Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

d72ba55fc0...55.exe

windows7-x64

7

d72ba55fc0...55.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    162s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2024, 21:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d72ba55fc0f07ff4a4001882f6f11055.exe

  • Size

    396KB

  • MD5

    d72ba55fc0f07ff4a4001882f6f11055

  • SHA1

    0d032050b31a0af609ede416c90835535ed20c58

  • SHA256

    25b56e20140ba453bf312ec991dbb600a129d4e5365e281d1bea1f4daf93db6e

  • SHA512

    9b3b94216eb1c9c7ea70bb340f3c215ee5bc66664edacc6943dbe671b024b9e8756d0e4b00d1616687096e7809dd8e66d1b3e1aa81435f3a8b5c531bc35bac61

  • SSDEEP

    6144:c9qHIu7hC2KMSrohHllJaYVzZNj/PwXYyp+jPsbg4n+LIctq9:/HIuhHKLERllJJzvj/YYyo2+cx

Score
7/10
persistenceupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d72ba55fc0f07ff4a4001882f6f11055.exe
    "C:\Users\Admin\AppData\Local\Temp\d72ba55fc0f07ff4a4001882f6f11055.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 480
      2⤵
      • Program crash
      PID:2248
    • C:\ProgramData\iG01803BhFhO01803\iG01803BhFhO01803.exe
      "C:\ProgramData\iG01803BhFhO01803\iG01803BhFhO01803.exe" "C:\Users\Admin\AppData\Local\Temp\d72ba55fc0f07ff4a4001882f6f11055.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4112
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 668
        3⤵
        • Program crash
        PID:4476
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 772 -ip 772
    1⤵
      PID:3516
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4112 -ip 4112
      1⤵
        PID:1128
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4572

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\iG01803BhFhO01803\iG01803BhFhO01803.exe
          Filesize

          396KB

          MD5

          06805db6fca7f17d77e8e9cfe66e9534

          SHA1

          0cb36ececbb8394d2548732635896e94d89fec6e

          SHA256

          b6dc8af3bfffed8c81c2b9c502af59174e8ae0a6d2ef562d1a59561b32943476

          SHA512

          75070bf5e6687c717a85952d503666995ab88101c5439adebdd664c7e4f7fb72db81c4bca502dbba088dae0d61ad726ce63a1bd91e79fd29b8cf41ba2f4d757d

          Download Submit

        • memory/772-0-0x0000000000770000-0x0000000000772000-memory.dmp

          Filesize

          8KB

          Download

        • memory/772-3-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/772-13-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/4112-19-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/4112-22-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/4112-29-0x0000000000400000-0x00000000004F0000-memory.dmp

          Filesize

          960KB

          Download