Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

59980a5a34...35.exe

windows7-x64

7

59980a5a34...35.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/01/2024, 22:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59980a5a3472e8737e7a72f870061235.exe

  • Size

    112KB

  • MD5

    59980a5a3472e8737e7a72f870061235

  • SHA1

    be0577e79663df03a2e5cf902f283029d0fd1940

  • SHA256

    f584c54ae63e4dde92f8da1d098a0ff3f1c1dd263041e8d45fa88dc809bdfa19

  • SHA512

    081543a783ce8b6081bd2c1747ee92cf20bdb6a802af77656d7a85cae59364fe90b78833284715f8aa659e5384c710b2ebd46e5fe2458a70b25e2e22e2ec68b9

  • SSDEEP

    1536:RCyqWhBVC4LN0IqxxSWtn69X0CJDwXwlFoE4nO:0y7BVVLNbqxxTt69kKUMFoEt

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59980a5a3472e8737e7a72f870061235.exe
    "C:\Users\Admin\AppData\Local\Temp\59980a5a3472e8737e7a72f870061235.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Windows\SysWOW64\KartSvr.exe
      "C:\Windows\system32\KartSvr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:3528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\KartSvr.exe
    Filesize

    24KB

    MD5

    4fbfed4d1fdc5a71277f9df2be8385d5

    SHA1

    314b0dc2da7d78cfb66312725b6380dfa100d295

    SHA256

    a6eee971554e97fd03d0994e84ce73bed3093d7251acf8748f7f9091f1558007

    SHA512

    82fb106024cdf58c4a5cc24e51c83c092e20978436c75b5c16171db60d2074b9bbf53a7b594d70f157477badf9a36c64bf1512ce87c3a4052cd933f094d5e0c4

    Download Submit

  • C:\Windows\SysWOW64\karnel32.dll
    Filesize

    64KB

    MD5

    8d9047175ee6b511ce951a07621a54de

    SHA1

    4a7525c8cb7f89d4228e26504557baf714ee9dc6

    SHA256

    984bf5c1a531ba1c0f55316383dd0b9b91f0661f350b90c96f60b311110de237

    SHA512

    dc349e9ef53c927e7840d5aa91255a2e92d440c56bd4075af76eb002ec2dab2c01f5839dc3c9eb99be9e7e5db3ad6e40f6690f7180f764cd9e59bbb01bfc2fc8

    Download Submit