Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

e18670ff63...d7.exe

windows7-x64

9

e18670ff63...d7.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2024, 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe

  • Size

    463KB

  • MD5

    c00715a783f0aa296a33c1178ecdfcbd

  • SHA1

    72cc6b1e4bd0f2a0dac76513738420173769e36c

  • SHA256

    e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7

  • SHA512

    9f342be3a9a061b4dc7370976619b9f10971a277659d9e24c06f2ce5949286b17d9a4e8576ad81d17623d38396918ad6014c19748b46e42b535c74b5f83fbb05

  • SSDEEP

    6144:2SPq0GvztB+u518QWyc/NFBjFKKJ5XLz0q9rdvOIO1Q1X1pvvCEm3NMsnCqO:hqPyuHWyYFBjbfLzjpvPMyfjkO

Score
9/10

Malware Config

Signatures

  • Detects executables (downlaoders) containing URLs to raw contents of a paste 3 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 4 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Views/modifies file attributes 1 TTPs 5 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe
    "C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc config Winmgmt start= demand
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\system32\sc.exe
        sc config Winmgmt start= demand
        3⤵
        • Launches sc.exe
        PID:2632
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\4511a201-eb1f-407b-81bf-dddac5a0ee63.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\system32\timeout.exe
        timeout /T 1
        3⤵
        • Delays execution with timeout.exe
        PID:2660
      • C:\Windows\system32\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe"
        3⤵
        • Views/modifies file attributes
        PID:2352
      • C:\Windows\system32\timeout.exe
        timeout /T 1
        3⤵
        • Delays execution with timeout.exe
        PID:2904
      • C:\Windows\system32\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe"
        3⤵
        • Views/modifies file attributes
        PID:1712
      • C:\Windows\system32\timeout.exe
        timeout /T 1
        3⤵
        • Delays execution with timeout.exe
        PID:2172
      • C:\Windows\system32\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe"
        3⤵
        • Views/modifies file attributes
        PID:952
      • C:\Windows\system32\timeout.exe
        timeout /T 1
        3⤵
        • Delays execution with timeout.exe
        PID:1556
      • C:\Windows\system32\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe"
        3⤵
        • Views/modifies file attributes
        PID:2164
      • C:\Windows\system32\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4511a201-eb1f-407b-81bf-dddac5a0ee63.bat"
        3⤵
        • Views/modifies file attributes
        PID:1524
    • C:\Users\Admin\AppData\Local\Temp\VjJlldytdLTQrrj.exe
      "C:\Users\Admin\AppData\Local\Temp\VjJlldytdLTQrrj.exe" 1
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc config Winmgmt start= demand
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Windows\system32\sc.exe
          sc config Winmgmt start= demand
          4⤵
          • Launches sc.exe
          PID:592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4511a201-eb1f-407b-81bf-dddac5a0ee63.bat
    Filesize

    1KB

    MD5

    e2380ce2392ba91d72810aacafcec0a3

    SHA1

    27952b102be2027108d0507719b6db11ca668045

    SHA256

    3cbdfd2784a39b2f51bbb47a86110f66e127534e2bcd56b75d30ff6cb7f8be5d

    SHA512

    378bcafb6f9177eadc56c482380d1e90c75cdc1f127b05f3cb53c5a76edcd077c976475055edc8b142061858d7570af4207862f66ae9716fcf929e40177e3733

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gamehelpers
    Filesize

    48B

    MD5

    135511555b9a87da895fb2e705a9ac0d

    SHA1

    21773c7ee2300da1a513f739a353f84252f9d3d1

    SHA256

    9a42cb2f8b76d6aa6abf61f4564f4e70bf2b2ce6f0f3869098d30fa7fe7250d8

    SHA512

    ac2528351fca9283dde4dfde2afdc894b85e9ec85b2c78e26558dd5995a4855ce5a2f745a709d0fdc0dc73e9d4fac5196e69f2d0b077567ea7215d85d5430fc7

    Download Submit

  • C:\Windows\system32\drivers\etc\hosts
    Filesize

    1023B

    MD5

    7cc9babf9adf5c2cd07bdabaa3472d6f

    SHA1

    250b4a1577ff7af4ff2bfe6c336bc6e6fe5c63bf

    SHA256

    4fe971365dec711ff93aa70ada171228ae76a78bcefcd81cc40c77f5e0797baa

    SHA512

    13777defa282354d7879c7a28603cdb9075235c8f4017ff31c53578846e927fa04f29f96093b2824f1528558c978630903e3bd19ef6cde63674d75a307c9150c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\VjJlldytdLTQrrj.exe
    Filesize

    467KB

    MD5

    cb534af4571a972c787a08699eb4fafa

    SHA1

    3c48ae6204016079d39f125d4fb9d689c57e094d

    SHA256

    7ec2657be9a11606ca658444bb9c0cd27fda23503b4e51771368239bccfad100

    SHA512

    f5961f9181a5013d4d401bd000e02d6b7023fc229c0e9c4f946d0c012ede49c063dae84c7f272373dd1bf4b0c95b79ecf286da0b95930c403a6ec29bcd66a787

    Download Submit

  • memory/2476-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2476-2-0x0000000000660000-0x0000000000661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2476-27-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2476-0-0x000000013FC30000-0x000000013FCE6000-memory.dmp

    Filesize

    728KB

    Download

  • memory/2476-3-0x000000001BC50000-0x000000001BCD0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2532-29-0x000000013F0D0000-0x000000013F186000-memory.dmp

    Filesize

    728KB

    Download

  • memory/2532-30-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2532-32-0x000000001C140000-0x000000001C1C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2532-37-0x000000001C140000-0x000000001C1C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2532-39-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2532-40-0x000000001C140000-0x000000001C1C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2532-41-0x000000001C140000-0x000000001C1C0000-memory.dmp

    Filesize

    512KB

    Download