Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

App.exe

windows7-x64

7

App.exe

windows10-2004-x64

7

Freemasonry (2).exe

windows7-x64

10

Freemasonry (2).exe

windows10-2004-x64

10

Freemasonry.exe

windows7-x64

3

Freemasonry.exe

windows10-2004-x64

7

NisSrv.exe

windows7-x64

10

NisSrv.exe

windows10-2004-x64

10

Presentati...he.exe

windows7-x64

1

Presentati...he.exe

windows10-2004-x64

10

SecurityHe...2).exe

windows7-x64

10

SecurityHe...2).exe

windows10-2004-x64

10

SessionService.exe

windows7-x64

10

SessionService.exe

windows10-2004-x64

10

SgrmBroker.exe

windows7-x64

10

SgrmBroker.exe

windows10-2004-x64

10

SocketHeciServer.exe

windows7-x64

10

SocketHeciServer.exe

windows10-2004-x64

10

cmd.exe

windows7-x64

10

cmd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/02/2024, 09:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    App.exe

  • Size

    2.9MB

  • MD5

    d6655c8f5158766bf2e91da966403580

  • SHA1

    85da9aa520bee8965af536347a1c05d54b6410fd

  • SHA256

    5a7bce33bbc1301553999bbd79747e8cef41dfae07e95474bd61cd5ae501f326

  • SHA512

    f2bf55cac91325c99372609777cfd08d0510b59886055b3e436dbedffc84dbf45ba237593cf2399f1795279a7df412a4a7ef73dce5b6abc9dfdb3f0b5bc4e6c5

  • SSDEEP

    49152:XnQT/qnwwnZQKuvYSKU/ESvdaU+c0/IVes7kJXBjYOMjUfkptVxOdxiy:XQTdwnBgYSKU/xvzg/IVeMjUu5

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\App.exe
    "C:\Users\Admin\AppData\Local\Temp\App.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Users\Admin\AppData\Local\Temp\jdk_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\jdk_installer.exe" /s /L 1033
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Users\Admin\AppData\Local\Temp\jds240653593.tmp\jdk_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\jds240653593.tmp\jdk_installer.exe" "/s" "/L" "1033"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\LZMA_EXE
          "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\msi.tmp"
          4⤵
          • Executes dropped EXE
          PID:2596
        • C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\LZMA_EXE
          "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\jre1.8.0_391.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\msi.tmp"
          4⤵
          • Executes dropped EXE
          PID:2040
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:416
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7CA03402E05271F59FF9A5848A865C5C
      2⤵
      • Loads dropped DLL
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
    Filesize

    471B

    MD5

    2a12175652740bd6dd01bd5ca7c9e5bf

    SHA1

    754124bc89ba7cde8ef7dec80608e1c00416920b

    SHA256

    463df6c55eae64b5e22fbd1e75f0d4f5947056a841378f3d70bade7bf8a808fb

    SHA512

    23652b4d130ccd1e71596ed009451fd19c3e0e2062f0886ccdb9430c8d2518a335d072fb903203fd9234d58e97d90a10ef0b548cd14c769b1489939ce6d03361

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD
    Filesize

    727B

    MD5

    fce918e4e989b35ed39f5ff69c88b765

    SHA1

    2e66d27d1246c9e544edbbf3c53d28e969b384ac

    SHA256

    484b9870c1eab06d7b97f02267ce51d58770cac1f2184f82a62ef0cbe02b6886

    SHA512

    e21e272c89fabcec062c65904208eec9530db553469786cfd497782cf5a62027d9996054fe7f4046822330fa7a11df878df715059408ce5c9b605d4701af34b9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
    Filesize

    727B

    MD5

    0c318f7ef14f60dba06102f3d054bf80

    SHA1

    22d18a581d5e0fd205072c6e2a0cd611f5528946

    SHA256

    8c4b15c1c2c35e9f90c88d0583c97b7b841d2baf67d11b53896dfaf9beefa029

    SHA512

    e1b2920cc3f7527cfa51093c63b97d0ce3d42046f96a9948ee5d6a00266ed7956ddf67527f16c67f1777ef56fe4f649a837433e2168d3499a3fc736513fd976c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
    Filesize

    400B

    MD5

    3178323a71bfa713a63323b5db7ecc30

    SHA1

    4b80f035d4eafd4a7e24196f5985a9ae3d1ba5a6

    SHA256

    7506f19e1077bd15ccbe2aa9435c8632cf2d4412bfb5a051fcb92335e461a73f

    SHA512

    ff90fc33960e3326594a7f40aa67d1086546e76fb2f7646dccf4b9bf750d0455ef155720f045bcf69f15b3c39e09354e12b8fb3525254e070353e35ede1fd334

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD
    Filesize

    412B

    MD5

    d4357f728113e93f0d1d17f9abfa7d59

    SHA1

    7f13c7dd91353a3e1ad78ce578697710f855f656

    SHA256

    63f19c92982e9e23e2ee0c0b5a2ab6bccd104fcdbb3767bfdc03f39a72e7eb4f

    SHA512

    a3a86b5c6e76ce8f31a39ad8cfaf3adec8eb3dca528a635c092e1728fc3fe0c6cf740621e3d78a76057a8a68e9eb3877123b1363071799807431fa24a57219ef

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
    Filesize

    412B

    MD5

    a0faf9b0143c6b09382f84ca8f01dcce

    SHA1

    f664869f0930f950b8147ab3f7258198c466cabd

    SHA256

    aa22efa523e7a96cc0f5a5601751c09f43ffd0de2367888a283f71e617589120

    SHA512

    36368259cd961496ecde894656fbe92fab540ea6b9cc62b5b9accc8682ff6104dc5cc35998c927e93ef1379aa5c822e7d14e473243d82781d7a7fd372cfc0896

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\LZMA_EXE
    Filesize

    142KB

    MD5

    3842c46f2fbc7522ef625f1833530804

    SHA1

    3615c072ad5bdadba5e5e22e75eefaf7def92312

    SHA256

    17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

    SHA512

    9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\au.msi
    Filesize

    854KB

    MD5

    88829905dcdde506d0c1471b0195050d

    SHA1

    dc4fcd2ad4ff3dc6c36aced5511f586fb120a230

    SHA256

    60d424c4de000e7563fbf9392ac58b0f25b9cf5f7cb22f0065f52b22663eb2c3

    SHA512

    98e315e35988474730290ad59e45148a9c75e1288d3626bfd63df9e8b9c5e934d6889ec26a824093630760a4a0d48dffada0e1e24b2b005c9050c77603a83507

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\jre1.8.0_391.msi
    Filesize

    54.3MB

    MD5

    b9202c07e9700128f3344f87a9b5d653

    SHA1

    804cbbb42250fcd616df483d95c3cf6c679ee4eb

    SHA256

    5c75ebc1030e1a72dc560f3f765c4ef928a105f95e007b8007196d1b274e8eff

    SHA512

    e3d86c128ceff09522efb5ec52396e8329eb8490d177c4ef27f92ecc6b3924f1d3bd7b5970875d62232bf9c7e9c26485f757264e685b1b6396ec6033a529a046

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\msi.tmp
    Filesize

    1.0MB

    MD5

    30c344d8cb167b34256ceaebf8bbad3e

    SHA1

    d21c34641779e89085978d33e140ced8b8280510

    SHA256

    deb4dbe677dea94f79e15a66895b8b13e8a9c875cf74c0a51ccc87d268bcc3fb

    SHA512

    f9dc7badc8173f21a4e3886f236e662cd7bb9673b508c87885928ae99bffb59aad0b2bd32c68bc71ba5677d9a6f175d31aee2158b0158ecaf5e8badd07ea110e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_391\msi.tmp
    Filesize

    55.3MB

    MD5

    d8c4ec0a595dea3095181442c44e4a73

    SHA1

    6a978b1ee0ffd13fd8115fd1cfdf19b68a2c30fa

    SHA256

    d8ac0f5bbf9c83963fd893345008ba863ff821678d8adfc6a0b3cfd3d3325cc8

    SHA512

    fd73e38fb96e7163da65bb1e8a8caf89efc53ee78281cb7c217710ba277f7cf5f15c24b474ef75fa1cc1ccc2e9aa1fe8fac11c7a26368b60b9bfc2a99ba06c2b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jdk_installer.exe
    Filesize

    2.2MB

    MD5

    029ae246a9b5fd436a1b979e5f4aa54f

    SHA1

    4ab915f93bc2ea46eda2fcfbf037b956099ada45

    SHA256

    71d4b153af014ac81576fb91bb97ef6c4640f0486f98c2e4c9bb15b87fb9df58

    SHA512

    6c3140c1d8dca2be8ad8eb6360318a8cef78e4f31fbee635f0870e0d2bb0f1679948da3b98af1282fe8d586f9f7c3d3a82016f522a1d1447b1e59158146caf31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jds240653593.tmp\1033
    Filesize

    1KB

    MD5

    f83822715534a8a2556c1967831c79dc

    SHA1

    869a652119853faf2ebcf2da76a108f756251ce2

    SHA256

    213f3ba3438c4ef9df89564109eaf953fda19b4bb8bbf4101a01c88183a013c6

    SHA512

    ff9c7f63eb1a085e0a47bb2a3ffb858669128de9487cbc2b89dd9e7cfb87fd8118e2f8c18c38a66840e6822f06d545087c7aea31e8e6ad88798bc74b0bfbe05f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jds240653593.tmp\jdk_installer.exe
    Filesize

    1.9MB

    MD5

    75d9ccd961bf6a9a479da2ef26d81b3b

    SHA1

    920f6bf9ec385cab84de5339089946a787c44618

    SHA256

    eadeddda2ca9d88d666ce6614389cdba25f518132e8245c5454b98a09888d252

    SHA512

    3dcfef4cd2c43137977b56931d920b43e86985722e05079863457b5c2ddf433f04be074fc719256fec372932b9f9ab87e7930a0cc8208f322cd0896e18a2cca4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jusched.log
    Filesize

    154KB

    MD5

    b05357687e211f3d3c677a439d3a5559

    SHA1

    349176e9aad79928a62056bc9dfe41a3ed710834

    SHA256

    8ef880c026fdebcd1ea7a5ef3dc1a4abfb7d48ded21b942dabf2d45ae430832b

    SHA512

    9082ded5306ad40d1158090fa162e70a8e89267786a8b6581f1ab5c1d8b012757bba3263b2f4bb33b7de004252b896f7384ced853afde106ee0bffef29805add

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jusched.log
    Filesize

    185KB

    MD5

    3ffbc1708cfd074db8143895c3b158bc

    SHA1

    d752c92673539d6feb22bd39e79a88c5abfd7635

    SHA256

    23482545be310254d7b57f1a29fde6fc5b14efdcaff224ce83ec3a9fca8d8ea9

    SHA512

    1a6634191fe99bcc1a4690643e0f5e9fc64f920f2984f7fd6b8e4c1a93be81f4ce6d80c75016770f5126f449aa89ccbad6379eefa434969a7234720bfaa00009

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\jusched.log
    Filesize

    154KB

    MD5

    37021ed4da238938c2bb276da05a4a33

    SHA1

    9aecee3c401e4597efac2170d4190550afb1e3a7

    SHA256

    303c2814b44458c9762639c3167a30f5097ce97f1b8f3f432c1ba9ef3791a3f2

    SHA512

    49d3ae8c1a8bbf469992cb72589b44dcfc61839e10a8decbb4994eab6e56ad31d3d673dad10b60b8aa865fb05a0c9cefc95ae34e2f949e1c414b2a567fc54a4e

    Download Submit

  • C:\Windows\Installer\MSIA94B.tmp
    Filesize

    771KB

    MD5

    aafe9c94ba924bbcfc7cddd69f6e84cd

    SHA1

    4bc86e2f833b39d1e84c7c0f3cfa06ae054f6938

    SHA256

    87e89738e8e501dfb48c8e5af51c02fd24d91fad3249f2d5bf9798a918ac4e96

    SHA512

    ffccf876f5edff516e35b4a8dec264bf78f77895f70f0173591dd001f89a5e8ce60ccda1d08acecf63ab3207f9fb7c8afb44d42be2dc89fb69fcf8a86d3bb9bf

    Download Submit

  • memory/4808-203-0x00000000748B0000-0x0000000075060000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4808-0-0x00000000748B0000-0x0000000075060000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4808-1-0x0000000000440000-0x0000000000722000-memory.dmp

    Filesize

    2.9MB

    Download