Analysis

  • max time kernel
    146s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/03/2024, 07:48 UTC

General

  • Target

    Keygen.exe

  • Size

    20KB

  • MD5

    bda654eb40ad8f5eb14bf3b931a71270

  • SHA1

    202fa0ac769e7dfde7861584237127d4108ea3c0

  • SHA256

    291550e0bbf532a0cc0c5bfea5e6f24c084372ef52a02be09deac769d5cb7297

  • SHA512

    f603227def1e86bcf7cb4f2b285617836f652646dc06e18cf007fb4a327c5d19ffff132b68b27dab8567bedbfbd546c3993c005c674c5a28157cdb7c79a1b045

  • SSDEEP

    384:WU45yYGoUmCt0SFI0EU8wl35KO/tFdR1FpyqgJn28:Wr8oPCRF58wl35KO/tFdR1KZJn9

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 3 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    PID:2656
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Process spawned unexpected child process
      • Deletes itself
      • Loads dropped DLL
      PID:2420

Network

  • DNS request (US)
    Domain: exfacebooks.com
    Process: svchost.exe
    Remote address: 8.8.8.8:53
    Request: exfacebooks.com IN A
    Response: No results found
  • 8.8.8.8:53
    Domain: exfacebooks.com
    Protocol: dns
    Process: svchost.exe
    61 B / 134 B / 1 / 1

    DNS Request

    exfacebooks.com

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\7B19.tmp

    Filesize

    21KB

    MD5

    02940c74780ec9acf42351982efeb65a

    SHA1

    27546acf0a8e4b00ba2caa4e386c994d0d0e57f6

    SHA256

    bb93dc2435c167434ed6b5458f2dd5360d498198968dce995d4f4696bf74bc2a

    SHA512

    ec7b63f5732df051598c6d7c62c16412ce41c5586651a55ca406f0d2e63fe487dbd54cfba125b8510373c5e9952acabe644f86006ba8f42ea42a101dfe2d6061

  • memory/2420-17-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2420-23-0x0000000010000000-0x000000001000C000-memory.dmp

    Filesize

    48KB

  • memory/2656-22-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2960-3-0x000000002F8F1000-0x000000002F8F2000-memory.dmp

    Filesize

    4KB

  • memory/2960-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2960-5-0x00000000712DD000-0x00000000712E8000-memory.dmp

    Filesize

    44KB

  • memory/2960-11-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/2960-14-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/2960-18-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2960-19-0x00000000712DD000-0x00000000712E8000-memory.dmp

    Filesize

    44KB
