Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

7

b7f6cbbe68...d5.exe

windows7-x64

7

b7f6cbbe68...d5.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    34s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2024, 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7f6cbbe68d2d92b0721408708c37dd5.exe

  • Size

    126KB

  • MD5

    b7f6cbbe68d2d92b0721408708c37dd5

  • SHA1

    9ce99e33a1a4e161bb2b6fb99003f79d9778fc59

  • SHA256

    529365d7e6520ef2d812fc361a135d910d639a6468d0203fcddf6e0819661832

  • SHA512

    a9aec2fe83a9ef871cc3b94ce53c9ec52e1df736847cb4a0f0ecdea36a2d28a637ceb124a812f081ffeac8607e9263312ae203cd2f5a36101f819a93f673f360

  • SSDEEP

    3072:dDKERFTYi2rQULKl6hp1fD4JQONLKcvM3/BLBvout2s:FKERFTYi2s6Kl+DbOdDvM35LxoS2

Score
7/10
persistenceupx

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7f6cbbe68d2d92b0721408708c37dd5.exe
    "C:\Users\Admin\AppData\Local\Temp\b7f6cbbe68d2d92b0721408708c37dd5.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAKhg.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "run32.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2608
    • C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe
      "C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe
        C:\Users\Admin\AppData\Roaming\Adobee\Protect.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BAKhg.bat
    Filesize

    143B

    MD5

    a18a2abad17b668162699428d77107b8

    SHA1

    153bafd32584d527e7be1233203adc6bff2658a0

    SHA256

    d0c4c5b6a90a9c986028d946c11321b250773da41e64a63f16fa94652e3f3b5f

    SHA512

    f8f26a185b0735c0f0859a8eb03d35a0313062efb080d83569b7620a445be2318c0e594a539719bf88a3ec3417f0d1954137620c2fd83bf9214b89fca8126556

    Download Submit

  • \Users\Admin\AppData\Roaming\Adobee\Protect.exe
    Filesize

    126KB

    MD5

    b7f6cbbe68d2d92b0721408708c37dd5

    SHA1

    9ce99e33a1a4e161bb2b6fb99003f79d9778fc59

    SHA256

    529365d7e6520ef2d812fc361a135d910d639a6468d0203fcddf6e0819661832

    SHA512

    a9aec2fe83a9ef871cc3b94ce53c9ec52e1df736847cb4a0f0ecdea36a2d28a637ceb124a812f081ffeac8607e9263312ae203cd2f5a36101f819a93f673f360

    Download Submit

  • memory/932-0-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/932-34-0x0000000003010000-0x0000000003152000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/932-36-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2544-42-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2544-46-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2544-48-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2544-51-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2544-56-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2656-37-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2656-44-0x0000000000400000-0x0000000000542000-memory.dmp

    Filesize

    1.3MB

    Download