
Analysis

  • max time kernel
    132s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240221-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    24/02/2024, 17:51

General

  • Target
    a26180892ad229612d66ec389876ea0c.exe
  • Size
    27KB
  • MD5
    a26180892ad229612d66ec389876ea0c
  • SHA1
    d5216afbd33e2aad4805a1570fce706b31c1249b
  • SHA256
    a0b35a0402a7b2a154eede3f2a17b48e72ee19f2c214d88a1ccf863bf5130e2f
  • SHA512
    559bba8f61f59cbefa0574b7acc74777409e6ebc75efe5161b21213f7bba458cef4be58686bdf8a2fb8cef0df1739cd62264b7218c8318dfeccfff6d3a2aa301
  • SSDEEP
    384:FE9injM/18TD+UdGvO375WswgUefZrpihrKJ+8jClje9WY4IQYt8wCuzgpNNxOYf:F/jMd/83TBLfhwhrUChh3Iz4NKY7HT

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2520
    • C:\Users\Admin\AppData\Local\Temp\a26180892ad229612d66ec389876ea0c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a26180892ad229612d66ec389876ea0c.exe"
      PID: 1912
      Signatures triggered:
      • Sets DLL path for service in the registry
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\microsoft shared\MSInfo\zyplxixv.dll
    Filesize: 36KB
    MD5: 8ce495c4608871b543d796ad6f2b9832
    SHA1: 7f1815342a1b3da4a5474a6f4278bade4f85230d
    SHA256: c12eb3b8bb3f8e38a43d9c5bc02418944ef0e270340aaa24b285eb3b83a63fa4
    SHA512: 86d883f4d1c788d920c6a2af8485088b59addbf6fb523ad1e58419a266ed050ca0fac4b102b1a17c3376382a1a357d37e3bc9f2c0cff2e6fe3f686fd1b30c445
  • C:\Program Files\Common Files\microsoft shared\MSInfo\zyplxixv.drv
    Filesize: 28KB
    MD5: b8739f1bc6b1405a2c5b05b652250d8e
    SHA1: d6012e55ab90f67f7da08b12f7da8644e95555dc
    SHA256: f268455ac5ea436f5a21eb24d1ef6d4fdd055f4fc4b97d81b8e6d863f0351591
    SHA512: 8d70c05608013f6a1acd4e0e5a3ff1ee8980484ceae58fadb7dd8ef0e65a16065cb01f373f9a25f38c1ad9f72e5affc27fc410243f3756fd94242d828508c7cc
  • memory/1912-0-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize: 20KB
  • memory/1912-14-0x0000000000400000-0x0000000000405000-memory.dmp
    Filesize: 20KB