Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/03/2024, 16:40

General

  • Target

    e221652ba4c83a0d97e7b9e787b26a09.exe

  • Size

    443KB

  • MD5

    e221652ba4c83a0d97e7b9e787b26a09

  • SHA1

    bd7439c5f41736933d85c310280b6fea54d93781

  • SHA256

    08d04e7168869300fdd6d77c072d06fdc31ea5037d3ec929b205306809403e4b

  • SHA512

    137fb8c1070c781c8ff5ba02c8079aa73288c7e4a95e84bbcf8a20cbeac744bdde53453f495c863256c3218c6b2d7bc65fda5bad965c579f7ed7e11d2c627051

  • SSDEEP

    12288:dVV6fzF64n5ToGk8DUrvOt91UkHq0y93Z+5J4Qny:TVi/etXqrzHq04+5J4Qny

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e221652ba4c83a0d97e7b9e787b26a09.exe
    "C:\Users\Admin\AppData\Local\Temp\e221652ba4c83a0d97e7b9e787b26a09.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\ProgramData\iD01803CpCfI01803\iD01803CpCfI01803.exe
      "C:\ProgramData\iD01803CpCfI01803\iD01803CpCfI01803.exe" "C:\Users\Admin\AppData\Local\Temp\e221652ba4c83a0d97e7b9e787b26a09.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\iD01803CpCfI01803\iD01803CpCfI01803.exe

    Filesize

    443KB

    MD5

    f2e7cdc646c64dfba9da7ac7097d4d96

    SHA1

    c2db32d7414423efad615a999c2e877f54eec328

    SHA256

    7167e6dad3b21684e067ed9a224fd18de6753385aed334e141bfde2b80e8d08e

    SHA512

    a225ac77fb64dfa116dac1297cc92960c8d325fa0d20a192251f40ed1edeb752bb1c377e9d54e851bdc1d896261d0d769ac8d66c1f14a8371d04a92c554d4588

  • memory/444-16-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/444-17-0x0000000000740000-0x0000000000840000-memory.dmp

    Filesize

    1024KB

  • memory/444-25-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/444-27-0x0000000000740000-0x0000000000840000-memory.dmp

    Filesize

    1024KB

  • memory/444-33-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/3408-1-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/3408-2-0x00000000006D0000-0x00000000007D0000-memory.dmp

    Filesize

    1024KB

  • memory/3408-14-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB