Analysis

  • max time kernel
    137s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/02/2024, 12:18

General

  • Target

    996887ad773945a7884931c5f1ff5c94.exe

  • Size

    61KB

  • MD5

    996887ad773945a7884931c5f1ff5c94

  • SHA1

    bbe87a1764221a20f8f35b4291ddb5cce7a8f468

  • SHA256

    ff1caada5738fcb6cd6e4e83841e2bdfe49cbf767d7d4d6f1fd437e56b702a89

  • SHA512

    7ec3b233032423ce0d09dbb23b31af24f82469b07e0ff11b728bcbc3e22bf95e829a14565fe8b8199d461ed431f3b2d19146ff8cf934c92fb2eb650266a0dfaa

  • SSDEEP

    1536:B4lqiNHnPSMQQ+Z45SNTxdBlsZr48ECzJP0xBt7haC:GaMQ/7NdrlxaFPkt9

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Program crash 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\996887ad773945a7884931c5f1ff5c94.exe
    "C:\Users\Admin\AppData\Local\Temp\996887ad773945a7884931c5f1ff5c94.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s C:\Users\Admin\AppData\Local\Temp\aaa.reg
      2⤵
      • Modifies WinLogon for persistence
      • Runs .reg file with regedit
      PID:5100
    • C:\Users\Admin\AppData\Local\Temp\msdtr.exe
      C:\Users\Admin\AppData\Local\Temp\msdtr.exe
      2⤵
      • Executes dropped EXE
      PID:4012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 532
        3⤵
        • Program crash
        PID:4444
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4012 -ip 4012
    1⤵
    PID:4804

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\aaa.reg

      Filesize

      413B

      MD5

      e62423d7be4ca6661ca629d6b7a9a104

      SHA1

      ae0e34911292701ff9c94869364a36b98ef76fed

      SHA256

      11fa728742f4d51b25bc1e16fc77db63226fc702c10b5e3c6f098f562fdae64c

      SHA512

      9de8f6b68f28637ef4844df8914b926a3d7e90e3013b4aa4e871eda3e5d8d9525747541061f9e46528c1201a10bab520c763ad2dc5e841001eb5b24f077f79c7

    • C:\Users\Admin\AppData\Local\Temp\msdtr.exe

      Filesize

      41KB

      MD5

      4c3dce52edaec8f5e3a7a8775623d669

      SHA1

      e54587845bb153cade4c025d6519ace63d1ac92f

      SHA256

      b4a33369d9f2b2a43196229106bd21bb4cada7aebf662fa369d65101856df9a9

      SHA512

      70b1f49d8cc39272ef96a11c19d2a2a710bf976402c7091a47b396c476c05b113aadf8be45300477774a7ec8cc2d2e56ba953ea0a181dc934e2b766634dfcc9f