Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

c9df8ee829...50.exe

windows7-x64

5

c9df8ee829...50.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 05:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe

  • Size

    716KB

  • MD5

    95269aceffe9ce44698b97ae89f6909c

  • SHA1

    e666771f265fbe6ffb19726def6dcb333ab8cf7e

  • SHA256

    c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150

  • SHA512

    4bb88004d72c57fb0d27cd5dece1a02cd56fbaff968a1e3bf10b0f7a3bbf98afd0cb7171664d5cda28835d8f90a6d52cab70a335091fee5c49947dc6258d8f47

  • SSDEEP

    12288:x4EzqHKMbNrpZ4ZQtsLWhI7xjuNFU9J4rjmmbC+nulxpUuVxpSRxD0DN7MTlMxov:xrz87bBH4pLyYuzMe2x+uxBpSRuN7MRT

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe
    "C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oRwcFTVBKGJFE.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3076
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oRwcFTVBKGJFE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2853.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3332
    • C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe
      "C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1624
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 184
        3⤵
        • Program crash
        PID:3500
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1624 -ip 1624
    1⤵
      PID:3524

    Network

    • flag-us
      DNS
      13.86.106.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.86.106.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      209.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.178.17.96.in-addr.arpa
      IN PTR
      Response
      209.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-209deploystaticakamaitechnologiescom
    • flag-us
      DNS
      23.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      26.165.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.165.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.134.221.88.in-addr.arpa
      IN PTR
      Response
      18.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-18deploystaticakamaitechnologiescom
    • flag-us
      DNS
      18.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.134.221.88.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      173.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      173.178.17.96.in-addr.arpa
      IN PTR
      Response
      173.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-173deploystaticakamaitechnologiescom
    • flag-us
      DNS
      173.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      173.178.17.96.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
    • 20.231.121.79:80
      46 B
       1
    • 8.8.8.8:53
      13.86.106.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      13.86.106.20.in-addr.arpa

    • 8.8.8.8:53
      209.178.17.96.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      209.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      23.159.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      23.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      26.165.165.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      26.165.165.52.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      18.134.221.88.in-addr.arpa
      dns
      144 B
       137 B
       2
      1

      DNS Request

      18.134.221.88.in-addr.arpa

      DNS Request

      18.134.221.88.in-addr.arpa

    • 8.8.8.8:53
      173.178.17.96.in-addr.arpa
      dns
      144 B
       137 B
       2
      1

      DNS Request

      173.178.17.96.in-addr.arpa

      DNS Request

      173.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      365 B
       5

      DNS Request

      240.221.184.93.in-addr.arpa

      DNS Request

      240.221.184.93.in-addr.arpa

      DNS Request

      240.221.184.93.in-addr.arpa

      DNS Request

      240.221.184.93.in-addr.arpa

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      144 B
       158 B
       2
      1

      DNS Request

      21.236.111.52.in-addr.arpa

      DNS Request

      21.236.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_psi3wbzv.sce.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp2853.tmp
      Filesize

      1KB

      MD5

      116455775b02ae1dd2c9562db36aa01c

      SHA1

      8fe4b71e21d91055907f0f31238cf30b10ab22d9

      SHA256

      5403d1b6391f46da4186dd0066adbafc910e11229759bdb58f8654240a2c474d

      SHA512

      3d19084f82452a363979499ddd8a1a5e243d111809a8ad804585e23b17f140677ff3935d199b39ed6a35fc309e64991f7e879eea3d026a9e7a08a794ff2cf5e9

      Download Submit

    • memory/1624-43-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

      Download

    • memory/1624-40-0x0000000001020000-0x000000000136A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1624-24-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

      Download

    • memory/1624-23-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

      Download

    • memory/3076-46-0x0000000070B40000-0x0000000070B8C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3076-56-0x0000000006100000-0x000000000611E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3076-69-0x0000000075000000-0x00000000757B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3076-66-0x0000000007170000-0x0000000007178000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3076-65-0x0000000007190000-0x00000000071AA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3076-64-0x0000000007090000-0x00000000070A4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3076-63-0x0000000007080000-0x000000000708E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3076-17-0x0000000002210000-0x0000000002246000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3076-18-0x0000000075000000-0x00000000757B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3076-19-0x0000000002380000-0x0000000002390000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-21-0x0000000002380000-0x0000000002390000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3076-62-0x0000000007050000-0x0000000007061000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3076-22-0x0000000004D40000-0x0000000005368000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3076-61-0x00000000070D0000-0x0000000007166000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3076-60-0x0000000006EC0000-0x0000000006ECA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3076-59-0x0000000006E50000-0x0000000006E6A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3076-27-0x0000000004C60000-0x0000000004C82000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3076-28-0x0000000005460000-0x00000000054C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3076-29-0x00000000054D0000-0x0000000005536000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3076-58-0x0000000007490000-0x0000000007B0A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3076-39-0x0000000005540000-0x0000000005894000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3076-57-0x0000000006B30000-0x0000000006BD3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3076-41-0x0000000005B40000-0x0000000005B5E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3076-42-0x0000000005B90000-0x0000000005BDC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3076-45-0x0000000006140000-0x0000000006172000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3076-44-0x0000000002380000-0x0000000002390000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-4-0x00000000051E0000-0x00000000051F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-9-0x0000000007E10000-0x0000000007E1E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4876-7-0x0000000007DE0000-0x0000000007DF4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4876-2-0x00000000055D0000-0x0000000005B74000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4876-3-0x0000000004F70000-0x0000000005002000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4876-26-0x0000000075000000-0x00000000757B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4876-6-0x0000000007AB0000-0x0000000007B4C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4876-1-0x0000000075000000-0x00000000757B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4876-0-0x00000000004F0000-0x00000000005AA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/4876-12-0x00000000051E0000-0x00000000051F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-11-0x0000000075000000-0x00000000757B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4876-10-0x0000000007F30000-0x0000000007FC0000-memory.dmp

      Filesize

      576KB

      Download

    • memory/4876-5-0x0000000005130000-0x000000000513A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4876-8-0x0000000007E00000-0x0000000007E0A000-memory.dmp

      Filesize

      40KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.