Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

1a922971e8...3b.exe

windows7-x64

7

1a922971e8...3b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 02:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b.exe

  • Size

    843KB

  • MD5

    a194de24dfbba6afe8153b8a7d593e7e

  • SHA1

    dd9e65550462722c10a07a6018ddc3fade4b1406

  • SHA256

    1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b

  • SHA512

    4f702036655b07112ccd9effc1602b92e1ec08edfe32a3ff649423a0ee6cc9a7897fb1404c13a3569e1bf1cd3d9d341d5f179038bb4c3f769c4472feb5567e20

  • SSDEEP

    24576:yxYS04YNEMuExDiU6E5R9s8xY/2l/dqLc83oIbt+ri:yxA4auS+UjfU2TAt3oIbt+r

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b.exe
    "C:\Users\Admin\AppData\Local\Temp\1a922971e8d5fa8744a85a508a90d81b5d7fa6b024400af40ca29433dc2da43b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    Filesize

    507KB

    MD5

    68b1736ab8392cee92f10ba3ab685be0

    SHA1

    08d6cfe494fad26dadc8993811ad55a4bc80d89e

    SHA256

    9a12b935d625e6bf97a1117c666e7610612f199e39b1aab2cd81917c3917bf16

    SHA512

    72dc81cba3fe82b6dbbbeb6717e1d353d4d792a18d8373033d34cd15cd78bdae2194b8b728ede74e10ae043c8fe73d9ab179b778fb039fd8d855d23421ffdfd5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    Filesize

    257KB

    MD5

    3e53abf7e68cb4d640977d492349531d

    SHA1

    5aaf341109ebd893d6e256c7c71a34dc7d38a16c

    SHA256

    ec0c656288ca86f2ce40e3d3c08c777f3ab3e4a4f6bb284986327dedd496b62e

    SHA512

    d4d18989882179344bef3f41f0e4d642e5c26e4df32313be6a1303e7d12f1054ac2e89b7f5bbc76eb17706ffeefbd57dc8a2f65a176e762687bd162c8e6b89dc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    Filesize

    315KB

    MD5

    9062fc4a7afb2a087a75963b7d6dbf3c

    SHA1

    2fa9d8350b101dd1ac97ff428bbae446d96435e9

    SHA256

    89fc2cd40109f55c166dfe270feac8cb27ce33c86ac2e35fc5e3262e121266b8

    SHA512

    fbc9ab4319929add9599a3c0b6580dcf50d8be889066b21b295e8bcb54919e51a745314477c43528e060a11038dc715f979abd077f9fb7939f7a5d930f21a41c

    Download Submit

  • memory/3392-25-0x0000000005FF0000-0x00000000061B2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3392-26-0x00000000059A0000-0x00000000059B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3392-29-0x0000000005480000-0x0000000005490000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3392-28-0x00000000751B0000-0x0000000075960000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3392-27-0x0000000006470000-0x000000000647A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3392-24-0x0000000005480000-0x0000000005490000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3392-23-0x00000000751B0000-0x0000000075960000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4540-2-0x00000000052D0000-0x00000000052E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4540-1-0x00000000751B0000-0x0000000075960000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4540-3-0x0000000002D20000-0x0000000002D2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4540-22-0x00000000751B0000-0x0000000075960000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4540-10-0x00000000058B0000-0x00000000058FE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/4540-0-0x00000000008A0000-0x000000000097A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/4540-4-0x0000000005A20000-0x0000000005FC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4540-7-0x00000000057D0000-0x00000000057D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4540-5-0x0000000005810000-0x00000000058A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4540-6-0x0000000005770000-0x00000000057BC000-memory.dmp

    Filesize

    304KB

    Download