1

                7698c4d822146dd757c6b39bdcec8d443860c099

                SHA256

                1fa5dca1771d75940cd5364edb358d914baaefdc56f2d21d573bbce22d41b205

                SHA512

                6b0be69db960889d5be8e89e92c7e3c82fa07430ebf16ad1d2fb77ad1a23d0358c0f7e44f75d16da2722abc4998cba88f6b08090b3a4b7f8b1400ae6001a1bb7

                Download Submit

              • \Users\Admin\bqhost.exe
                Filesize

                260KB

                MD5

                880ec3876f5d5687be0f9099c1d629ee

                SHA1

                6b6e56229204e16285f44684a4fa904ded59beef

                SHA256

                d65d3acf805651b38ec3c6eee1fb4efa83824fdd7e407495cdb9f6ad9b8e0c7d

                SHA512

                2fa67fd0e315ea45ea2e54afcf42ff3795b5a64326470f7bb285adb8e840ba68de02fb1d518bc34d94067b8ef7d5e2865718fff9a805193c2b6f128d546f6434

                Download Submit

              • \Users\Admin\jm9su7UE.exe
                Filesize

                212KB

                MD5

                e533f129e341c16a690960697fbb5c27

                SHA1

                c1c945168f49e1e312b77f518e1fcb5ab0a1c824

                SHA256

                2d0bcc8dce0a65ec302bfe3a49c143ba852d50286893657674c6c7fe73b70bff

                SHA512

                c5ce81ed27a8a4618b14560d97c1022b7a0156f8acdf883e9a8cdfc94c1edbbc76fed52fb5eba67af57dc3e5d269bfa480878da5d78108e9dc0392928d490ad6

                Download Submit

              • \Users\Admin\pueozox.exe
                Filesize

                212KB

                MD5

                6dc86d6d773ee869bc96a4ab56ef1d44

                SHA1

                848e9c36b64694fe425abcf15d97b0026c042246

                SHA256

                75a7d1a21665ac0ab578c16676624470311a502ebacebb66f3be47c873615d1f

                SHA512

                d651b68cb8d9e3de88aadf1c1fb9e7e2b90522e6e4d167f2c562e52d5bbf448cb013b5c26829f1cfd7e126559fee97a6faccb16fd6e8b7fd93fa9da92e3717b0

                Download Submit

              • memory/336-144-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/336-142-0x0000000000A30000-0x0000000000A31000-memory.dmp

                Filesize

                4KB

                Download

              • memory/336-135-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/336-115-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/336-116-0x0000000000A30000-0x0000000000A31000-memory.dmp

                Filesize

                4KB

                Download

              • memory/864-162-0x00000000008D0000-0x00000000008DB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/864-158-0x00000000008D0000-0x00000000008DB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/864-156-0x00000000008C0000-0x00000000008CB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/864-152-0x00000000008C0000-0x00000000008CB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/864-147-0x00000000008B0000-0x00000000008B8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/864-146-0x00000000008C0000-0x00000000008CB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/1264-109-0x00000000029F0000-0x00000000029F6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/1264-105-0x00000000029F0000-0x00000000029F6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/1264-99-0x00000000029F0000-0x00000000029F6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/1264-102-0x00000000029E0000-0x00000000029E2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/2824-40-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2824-55-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2824-54-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2824-52-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2824-48-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2824-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2824-44-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2824-42-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/2844-90-0x0000000002A30000-0x0000000002A70000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-124-0x0000000002A30000-0x0000000002A70000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-100-0x0000000002A30000-0x0000000002A70000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-98-0x0000000002A30000-0x0000000002A70000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-94-0x0000000003800000-0x0000000003801000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2844-66-0x00000000020A0000-0x00000000020A1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2844-91-0x0000000002A30000-0x0000000002A70000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-92-0x0000000002A30000-0x0000000002A70000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-93-0x0000000003250000-0x0000000003290000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-121-0x0000000000400000-0x0000000000447000-memory.dmp

                Filesize

                284KB

                Download

              • memory/2844-123-0x0000000002380000-0x00000000023C7000-memory.dmp

                Filesize

                284KB

                Download

              • memory/2844-97-0x0000000002A30000-0x0000000002A70000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-125-0x0000000003250000-0x0000000003290000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-89-0x0000000003240000-0x0000000003241000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2844-87-0x0000000002A30000-0x0000000002A70000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-86-0x0000000002A30000-0x0000000002A70000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-79-0x0000000002A30000-0x0000000002A70000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-72-0x0000000002A30000-0x0000000002A70000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2844-71-0x0000000000400000-0x0000000000447000-memory.dmp

                Filesize

                284KB

                Download

              • memory/2844-70-0x0000000002950000-0x0000000002951000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2844-69-0x0000000002380000-0x00000000023C7000-memory.dmp

                Filesize

                284KB

                Download

              • memory/2844-68-0x0000000000400000-0x0000000000447000-memory.dmp

                Filesize

                284KB

                Download

              • memory/2844-67-0x0000000000400000-0x0000000000447000-memory.dmp

                Filesize

                284KB

                Download

              • memory/3056-28-0x00000000032F0000-0x0000000003DAA000-memory.dmp

                Filesize

                10.7MB

                Download