Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/03/2024, 19:51 UTC

General

  • Target

    b9820bc23e280e0e7540533cba880fde.exe

  • Size

    24KB

  • MD5

    b9820bc23e280e0e7540533cba880fde

  • SHA1

    236800da956ff2038ec04e9c4a8f5d0012b94810

  • SHA256

    2cc1cab204525ebbc8fc9f26090aae680e914b3904e18c51237918726c9b63eb

  • SHA512

    8a90d1d2e33502d73df283c761659093b50921a71fe65f4e4b835cd36c3f4af411976c0236e3e39a46976e2a057460cab2591b84a766ee05e08d8b452fb21578

  • SSDEEP

    384:E3eVES+/xwGkRKJuxxlM61qmTTMVF9/q5O0:bGS+ZfbJuxxO8qYoAn

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9820bc23e280e0e7540533cba880fde.exe
    "C:\Users\Admin\AppData\Local\Temp\b9820bc23e280e0e7540533cba880fde.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c set
        3⤵
        PID:1636
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          3⤵
          • Gathers network information
          PID:2752
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2632
        • C:\Windows\SysWOW64\net.exe
          net start
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            4⤵
            PID:2084
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -an
          3⤵
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:2584

      Network

      • flag-us
        DNS
        www.kvic.jp
        b9820bc23e280e0e7540533cba880fde.exe
        Remote address:
        8.8.8.8:53
        Request
        www.kvic.jp
        IN A
        Response
      No results found
      • 8.8.8.8:53
        www.kvic.jp
        dns
        b9820bc23e280e0e7540533cba880fde.exe
        57 B
        107 B
        1
        1

        DNS Request

        www.kvic.jp

      MITRE ATT&CK Enterprise v15

      Downloads

      • \??\c:\windows\temp\flash.log

        Filesize

        8KB

        MD5

        e04ca483d9872650b9c038ebdc993c24

        SHA1

        9d7edda68b825616833e7a20499d5de2ad0c92d2

        SHA256

        22bc72c92c29362554b68ac476a6152fccb1a68fc6c28adf354cbf16d18d30e7

        SHA512

        bbf1148bacfbacc97242a2be410256b7ba02143cb18b7f58ba7088d20a2100205c81d9a20658bd89f091d645c5f3de047f54d0cb147af3f6c9075d759831ca3c
