Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    131s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/01/2024, 11:27

General

  • Target

    4e2e1f3ac55c19e9f30f8eb5e962d172.exe

  • Size

    42KB

  • MD5

    4e2e1f3ac55c19e9f30f8eb5e962d172

  • SHA1

    37cb4556fb983bcfe043b04413d7faea5312b716

  • SHA256

    2de69f07a6f6b29d11ada45396474e4186f7dc796a02a957c79f48dc4ae77bc2

  • SHA512

    8981409c69e9b13bf99960efc345e4473198c87cc23b1590ecb5a9524572c85e47c4a19c4cef06b2f017fea442ba91e7750b496c5653fc2958d7abf37a4bec3d

  • SSDEEP

    768:aYbywQ/j4ebRLNAYfQIVR8xS5auCo2Wc8TBxBzHFf4Oefx4hcldZPJUqycgLHY:SMGdNL4IVR8xS5aurhdHrh0dZxqx4

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e2e1f3ac55c19e9f30f8eb5e962d172.exe
    "C:\Users\Admin\AppData\Local\Temp\4e2e1f3ac55c19e9f30f8eb5e962d172.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\Fonts\svchost.exe
      C:\Windows\Fonts\svchost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1508
    • C:\Windows\Fonts\sys
      C:\Windows\Fonts\sys
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del C:\Windows\Fonts\sys
        3⤵
        PID:2960
    • C:\Windows\Fonts\cmvd
      C:\Windows\Fonts\cmvd
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      PID:752
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Loads dropped DLL
      PID:2948
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\DEL.bat
      2⤵
      • Deletes itself
      PID:1408

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\DEL.bat

      Filesize

      182B

      MD5

      9542d4c7ac8e1ba543a61952b5cb7cd2

      SHA1

      91cc1cb364a761337935e99546d379db5892a19d

      SHA256

      321612956a4cedcad9b71ebda90aea222124af71aef64a50317c689f6ef44d7e

      SHA512

      6ab46d7a670502d0cc6765492f96b9b158fbd1fb627b8f758149a228300e96581167c968c5a74d19c57fb927d7e47825715a574c8d308d1ebf8db9009a1a415f

    • \Windows\Fonts\cmvd

      Filesize

      12KB

      MD5

      a9183e73dde5835593abd4761c73c1b4

      SHA1

      146985905b167b730b16aa8cb9a8aa8275ae89c2

      SHA256

      74081a6cbae959c4c0d1c967a6fdb313ba62ffdaeabd6d14fcd64d31e82ec297

      SHA512

      227f00037d3a8ef030e71892de7821c4d0c4c34cdd8db92f93e2fe0fbc6841520c92bf322456132ef17b61d19a43c2c334d3b644befa5700f00914e2a50e7161

    • \Windows\Fonts\svchost.exe

      Filesize

      5KB

      MD5

      9b8cffa5abe8350d9d9d2af54c851e50

      SHA1

      7adb7ef3bec64528806a327e70026dd7df11e8f5

      SHA256

      6967469c99439ead9abf03f1fd3ac0153d4ef7f1906739fa75df45c2e67a3bec

      SHA512

      a14c60a193b65e29f2c2c4580287d3d82371fb4b4a78fe1f68a39e2c1badff02bbecececa987cff92182d7ba6c4f3ce64e975fa7ce08197a5bf41942ba26ff7f

    • \Windows\Fonts\sys

      Filesize

      1KB

      MD5

      f4ed1044cc0d6cc42e440711fb793351

      SHA1

      32c7448eb4c5696b3c15322ddd9106e42eb22c10

      SHA256

      5889649d626751af6b05482ecc398a02d453467f10fdfff2b94e50c85866488d

      SHA512

      47d8a728bb18c1b8acdf1dcc9e66e9093bf332368ea202c21a00d9bb17983f83dbefab9ee1e0baee7f4be236de445f0ff83c9b4a69ca6055d1916df4c75b5e78

    • \Windows\SysWOW64\dbwozuyb.dll

      Filesize

      13KB

      MD5

      015a4e6ca2f0595f57d51aaa77744746

      SHA1

      773c3cd62352264886c34e54b53bf4acdcf4432a

      SHA256

      095f63cad6c7eb7f4b7a51e718e5f9debb48d1733121220d6c32fbda48cb1406

      SHA512

      1e4d72353a845361c304a222e59838d9f0c2f025e12444f6f8ff8d9055af33b86ae22dd698154fd7ac6f906a7c985426629733d98bc71740a02a4c92b2734578

    • memory/2948-29-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

    • memory/2948-40-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

    • memory/2948-41-0x0000000000020000-0x0000000000030000-memory.dmp

      Filesize

      64KB

    • memory/2948-43-0x0000000000020000-0x0000000000030000-memory.dmp

      Filesize

      64KB