Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

d3986eca41...92.exe

windows7-x64

8

d3986eca41...92.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18/03/2024, 13:11 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3986eca41353e9a5b098e2fc7cd1792.exe

  • Size

    11.1MB

  • MD5

    d3986eca41353e9a5b098e2fc7cd1792

  • SHA1

    ea72c60bb41f936bb0d1fa34f194767e9035905c

  • SHA256

    8ad6c99f0f5f63bf522293bb6fa4e83690a4b01c79a17de93efc703f491ef30d

  • SHA512

    41fbd6add52e002a82c1ebc99b8739f8b4fb82610307cffd5409f0821cac65a9013573ef489261109f801f33105bb9b80ae73809c2be57d657999fa17111dd97

  • SSDEEP

    196608:jjBxcO4jj4GD539YoUhjBxcO4jj4GD539YoMSU64sF:z2D53v62D53vMfCF

Score
8/10
persistenceupx

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • NTFS ADS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d3986eca41353e9a5b098e2fc7cd1792.exe
    "C:\Users\Admin\AppData\Local\Temp\d3986eca41353e9a5b098e2fc7cd1792.exe"
    1⤵
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 2980
      2⤵
      • Program crash
      PID:2528

Network

  • flag-us
    DNS
    www.crackedmindstechnologies.com
    d3986eca41353e9a5b098e2fc7cd1792.exe
    Remote address:
    8.8.8.8:53
    Request
    www.crackedmindstechnologies.com
    IN A
    Response
  • flag-us
    DNS
    Remote address:
    8.8.8.8:53
    Request
    IN MX
    Response
  • flag-us
    DNS
    Remote address:
    8.8.8.8:53
    Request
    IN MX
  • flag-us
    DNS
    Remote address:
    8.8.8.8:53
    Request
    IN MX
    Response
  • flag-us
    DNS
    fabrikam.com
    d3986eca41353e9a5b098e2fc7cd1792.exe
    Remote address:
    8.8.8.8:53
    Request
    fabrikam.com
    IN MX
    Response
    fabrikam.com
    IN MX
    mail�
  • flag-us
    DNS
    mail.fabrikam.com
    d3986eca41353e9a5b098e2fc7cd1792.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.fabrikam.com
    IN A
    Response
    mail.fabrikam.com
    IN A
    131.107.55.31
  • flag-us
    DNS
    mail.fabrikam.com
    d3986eca41353e9a5b098e2fc7cd1792.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.fabrikam.com
    IN A
  • flag-us
    DNS
    mail.fabrikam.com
    d3986eca41353e9a5b098e2fc7cd1792.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.fabrikam.com
    IN A
    Response
    mail.fabrikam.com
    IN A
    131.107.55.31
  • 131.107.55.31:25
    mail.fabrikam.com
    d3986eca41353e9a5b098e2fc7cd1792.exe
    152 B
     3
  • 8.8.8.8:53
    www.crackedmindstechnologies.com
    dns
    d3986eca41353e9a5b098e2fc7cd1792.exe
    78 B
     151 B
     1
    1

    DNS Request

    www.crackedmindstechnologies.com

  • 8.8.8.8:53
    dns
    92 B
     120 B
     2
    1

    DNS Request


    DNS Request


  • 8.8.8.8:53
    dns
    46 B
     120 B
     1
    1

    DNS Request


  • 8.8.8.8:53
    fabrikam.com
    dns
    d3986eca41353e9a5b098e2fc7cd1792.exe
    58 B
     79 B
     1
    1

    DNS Request

    fabrikam.com

  • 8.8.8.8:53
    mail.fabrikam.com
    dns
    d3986eca41353e9a5b098e2fc7cd1792.exe
    126 B
     79 B
     2
    1

    DNS Request

    mail.fabrikam.com

    DNS Request

    mail.fabrikam.com

    DNS Response

    131.107.55.31

  • 8.8.8.8:53
    mail.fabrikam.com
    dns
    d3986eca41353e9a5b098e2fc7cd1792.exe
    63 B
     79 B
     1
    1

    DNS Request

    mail.fabrikam.com

    DNS Response

    131.107.55.31

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
    Filesize

    4.2MB

    MD5

    86c397930fa2458a88ea3a3c71e36a45

    SHA1

    555afef18d9a8536411dd27df1eda5846ed6b725

    SHA256

    ae9f58ff9c0c1d31f3817be1ac47364d62c11ea8e22ba3b48b4dcfcce1d7090f

    SHA512

    fbbb469b32cd44fde800b955c946b8deea8796740d7f6e590cfae0e87335c00b54a6a4525474d5ba7aa67655f47f966587774a328ef86fb8a4832b4e26994b8b

    Download Submit

  • memory/2352-0-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2352-296-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.