Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

c2e96de70e...b8.exe

windows7-x64

6

c2e96de70e...b8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    1s
  • max time network
    0s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    12/03/2024, 08:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2e96de70e518631646a16154cd2dab8.exe

  • Size

    80KB

  • MD5

    c2e96de70e518631646a16154cd2dab8

  • SHA1

    899de7a75187996ecc2e1cbe58c38c010dd57692

  • SHA256

    cab376dba17f99ab31a0eda48dc13c278d356b21a47cffb5dbfaa6856ad65b34

  • SHA512

    76b99bce1475eee6410a567f1376feb814f0e2f1cf16b4dc479562ec1a1e17f692a4c0c8d09298346741d78cdec5452640f898cbb6ddb749dab4fb4ed066be2c

  • SSDEEP

    768:cDI8ys6q0TMm1zJHZ+GaBb2Vxit/vqJevfoJ6DVSLKvomVWdXW7X4sn:cDk1zH3cHBb2VxUcpKVSLChVWdXi

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe
    "C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe
      "C:\Users\Admin\AppData\Local\Temp\c2e96de70e518631646a16154cd2dab8.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      PID:2856
      • C:\Windows\SysWOW64\v6msn.exe
        "C:\Windows\system32\v6msn.exe"
        3⤵
          PID:2716
          • C:\Windows\SysWOW64\v6msn.exe
            "C:\Windows\SysWOW64\v6msn.exe"
            4⤵
              PID:2512
              • C:\Windows\SysWOW64\v6msn.exe
                "C:\Windows\system32\v6msn.exe"
                5⤵
                  PID:776
                  • C:\Windows\SysWOW64\v6msn.exe
                    "C:\Windows\SysWOW64\v6msn.exe"
                    6⤵
                      PID:2316
                      • C:\Windows\SysWOW64\v6msn.exe
                        "C:\Windows\system32\v6msn.exe"
                        7⤵
                          PID:2436
                    • C:\Windows\SysWOW64\CMD.exe
                      CMD /C del /F /S /Q *.zip
                      5⤵
                        PID:2312
                      • C:\Windows\SysWOW64\CMD.exe
                        CMD /C del /F /S /Q *.com
                        5⤵
                          PID:2300
                        • C:\Windows\SysWOW64\CMD.exe
                          CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
                          5⤵
                            PID:2192
                          • C:\Windows\SysWOW64\CMD.exe
                            CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
                            5⤵
                              PID:1692
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\v6msn.exe > nul
                              5⤵
                                PID:2964
                          • C:\Windows\SysWOW64\CMD.exe
                            CMD /C del /F /S /Q *.zip
                            3⤵
                              PID:2696
                            • C:\Windows\SysWOW64\CMD.exe
                              CMD /C del /F /S /Q *.com
                              3⤵
                                PID:2420
                              • C:\Windows\SysWOW64\CMD.exe
                                CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
                                3⤵
                                  PID:2804
                                • C:\Windows\SysWOW64\CMD.exe
                                  CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
                                  3⤵
                                    PID:2532
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C2E96D~1.EXE > nul
                                    3⤵
                                      PID:2568

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Windows\SysWOW64\v6msn.exe
                                  Filesize

                                  80KB

                                  MD5

                                  c2e96de70e518631646a16154cd2dab8

                                  SHA1

                                  899de7a75187996ecc2e1cbe58c38c010dd57692

                                  SHA256

                                  cab376dba17f99ab31a0eda48dc13c278d356b21a47cffb5dbfaa6856ad65b34

                                  SHA512

                                  76b99bce1475eee6410a567f1376feb814f0e2f1cf16b4dc479562ec1a1e17f692a4c0c8d09298346741d78cdec5452640f898cbb6ddb749dab4fb4ed066be2c

                                  Download Submit

                                • C:\Windows\system32\drivers\etc\hosts
                                  Filesize

                                  3KB

                                  MD5

                                  a3ba37f0afdc1fd9a69f4f44cdbc26e1

                                  SHA1

                                  5d667022420623974407a1157933b08c52e72d2c

                                  SHA256

                                  6d63d07049c5eeae2802b8fd9f4294e8a4620643dca5e6c4dbe1d0c09e60a4c5

                                  SHA512

                                  edf6413cf88bb1b5e7e5e04cc1f786ab934f41a18abd85dc77456f282be83f828559e09727f2b97fa2a50c46c95190b610c2cf28db24bdd7112d71a4a33826e8

                                  Download Submit

                                • memory/776-62-0x0000000000400000-0x000000000043C000-memory.dmp

                                  Filesize

                                  240KB

                                  Download

                                • memory/776-83-0x0000000000400000-0x000000000043C000-memory.dmp

                                  Filesize

                                  240KB

                                  Download

                                • memory/1640-18-0x0000000000400000-0x000000000043C000-memory.dmp

                                  Filesize

                                  240KB

                                  Download

                                • memory/1640-0-0x0000000000400000-0x000000000043C000-memory.dmp

                                  Filesize

                                  240KB

                                  Download

                                • memory/2512-60-0x00000000030E0000-0x000000000311C000-memory.dmp

                                  Filesize

                                  240KB

                                  Download

                                • memory/2716-41-0x0000000000240000-0x000000000027C000-memory.dmp

                                  Filesize

                                  240KB

                                  Download

                                • memory/2716-35-0x0000000000400000-0x000000000043C000-memory.dmp

                                  Filesize

                                  240KB

                                  Download

                                • memory/2716-56-0x0000000000400000-0x000000000043C000-memory.dmp

                                  Filesize

                                  240KB

                                  Download

                                • memory/2856-19-0x0000000000400000-0x000000000040D000-memory.dmp

                                  Filesize

                                  52KB

                                  Download

                                • memory/2856-5-0x0000000000400000-0x000000000040D000-memory.dmp

                                  Filesize

                                  52KB

                                  Download

                                • memory/2856-8-0x0000000000400000-0x000000000040D000-memory.dmp

                                  Filesize

                                  52KB

                                  Download

                                • memory/2856-30-0x0000000002F80000-0x0000000002FBC000-memory.dmp

                                  Filesize

                                  240KB

                                  Download

                                • memory/2856-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2856-14-0x0000000000400000-0x000000000040D000-memory.dmp

                                  Filesize

                                  52KB

                                  Download

                                • memory/2856-11-0x0000000000400000-0x000000000040D000-memory.dmp

                                  Filesize

                                  52KB

                                  Download

                                • memory/2856-3-0x0000000000400000-0x000000000040D000-memory.dmp

                                  Filesize

                                  52KB

                                  Download

                                • memory/2856-1-0x0000000000400000-0x000000000040D000-memory.dmp

                                  Filesize

                                  52KB

                                  Download