Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/01/2024, 05:24 UTC

General

  • Target

    4d739f388e6c419f7a9921e7ebed2806.exe

  • Size

    108KB

  • MD5

    4d739f388e6c419f7a9921e7ebed2806

  • SHA1

    790d22ec116bef03768e6e3a80ccb4ad0a8e199e

  • SHA256

    8feac925008ab1d2cef9258c93687131223d65c129e94d75356890e6450f9ae6

  • SHA512

    fa3e46451508995b2baa67b8da68a91d7b0904f156c8601214055970175edf582978b275330659e930a4b4c8f2d0db2aab2d5413d410dbf678ad388c4217f0b6

  • SSDEEP

    3072:X/oGZiJ11Yn3VVbMq+cfg3eNssucg7J6vD:X/osODYn3VVbMCggEYvD

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d739f388e6c419f7a9921e7ebed2806.exe
    "C:\Users\Admin\AppData\Local\Temp\4d739f388e6c419f7a9921e7ebed2806.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c net stop sharedaccess
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\net.exe
        net stop sharedaccess
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop sharedaccess
          4⤵
          PID:1640
      • C:\WINDOWS\Fonts\uctdate.exe
        "C:\WINDOWS\Fonts\uctdate.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2676

    Network

    • flag-us (DNS)
      Domain: download.uusee.com
      Process: uctdate.exe
      Remote address: 8.8.8.8:53
      Request: download.uusee.com IN A
      Response: download.uusee.com IN A 117.78.42.51
    • 117.78.42.51:80
      Domain: download.uusee.com
      Process: uctdate.exe
      Sent: 152 B
      Requests: 3
    • 8.8.8.8:53 (dns)
      Domain: download.uusee.com
      Process: uctdate.exe
      Sent: 64 B
      Received: 80 B
      Requests: 1
      Responses: 1

      DNS Request

      download.uusee.com

      DNS Response

      117.78.42.51

    MITRE ATT&CK Enterprise v15

    Downloads

    • \Windows\Fonts\uctdate.exe

      Filesize

      44KB

      MD5

      8abde00f602025b7d5b4147571cbbe7f

      SHA1

      910fa81ee799cd59c3d8b7c2e98a7150e75a1272

      SHA256

      990dbdc3bdef9007e876cb492d0c3673ea8aa13e7c64d553bc1d47a942a35b8f

      SHA512

      17f014218b4a8d988c36c5f3c57f9adb082e4eb80f81f1e793d168898d5891cb41012fe6fbf81a5f811f0b72ffc289c295334225bfe4a168ac5a933ab0e60c44

    • memory/2104-0-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

    • memory/2104-13-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB
