Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

9850fa2456...46.exe

windows7-x64

10

9850fa2456...46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 03:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9850fa2456882c05ddd195c79da82346.exe

  • Size

    55KB

  • MD5

    9850fa2456882c05ddd195c79da82346

  • SHA1

    627721f9330713f7294d36c5edac4b011a99777c

  • SHA256

    f893fac6b6a48c5d27ce5665c1174a3c99dc4ba326e57dce71aa7976f9630ee6

  • SHA512

    a15d41a7877d84fdcba09128da8e4503d3ac7d2a4eeea327a6b4d5d95f6a200da71867ebfa2256aafcd9460fc87471239e26fa63882626af2534281acd3bf7fa

  • SSDEEP

    768:Oe3PFaDVyOQgljLDKRJyM3BmsHzSB4us/wJJapg4RoSMZeUZB/qmUuu07dgPVO6O:V3cpyORJLuB4P4AJJv4Romu/DUuHBgY

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\9850fa2456882c05ddd195c79da82346.exe
    "C:\Users\Admin\AppData\Local\Temp\9850fa2456882c05ddd195c79da82346.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Checks computer location settings
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:60
    • C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" "C:\Program Files (x86)\Microsoft\ie13\Internat Explorer" +s
      2⤵
      • Drops file in Program Files directory
      • Views/modifies file attributes
      PID:4696
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp.bat" "
      2⤵
        PID:1716

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nss4112.tmp\System.dll
      Filesize

      11KB

      MD5

      00a0194c20ee912257df53bfe258ee4a

      SHA1

      d7b4e319bc5119024690dc8230b9cc919b1b86b2

      SHA256

      dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

      SHA512

      3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp.bat
      Filesize

      186B

      MD5

      bd0a2e589dccc9ed26ef7aa18fb70f5c

      SHA1

      fd780c30a3e143aaf8a23eef50fbbe3239a1983e

      SHA256

      62a211ece64d3bee8d6a5278754b1315d45737613b219bd5eccf182eee256c1d

      SHA512

      a696367051cc65b3ae3240b1f949d95c2d8b6c9089394bee4a536ff5d20e02b25b2b0701c782821d53401a50a005c5269ba8ee69cd4b2303e48be37664b977f4

      Download Submit