Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09/03/2024, 17:02

General

  • Target

    bc565ee9911ae05c2193e75bda324bb8.exe

  • Size

    21KB

  • MD5

    bc565ee9911ae05c2193e75bda324bb8

  • SHA1

    44d1d8d6d1aa950f1b9a86d96cbab845af946fbc

  • SHA256

    f7f1f72bb19aab74e3f84b1c9cf1948838ea82b1e83a4e0c428a7642e0297dba

  • SHA512

    25a2388ae83bb5c33ce3468f9346e585c6cddff8b54d36afa0944e049b5f913d27d7027035f80d2e42555489cdc0754c61ca3fd8abe26c8d434866ebff2c8041

  • SSDEEP

    384:tQeC1XxcmEPX2UNUcHHynyrS7drJaKiw80sOrMgW5KNB/rj:mNhcmK28SnyGXaKtXeI

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (1 IoC)
  • Modifies registry class (10 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc565ee9911ae05c2193e75bda324bb8.exe
    "C:\Users\Admin\AppData\Local\Temp\bc565ee9911ae05c2193e75bda324bb8.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ZhuDongFangyu.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 1 && del "C:\Users\Admin\AppData\Local\Temp\bc565ee9911ae05c2193e75bda324bb8.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        3⤵
        • Runs ping.exe
        PID:4716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1544-0-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1544-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

    Filesize

    8KB

  • memory/1544-4-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB