Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

abc15af400...99.exe

windows7-x64

7

abc15af400...99.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/02/2024, 11:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    abc15af4008e8832a0a6cc6c90bf1599.exe

  • Size

    724KB

  • MD5

    abc15af4008e8832a0a6cc6c90bf1599

  • SHA1

    66ccce6161849dd40d20bf1b5b30f2ee4cd74bd2

  • SHA256

    9b2b1e301bed2e080fb835aece6d2644b1ca3b5b673b34617bc6c0f378307d5a

  • SHA512

    faf4ba5cf6f5782b9b4dea6e2320ef6dfc207c011682f03b90a3430b43844c18ca3b2634ff040783f7575f065794284968185d86639dec48c3fac3febf10a872

  • SSDEEP

    12288:uxHjL99LsEONTlqagN59/2MzTcDYOtygo2ZJTaR6fHl6vKP2rUi6K6aKUUifD0:aL99wBTlqagH12OcDYOogo23WR6fJPSK

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 38 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abc15af4008e8832a0a6cc6c90bf1599.exe
    "C:\Users\Admin\AppData\Local\Temp\abc15af4008e8832a0a6cc6c90bf1599.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\server_se.exe
      "C:\server_se.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\SERVER~1.EXE > nul
        3⤵
          PID:1312
      • C:\¼Ò³àsa.exe
        "C:\¼Ò³àsa.exe"
        2⤵
        • Executes dropped EXE
        PID:64
    • C:\Windows\SysWOW64\jgdvcl.exe
      C:\Windows\SysWOW64\jgdvcl.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:4924

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\jgdvcl.exe
      Filesize

      721KB

      MD5

      e94bd541111f718634e72721791dd25e

      SHA1

      88afeb012e06b22c8ef4644d38ddbd37d13d6e16

      SHA256

      96eb6dcd413555efba50864f9f5941dc58f48826901efc387f887ee30d150314

      SHA512

      64921297684cdf76467b251d99e04832cf0d5acd16eba2d32e3058471dcc99c16c55aa59be171c42452f1cf664b01e4db0156416eecb18cbeb814eac10428ed6

      Download Submit

    • C:\server_se.exe
      Filesize

      1.0MB

      MD5

      25b839ba896917b0e8f29cb76daad781

      SHA1

      ba5d8c46534c38fec877ac7f972fc53516f5d120

      SHA256

      6914efea0c5bef4396dd9a548e5a12e21fa9ed7cdd4f5cd8ff5f3342510f292a

      SHA512

      0fc51a1ceaa6fde84e5defc83e7d5e284bad9d84d34948a62c98ea9091123c7c00df28b347c545e0df0eb3151ba121acd64b9778c2fec2ab95ea22ac7cead084

      Download Submit

    • C:\¼Ò³àsa.exe
      Filesize

      384KB

      MD5

      ae2381b00c6fddd48a3aa2b2f6245df7

      SHA1

      caa4b850ff9f0d9c4aaf4ba7cf4190594035799f

      SHA256

      4d2fbd0727086715331680c06a2a79fd3ed1b003ea1386fab97f0d0fd878c653

      SHA512

      22c6d2eaeb1b96320171377cdc49cb0713430ca85fdecde108730d0a21bc96c43c11b0680505d12632d42100ee7a214dd005d490c3706135368246ea16d2d1a5

      Download Submit

    • memory/64-23326-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/64-17-0x00000000005C0000-0x00000000005C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4900-3892-0x0000000076F80000-0x0000000077120000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4900-23324-0x0000000000400000-0x0000000000511000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4900-13086-0x0000000000400000-0x0000000000511000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4900-13087-0x0000000000400000-0x0000000000511000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4900-13089-0x0000000000400000-0x0000000000511000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4900-18-0x00000000773C0000-0x00000000775D5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4900-26165-0x0000000000400000-0x0000000000511000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4900-5901-0x0000000076070000-0x00000000760EA000-memory.dmp

      Filesize

      488KB

      Download

    • memory/4900-14-0x0000000000400000-0x0000000000511000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4924-18975-0x0000000076070000-0x00000000760EA000-memory.dmp

      Filesize

      488KB

      Download

    • memory/4924-16966-0x0000000076F80000-0x0000000077120000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4924-26162-0x0000000000400000-0x0000000000511000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4924-26163-0x0000000000400000-0x0000000000511000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4924-13092-0x00000000773C0000-0x00000000775D5000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4924-26164-0x0000000000400000-0x0000000000511000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4924-26166-0x0000000000400000-0x0000000000511000-memory.dmp

      Filesize

      1.1MB

      Download