Analysis

  • max time kernel
    141s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/03/2024, 21:51

General

  • Target

    699ac3f056174e985ee6aec449b70a5a74404634a2e89ece1ca05f521b26ae32.exe

  • Size

    101KB

  • MD5

    fcd2254dfdee293482a1205d0b58fff8

  • SHA1

    3291f93f56d3511e72226348dd33d586260c2803

  • SHA256

    699ac3f056174e985ee6aec449b70a5a74404634a2e89ece1ca05f521b26ae32

  • SHA512

    9faad7b77ce15d7a11475de03dc3855e9aad0c7aff55030e66aa7aa56c4270153f43be3647e4d17bf459a24efb4e9e034c5e85670557ea6aedec1f2cd07cf12e

  • SSDEEP

    1536:0GYU/W2FHG6jMauSV3ixJHABLrmhH7i9CO+WHg7zRZICrWaGZh7o:0fU/Wr6jMauSuiWNi9CO+WARJrWNZW

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\699ac3f056174e985ee6aec449b70a5a74404634a2e89ece1ca05f521b26ae32.exe
    "C:\Users\Admin\AppData\Local\Temp\699ac3f056174e985ee6aec449b70a5a74404634a2e89ece1ca05f521b26ae32.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\ProgramData\Update\wuauclt.exe
      "C:\ProgramData\Update\wuauclt.exe" /run
      2⤵
      • Executes dropped EXE
      PID:1056
    • C:\windows\SysWOW64\cmd.exe
      "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\699ac3f056174e985ee6aec449b70a5a74404634a2e89ece1ca05f521b26ae32.exe" >> NUL
      2⤵
      PID:4076
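The process tree above shows three hunt-worthy behaviours in one chain: a binary named wuauclt.exe (the Windows Update client, which legitimately lives in System32) executing from C:\ProgramData\Update, a cmd.exe child that deletes the parent's own image, and a command line that asks for C:\windows\system32\cmd.exe but resolves to C:\windows\SysWOW64\cmd.exe, which is file-system redirection for a 32-bit caller and matches the arch:x86 tag. The script below is an added example, not tria.ge's own detection logic; it runs those three checks over process-creation events constructed from the tree. The parent PID 1000 of the sample and the benign System32 wuauclt.exe control event are assumptions added for illustration.

```python
"""Hunt rules over Sysmon-style process-creation events modelled on the tria.ge tree above."""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\699ac3f056174e985ee6aec449b70a5a74404634a2e89ece1ca05f521b26ae32.exe")

# Constructed events (not the page's raw telemetry): one per process in the tree, plus a
# benign control. ppid 1000 for the initial sample is an assumption.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 2516, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1056, "ppid": 2516, "image": r"C:\ProgramData\Update\wuauclt.exe",
     "cmdline": r'"C:\ProgramData\Update\wuauclt.exe" /run'},
    {"pid": 4076, "ppid": 2516, "image": r"C:\windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\windows\\system32\\cmd.exe" /c del /q "{SAMPLE}" >> NUL'},
    # Constructed benign control: the real Windows Update client from System32.
    {"pid": 3300, "ppid": 1000, "image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'"C:\Windows\System32\wuauclt.exe"'},
]

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Names that only belong in the system directories; extend with svchost.exe, lsass.exe, etc.
SYSTEM_BINARY_NAMES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe"}


def norm(path: str) -> str:
    """Normalise a Windows path for comparison (works on any host via ntpath)."""
    return ntpath.normpath(path).lower()


def first_token(cmdline: str) -> str:
    """Executable token of a Windows command line, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def masquerades_as_system_binary(image: str) -> bool:
    """A system binary name executing from outside System32/SysWOW64 (T1036-style masquerading)."""
    directory, name = ntpath.split(norm(image))
    return name in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS


def runs_from_programdata(image: str) -> bool:
    """Executables launched from C:\\ProgramData are a common drop location for 'dropped EXE'."""
    return norm(image).startswith("c:\\programdata\\")


def is_self_delete(event: Dict, parent: Optional[Dict]) -> bool:
    """cmd.exe child whose command line deletes the parent's own image (anti-forensics)."""
    if parent is None or ntpath.basename(norm(event["image"])) != "cmd.exe":
        return False
    cl = event["cmdline"].lower()
    return bool(re.search(r"\bdel\b", cl)) and norm(parent["image"]) in cl


def wow64_redirected(event: Dict) -> bool:
    """Command line names System32 but the image resolved under SysWOW64: the creator is 32-bit."""
    requested = norm(first_token(event["cmdline"]))
    actual = norm(event["image"])
    return "\\system32\\" in requested and "\\syswow64\\" in actual


def analyze(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings; parents are resolved by ppid within the same event batch."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if masquerades_as_system_binary(e["image"]):
            findings.append((e["pid"], "masquerading_system_binary"))
        if runs_from_programdata(e["image"]):
            findings.append((e["pid"], "exec_from_programdata"))
        if is_self_delete(e, parent):
            findings.append((e["pid"], "self_delete_via_cmd"))
            findings.append((parent["pid"], "deleted_own_image"))
        if wow64_redirected(e):
            findings.append((e["pid"], "wow64_fs_redirection"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

Feeding real Sysmon Event ID 1 records only requires mapping ProcessId, ParentProcessId, Image and CommandLine onto the four keys; the parent lookup is batch-local, so stream events in creation order or pre-load the parent set. The self-delete rule keys on the parent's image path appearing in a `del` command line, so it does not fire on ordinary cleanup of unrelated files.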

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Update\wuauclt.exe

      Filesize

      101KB

      MD5

      9cc1799252ffdc7b6785c16167eeb637

      SHA1

      56a5bba51d7c1dd7d1bcfa6d8f296b9f9f3af094

      SHA256

      e8328678e66fbbf0d2b9332d309ad6bef6543fc965a2780d981a9dbb00f9085b

      SHA512

      a399cdfea2349160a215f83c34bc52560a96df92aa7a35dece3b43e4296728cc67a69ff1cadf8f96350c606ce53bd8e2a4618922da859b72fc34ceebc5a3784e

    • memory/1056-4-0x0000000001000000-0x000000000101F000-memory.dmp

      Filesize

      124KB

    • memory/1056-7-0x0000000001000000-0x000000000101F000-memory.dmp

      Filesize

      124KB

    • memory/2516-0-0x0000000000390000-0x00000000003AF000-memory.dmp

      Filesize

      124KB

    • memory/2516-6-0x0000000000390000-0x00000000003AF000-memory.dmp

      Filesize

      124KB

    • memory/2516-8-0x0000000000390000-0x00000000003AF000-memory.dmp

      Filesize

      124KB