Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 19:17

General

  • Target

    ab7a3de7135318c2263530b855a14ff2.exe

  • Size

    452KB

  • MD5

    ab7a3de7135318c2263530b855a14ff2

  • SHA1

    0772f238e91d06a36c1fc3705a1cf6e65e14739b

  • SHA256

    9a351bd7f2a3ef4b58c2e54b4bc43bbc2d1dd41db7d2787c2007b58b570cb73a

  • SHA512

    13424cffe12a21b0826bab06cd7c73835c5346929604857285e7e0da7d1a63b1fe5d87e82f203ef9c1e5ab2024bf2e4826e3b741f922089a40c707c0f0d98903

  • SSDEEP

    12288:9YU476vtic2xSNc8DtoQRWIvf5qZ4KAlPfEOX:2utj22c8RVWFZ3ARsOX

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 52 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
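The "UPX packed file" signature above is a static check, and the "modified UPX" wording matters: stock UPX leaves UPX0/UPX1 section names, but a repacked build often renames them, so a name-only check misses it. The following is an added example, not tria.ge's detector and not code from the report's sample. It parses the PE section table with only the Python standard library and reports two indicators: the UPX section names, and the UPX layout that survives renaming (a first section that is large in memory but has no raw data, followed by a high-entropy packed section). The three PE files it runs against are constructed inside the block from a minimal header; they are not the binaries listed in this report.

```python
"""Static check behind a "UPX packed file" style signature.

Added example (not tria.ge's own logic). The PE blobs are CONSTRUCTED below;
they are not the report's files.
"""
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

Section = Tuple[str, int, int, int]  # name, virtual size, raw size, raw pointer


def pe_sections(data: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    out: List[Section] = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        out.append((name, vsize, rsize, rptr))
    return out


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def upx_indicators(data: bytes) -> Dict[str, object]:
    secs = pe_sections(data)
    names = [s[0] for s in secs]
    by_name = any(n.upper().startswith("UPX") for n in names)
    by_layout = False
    if len(secs) >= 2:
        (_, vsize0, rsize0, _), (_, _, rsize1, rptr1) = secs[0], secs[1]
        packed = data[rptr1:rptr1 + rsize1]
        # UPX0 is the unpack destination: large in memory, empty on disk.
        # UPX1 carries the compressed body, so its entropy is near 8 bits/byte.
        by_layout = rsize0 == 0 and vsize0 > 0 and rsize1 > 0 and shannon_entropy(packed) > 7.0
    return {"sections": names, "upx_name": by_name, "upx_layout": by_layout,
            "packed": by_name or by_layout}


def build_pe(sections: List[Tuple[str, int, bytes]]) -> bytes:
    """CONSTRUCTED minimal PE32: just enough header for the section walk above."""
    n = len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                     # PE32 magic, rest zero
    raw_ptr = (len(dos) + len(coff) + len(opt) + 40 * n + 0x1FF) & ~0x1FF
    first_raw = raw_ptr
    table, blobs, vaddr = b"", b"", 0x1000
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0xE0000060)
        vaddr += (vsize + 0xFFF) & ~0xFFF
        raw_ptr += len(raw)
        blobs += raw
    return (dos + coff + opt + table).ljust(first_raw, b"\0") + blobs


# Constructed samples: a pseudo-random 4 KiB blob stands in for a compressed body.
_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
UPX_SAMPLE = build_pe([("UPX0", 0x20000, b""), ("UPX1", 0x1000, _PAYLOAD), (".rsrc", 0x1000, b"\0" * 512)])
RENAMED_SAMPLE = build_pe([(".text", 0x20000, b""), (".data", 0x1000, _PAYLOAD), (".rsrc", 0x1000, b"\0" * 512)])
PLAIN_SAMPLE = build_pe([(".text", 0x1000, b"\x90" * 1024), (".data", 0x1000, b"\0" * 512)])

if __name__ == "__main__":
    for label, blob in (("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, upx_indicators(blob))
```

The renamed sample fires only on the layout heuristic, which is the case the "modified UPX" wording covers; the entropy threshold is a heuristic, so on real files treat a layout-only hit as a lead to confirm with an unpacker rather than as a verdict.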

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab7a3de7135318c2263530b855a14ff2.exe
    "C:\Users\Admin\AppData\Local\Temp\ab7a3de7135318c2263530b855a14ff2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Users\Admin\jm9su7UE.exe
      C:\Users\Admin\jm9su7UE.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Users\Admin\maahuas.exe
        "C:\Users\Admin\maahuas.exe"
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5024
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c tasklist&&del jm9su7UE.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:892
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4988
    • C:\Users\Admin\auhost.exe
      C:\Users\Admin\auhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Users\Admin\auhost.exe
        "C:\Users\Admin\auhost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:720
    • C:\Users\Admin\bqhost.exe
      C:\Users\Admin\bqhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:3436
    • C:\Users\Admin\elhost.exe
      C:\Users\Admin\elhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del ab7a3de7135318c2263530b855a14ff2.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1660
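Three patterns in the process tree above are worth encoding as detection logic rather than reading off by hand: both the original sample and jm9su7UE.exe delete their own file through `cmd.exe /c tasklist&&del <self>` (tasklist does nothing useful; it is a delay so that del runs after the parent has exited and released its file), auhost.exe launches a second copy of its own image (the parent is the one flagged for SetThreadContext, the usual shape of process hollowing), and every stage runs from the root of the user profile. The following is an added example, not tria.ge's signature logic: Python rules over an event list constructed from this report's process tree (PIDs, image paths and command lines copied from it). The registry event is an assumption, because the report counts 52 Run-key IoCs but the page does not list them, so its value name and data are invented.

```python
"""Behaviour rules over events constructed from this report's process tree.

Added example, not tria.ge's own signature logic. Process events copy the
PIDs, image paths and command lines from the report; the registry event is
an ASSUMPTION (value name and data invented) because the page counts the
Run-key IoCs but does not list them.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

EVENTS: List[Dict] = [
    {"type": "process", "pid": 2712, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ab7a3de7135318c2263530b855a14ff2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ab7a3de7135318c2263530b855a14ff2.exe"'},
    {"type": "process", "pid": 1284, "ppid": 2712, "image": r"C:\Users\Admin\jm9su7UE.exe",
     "cmdline": r"C:\Users\Admin\jm9su7UE.exe"},
    {"type": "process", "pid": 5024, "ppid": 1284, "image": r"C:\Users\Admin\maahuas.exe",
     "cmdline": r'"C:\Users\Admin\maahuas.exe"'},
    {"type": "process", "pid": 892, "ppid": 1284, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c tasklist&&del jm9su7UE.exe'},
    {"type": "process", "pid": 4988, "ppid": 892, "image": r"C:\Windows\SysWOW64\tasklist.exe",
     "cmdline": "tasklist"},
    {"type": "process", "pid": 3924, "ppid": 2712, "image": r"C:\Users\Admin\auhost.exe",
     "cmdline": r"C:\Users\Admin\auhost.exe"},
    {"type": "process", "pid": 720, "ppid": 3924, "image": r"C:\Users\Admin\auhost.exe",
     "cmdline": r'"C:\Users\Admin\auhost.exe"'},
    {"type": "process", "pid": 4980, "ppid": 2712, "image": r"C:\Users\Admin\bqhost.exe",
     "cmdline": r"C:\Users\Admin\bqhost.exe"},
    {"type": "process", "pid": 4496, "ppid": 2712, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c tasklist&&del ab7a3de7135318c2263530b855a14ff2.exe'},
    # ASSUMED registry event: the key path is the standard Run key, value/data are invented.
    {"type": "registry", "pid": 1284, "image": r"C:\Users\Admin\jm9su7UE.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "maahuas", "data": r"C:\Users\Admin\maahuas.exe"},
]

USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)   # any user-writable profile path
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
DEL_TARGET = re.compile(r"\bdel\s+(\S+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) triples; one event may fire several rules."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits: List[Tuple[str, int, str]] = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            if parent is None:
                continue  # root of the tree: nothing to compare against
            img, pimg = e["image"], parent["image"]
            # cmd.exe /c tasklist&&del <parent's own file name>: self-deletion
            m = DEL_TARGET.search(e["cmdline"])
            if basename(img) == "cmd.exe" and m and m.group(1).lower() == basename(pimg):
                hits.append(("self_delete_via_cmd", e["pid"], m.group(1)))
            # executable started from a user-writable profile directory
            if USER_PROFILE.match(img):
                hits.append(("exe_run_from_user_profile", e["pid"], img))
            # a process launching a second copy of its own image
            if img.lower() == pimg.lower():
                hits.append(("self_respawn_possible_hollowing", e["pid"], img))
        elif e["type"] == "registry":
            if RUN_KEY.search(e["key"]) and USER_PROFILE.match(e["image"]):
                hits.append(("run_key_persistence", e["pid"], f'{e["value"]}={e["data"]}'))
    return hits


def summarize(hits: List[Tuple[str, int, str]]) -> Dict[str, int]:
    return dict(Counter(rule for rule, _, _ in hits))


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(*h)
    print(summarize(detect(EVENTS)))
```

The self-delete rule keys on the parent's file name rather than on the literal `tasklist&&del`, so it also catches variants that swap tasklist for ping or timeout; the respawn rule deliberately says "possible" because a self-relaunch is only suggestive until memory of the child is compared with its image on disk.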

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\auhost.exe

      Filesize

      60KB

      MD5

      0ce1e9a2bc7b4a2b10a847acace8f337

      SHA1

      7698c4d822146dd757c6b39bdcec8d443860c099

      SHA256

      1fa5dca1771d75940cd5364edb358d914baaefdc56f2d21d573bbce22d41b205

      SHA512

      6b0be69db960889d5be8e89e92c7e3c82fa07430ebf16ad1d2fb77ad1a23d0358c0f7e44f75d16da2722abc4998cba88f6b08090b3a4b7f8b1400ae6001a1bb7

    • C:\Users\Admin\bqhost.exe

      Filesize

      260KB

      MD5

      880ec3876f5d5687be0f9099c1d629ee

      SHA1

      6b6e56229204e16285f44684a4fa904ded59beef

      SHA256

      d65d3acf805651b38ec3c6eee1fb4efa83824fdd7e407495cdb9f6ad9b8e0c7d

      SHA512

      2fa67fd0e315ea45ea2e54afcf42ff3795b5a64326470f7bb285adb8e840ba68de02fb1d518bc34d94067b8ef7d5e2865718fff9a805193c2b6f128d546f6434

    • C:\Users\Admin\elhost.exe

      Filesize

      48KB

      MD5

      82cd7f18c0c82c6c4228033a8dcaef8b

      SHA1

      66f78542b3ee762e4b189f658f37d01dbf0aff43

      SHA256

      18ec72076fb151ad97aeaa5e18d357aeb77c405dd867703e6709b9ede40cb237

      SHA512

      f9306ced3be80943b19c4fab575f1070bee46f9c049de988e9ec737ce6b320c66c82eec9a2cbed8f598514da2a21459bb7c25d514173afd566cd76d97a070142

    • C:\Users\Admin\jm9su7UE.exe

      Filesize

      212KB

      MD5

      e533f129e341c16a690960697fbb5c27

      SHA1

      c1c945168f49e1e312b77f518e1fcb5ab0a1c824

      SHA256

      2d0bcc8dce0a65ec302bfe3a49c143ba852d50286893657674c6c7fe73b70bff

      SHA512

      c5ce81ed27a8a4618b14560d97c1022b7a0156f8acdf883e9a8cdfc94c1edbbc76fed52fb5eba67af57dc3e5d269bfa480878da5d78108e9dc0392928d490ad6

    • C:\Users\Admin\maahuas.exe

      Filesize

      212KB

      MD5

      dfe630af2b8183520179bd58a5900990

      SHA1

      4c6dfe1b6ad0482b4f4899b9c37095144abf22da

      SHA256

      af40fb6fbc38f882f608cb8d6072f42858752e5231745a7b2a6c6522094cc44d

      SHA512

      f33bcb9c8b1b2144cf746015661953df1b1a2bbe6bc8e95d510679329d0da05ab3052e501999472871c6ee2c4d6eda863ab22bd5ca4c45d83519678ccf898f42

    • memory/720-17-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/720-20-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/720-21-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/720-23-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4980-57-0x00000000024F0000-0x00000000024F1000-memory.dmp

      Filesize

      4KB

    • memory/4980-59-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/4980-60-0x0000000002840000-0x0000000002887000-memory.dmp

      Filesize

      284KB

    • memory/4980-61-0x0000000002D10000-0x0000000002D11000-memory.dmp

      Filesize

      4KB

    • memory/4980-62-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/4980-66-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/4980-67-0x0000000002840000-0x0000000002887000-memory.dmp

      Filesize

      284KB

    • memory/4980-58-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB