Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

965c28adeb...be.exe

windows7-x64

8

965c28adeb...be.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/02/2024, 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    965c28adeb669aa74549e117c176e3be.exe

  • Size

    1.0MB

  • MD5

    965c28adeb669aa74549e117c176e3be

  • SHA1

    70b5f0583a2973219f9b187e2bed8404be5aeb3a

  • SHA256

    9e1ae3b4e55a48aa40649622e37d4322f761c91feb5db2d6620449217cb38fd7

  • SHA512

    99c3de0116ba6847a6a1dc569e3f58a635900a9aaa9e9109a968d63f0c939cbb7af782d4094aac59b2b6abfc5530844b9c6fcfe9026dc795bafb12b6501bae20

  • SSDEEP

    12288:zKz0viabdAm4EhAhRw95PxS0mVEwe96AkzCdcH8uSS64tBaQsh6DQ+m6brTQS4N8:zE+Amy0mg5kzCxKF26bQSsTzs7

Score
8/10
aspackv2persistenceupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 2 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 11 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\965c28adeb669aa74549e117c176e3be.exe
    "C:\Users\Admin\AppData\Local\Temp\965c28adeb669aa74549e117c176e3be.exe"
    1⤵
    • Adds policy Run key to start application
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\SysWOW64\dtxservice.exe
      C:\Windows\system32\dtxservice.exe -atm
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4252
      • C:\Windows\fps.exe
        C:\Windows\fps.exe /stext C:\Windows\fps.atm
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3660
      • C:\Windows\CRSS.EXE
        C:\Windows\CRSS.EXE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2996
      • C:\Windows\iss32.exe
        C:\Windows\iss32.exe
        3⤵
        • Executes dropped EXE
        PID:868
      • C:\Windows\mps.exe
        C:\Windows\mps.exe /stext C:\Windows\mps.atm
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3164

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\CRSS.EXE
    Filesize

    13KB

    MD5

    067c3c377e0346290862dc8791e81fb0

    SHA1

    9a4d3a6ad5fd102eb32a6f1229c80c15dc495409

    SHA256

    18cbf1415419f9f27425cea06c32e9a2f041ec52a39d78d58922efbb698b9d76

    SHA512

    0c0f0a1e4144accb97d159096cbd4003e77ca0ac792727002c2fe402dc12471a16e90ae3622f1f96d25a333af36a4dccbe80a6689bed080ba32e28dd845960aa

    Download Submit

  • C:\Windows\SysWOW64\dtxservice.exe
    Filesize

    10KB

    MD5

    a34e40eef9a5babf10b532916b5da83c

    SHA1

    618481c13d695e9f80a6a59196ee63b2fabb1532

    SHA256

    ffc3ad27a0772f990ca7142a9a70f1073fb1b7712a642cf269460fb9209f8191

    SHA512

    fa4dd73f2f8dbf5f5bef7d9e274885ea0f02a8334008fe0e159a3bf9c28c825d246ae39ff2d606e4a75c170381d991eda52ed119b99192ab5a4b0994a3576e3e

    Download Submit

  • C:\Windows\SysWOW64\dtxservice.exe
    Filesize

    9KB

    MD5

    5c2bbe341a9028f5b7ba3369a926f51d

    SHA1

    6d8632e136ceee52f4040972c660caa88fd4afac

    SHA256

    04b2441fa3bd589b346cbb52c532fb48bc8e67fbb7b7bb5f1a4992ed68e9cab3

    SHA512

    ab97430dbbe2f10f4ac3a92000cb5b281d836c88c89aed91d2daa6d9804bb3fa5892ef3b53f602fafb1134a14d4d9865f12b29295d34b3b2f1896bef7fe7520b

    Download Submit

  • C:\Windows\fps.exe
    Filesize

    14KB

    MD5

    16d0b87ea242e563ccbf13fbfc279915

    SHA1

    a56a456b48f5318ca57cce4d75e2f0e3493850d4

    SHA256

    1a4cef71598d42e1765c89fa5f0d91141e313c89d25418d7dc5e2b4b9bfc07aa

    SHA512

    ee9b92a5c17bcf17812d18bb9f0e993537a9a1c1bb4938442aef9005046c4547be61380cf5cf01c7a710b07d5d0e116a4a8e8263d3ad73fef1e0c1de196f6cc0

    Download Submit

  • C:\Windows\icq.dll
    Filesize

    7KB

    MD5

    07fbfe41f346165ddf49ff1a0efac0c6

    SHA1

    10355863e48ab258fcd9e2db2218d717b9b95d5e

    SHA256

    fbc2717905a942d8489c66603c03ffcc94e7b643caa3e343a7b4d4da5f115093

    SHA512

    2893228f10fb1c41dcafe4132d25e9cf42af608168a5726961e0030334dd57e697d99998032bb50710ea27463fb6c9899341b0cf2a004bedac7cbb0aea00a2e4

    Download Submit

  • C:\Windows\iss32.exe
    Filesize

    3KB

    MD5

    d36a7e657fb830da92a59bccb67948a5

    SHA1

    730d2499b9ffffa7a3e29b9f973728f2c9547827

    SHA256

    0f855337f81800b5df27abd91f85c9a4187ac553e0a65b2a9719d5db1df08b39

    SHA512

    0a24a2f87fcf35937520bde130862af7f40b3fcb29c8f09a197faa5e11a33b7db35b765b2494f719b28ef51060add5324aff441a825a3c87287fa64665e140c8

    Download Submit

  • C:\Windows\kdd32.atm
    Filesize

    8KB

    MD5

    51abb91f79fc8057f9ac61877fb480d5

    SHA1

    42790a05bb6cc05292977d70bf9ae60350aca1d7

    SHA256

    6bd988e0c55f611e20ff740c76870dc892505725e9852580fe23bade1a8978fa

    SHA512

    4b115ec069cecd082e72c5728aab8902ee018705ed9ad11731e47efd0f6d5d8e2412485d4713cb4ab20bfdd3d03f5919b2bb60a361af6ac69e7566a4fc015413

    Download Submit

  • C:\Windows\kt.atm
    Filesize

    29B

    MD5

    d4d0a66ac4c1820c90f62f77099b547a

    SHA1

    c8f96649ec9865804efc925472b931005925f3ff

    SHA256

    997394c51fb18768bbb7a8e6cfe7bdec1efa0bdd82ed3507f3f1cc46ab459ff1

    SHA512

    9ab9b7d786bdbd2e5bd596060930c64ee1496cbdf423bd283fbecee13501adeb149d4aa7290d410dd153a255ef6513e6a8356a88740efa4badb3190fb5388ebb

    Download Submit

  • C:\Windows\mps.exe
    Filesize

    17KB

    MD5

    4bad43105d4d557ae90d2f094e4bb833

    SHA1

    1d80ae0e7806c6cb2425131604373acb62ef8991

    SHA256

    918d1c42a73d79c4296f8fe3683070803916df4f5a236e84aabf665215e266e2

    SHA512

    278a11bb0fb2f17b91e1dc63d6b9a6376c332a41fdcedcd55d96b208b39b769e7edd1f41a614a80e24f409ba098a06b3da6848a6ab9ad0ff37e5154376ef681c

    Download Submit

  • memory/868-25-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/868-26-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2996-30-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2996-41-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3164-21-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3164-20-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3196-38-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3196-0-0x0000000000720000-0x0000000000721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3660-16-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/4252-43-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-58-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-5-0x00000000006E0000-0x00000000006E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4252-42-0x00000000006E0000-0x00000000006E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4252-37-0x0000000010000000-0x0000000010009000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4252-46-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-49-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-52-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-55-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-39-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-61-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-64-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-67-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-70-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-73-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-76-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4252-79-0x0000000000400000-0x0000000000514000-memory.dmp

    Filesize

    1.1MB

    Download