Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

c9df8ee829...50.exe

windows7-x64

5

c9df8ee829...50.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2024, 05:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe

  • Size

    716KB

  • MD5

    95269aceffe9ce44698b97ae89f6909c

  • SHA1

    e666771f265fbe6ffb19726def6dcb333ab8cf7e

  • SHA256

    c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150

  • SHA512

    4bb88004d72c57fb0d27cd5dece1a02cd56fbaff968a1e3bf10b0f7a3bbf98afd0cb7171664d5cda28835d8f90a6d52cab70a335091fee5c49947dc6258d8f47

  • SSDEEP

    12288:x4EzqHKMbNrpZ4ZQtsLWhI7xjuNFU9J4rjmmbC+nulxpUuVxpSRxD0DN7MTlMxov:xrz87bBH4pLyYuzMe2x+uxBpSRuN7MRT

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe
    "C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oRwcFTVBKGJFE.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oRwcFTVBKGJFE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp213.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2180
    • C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe
      "C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe"
      2⤵
        PID:1788
      • C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe
        "C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe"
        2⤵
          PID:1864
        • C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe
          "C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe"
          2⤵
            PID:1444
          • C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe
            "C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe"
            2⤵
              PID:2744
            • C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe
              "C:\Users\Admin\AppData\Local\Temp\c9df8ee8291e7b125f140eb2dbad2c9eecd45b58e3b85a1c38d01ffcf3218150.exe"
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2812
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 36
                3⤵
                • Program crash
                PID:2908

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmp213.tmp
            Filesize

            1KB

            MD5

            155eb40ac799d8cc88e106754bd81446

            SHA1

            056bc89ee21ca1b5d064f89fe594ebaba745c7c7

            SHA256

            b157fc30947bb5321644fb74e4d74368c3723ddeb434d869464f1818d0ed0c80

            SHA512

            56f803350f08b0c5f36971ad3b62f76c398e357a56e90b484b80d6f0aaaf161dea1c6a1aaedc568368a6b2b0d0a35b5e74b05e8cdf3ecd7d61e05ae95a9a4b65

            Download Submit

          • memory/2420-21-0x0000000073FA0000-0x000000007468E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2420-1-0x0000000073FA0000-0x000000007468E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2420-2-0x0000000004C10000-0x0000000004C50000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2420-3-0x00000000040A0000-0x00000000040B4000-memory.dmp

            Filesize

            80KB

            Download

          • memory/2420-5-0x00000000040D0000-0x00000000040DE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2420-4-0x00000000040C0000-0x00000000040CA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2420-6-0x0000000005A10000-0x0000000005AA0000-memory.dmp

            Filesize

            576KB

            Download

          • memory/2420-7-0x0000000073FA0000-0x000000007468E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2420-8-0x0000000004C10000-0x0000000004C50000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2420-0-0x0000000000290000-0x000000000034A000-memory.dmp

            Filesize

            744KB

            Download

          • memory/2624-22-0x000000006E410000-0x000000006E9BB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2624-24-0x0000000002510000-0x0000000002550000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2624-25-0x0000000002510000-0x0000000002550000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2624-26-0x000000006E410000-0x000000006E9BB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2624-27-0x000000006E410000-0x000000006E9BB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2812-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2812-20-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

            Download

          • memory/2812-15-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

            Download

          • memory/2812-14-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

            Download

          • memory/2812-23-0x00000000009A0000-0x0000000000CA3000-memory.dmp

            Filesize

            3.0MB

            Download

          • memory/2812-28-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

            Download

          We care about your privacy.

          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.