Resubmissions

28/03/2024, 15:06 UTC

240328-sgx9sshb9x 10

28/03/2024, 14:55 UTC

240328-sar47sha3x 10

Analysis

  • max time kernel
    49s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2024, 15:06 UTC

General

  • Target

    f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe

  • Size

    15KB

  • MD5

    aedb1ad5304921ac3883570ebb647a29

  • SHA1

    eb91ca0baf1e7be6b538871714c727232a981acf

  • SHA256

    f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712

  • SHA512

    6bbe14d668223b1b43e4ce9f7a75eb5892a2cd917b9e725edfda490113860a2ba8971cdbdef33e60a473fd0f831af1812ee6c4671f64be2c45958fa68fe4e88c

  • SSDEEP

    384:nl+IiU+Xh2GFstXnzVmzN/Gv2utvWmIptYcFwVc03K:ox2GGtpG6NfctYcFwVc6K

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Drops file in System32 directory (1 IoC)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe (PID 2928)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe"
    • Modifies WinLogon for persistence
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
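The two registry behaviours flagged above (Winlogon modification for persistence, wallpaper set via the registry) are what a detection engineer would want to catch on a real host. The block below is an added example, not code from the tria.ge report or from the sample: it runs that check over constructed registry-write events. The event layout (pid, image, key, value, data) is an assumption modelled on Sysmon Event ID 13; the stock Winlogon values are Windows defaults; the event data (the Shell value written, the wallpaper file name, the benign explorer.exe and msiexec.exe writes) is constructed, since the report does not show what the sample actually wrote.

```python
"""Added example, not part of the tria.ge report or of the sample: detection
logic for "Modifies WinLogon for persistence" and "Sets desktop wallpaper
using registry", run over constructed registry-write events. The event layout
(pid, image, key, value, data) is an assumption modelled on Sysmon Event ID 13."""
import re

# Stock values of the two Winlogon entries malware edits to run at logon.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
# Sysmon logs per-user keys as HKU\<SID>\...; they are collapsed to HKCU below.
WALLPAPER_KEY = r"HKCU\Control Panel\Desktop"
WALLPAPER_VALUES = {"wallpaper", "wallpaperstyle", "tilewallpaper"}
# Images for which a wallpaper change is ordinary user activity (assumption).
WALLPAPER_BENIGN_IMAGES = ("\\explorer.exe", "\\systemsettings.exe", "\\rundll32.exe")

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe"


def _norm(s):
    return s.strip().lower()


def _collapse_user_hive(key):
    return re.sub(r"^HKU\\S-1-5-21-[\d-]+", "HKCU", key, flags=re.I)


def check_event(ev):
    """Return a finding for one registry-write event, or None if it looks benign."""
    key = _norm(_collapse_user_hive(ev["key"]))
    value, data, image = ev["value"], ev.get("data", ""), ev["image"]
    if key == _norm(WINLOGON_KEY) and value in WINLOGON_DEFAULTS:
        # Any deviation from the stock value (an executable appended, the binary
        # replaced) means something else runs at every logon.
        if _norm(data) != _norm(WINLOGON_DEFAULTS[value]):
            return {"pid": ev["pid"], "image": image,
                    "technique": "winlogon_persistence", "value": value, "data": data}
    if key == _norm(WALLPAPER_KEY) and value.lower() in WALLPAPER_VALUES:
        # A wallpaper swap by an unknown binary is the ransom-note pattern.
        if not _norm(image).endswith(WALLPAPER_BENIGN_IMAGES):
            return {"pid": ev["pid"], "image": image,
                    "technique": "wallpaper_set", "value": value, "data": data}
    return None


def scan(events):
    """All findings across a list of events, in input order."""
    return [f for f in map(check_event, events) if f]


# Constructed events: the report does not show the values the sample wrote.
SAMPLE_EVENTS = [
    {"pid": 2928, "image": SAMPLE_EXE, "key": WINLOGON_KEY,
     "value": "Shell", "data": "explorer.exe, " + SAMPLE_EXE},
    {"pid": 2928, "image": SAMPLE_EXE,
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Control Panel\Desktop",
     "value": "Wallpaper", "data": r"C:\Users\Admin\AppData\Local\Temp\note.bmp"},
    {"pid": 1504, "image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Control Panel\Desktop",
     "value": "Wallpaper", "data": r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"},
    {"pid": 900, "image": r"C:\Windows\System32\msiexec.exe", "key": WINLOGON_KEY,
     "value": "Userinit", "data": r"C:\Windows\system32\userinit.exe,"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the two writes by PID 2928 come back as findings; the explorer.exe wallpaper change and a Userinit write that restores the stock value are ignored. Comparing against the stock value rather than against a blocklist is deliberate: it also catches a replaced Shell or Userinit, not just an appended one.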

Network

  • DNS (US)
    eu-west-1.ufile.io
    f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe
    Remote address:
    8.8.8.8:53
    Request
    eu-west-1.ufile.io
    IN A
    Response
    eu-west-1.ufile.io
    IN A
    172.67.155.81
    eu-west-1.ufile.io
    IN A
    104.21.66.22
  • GET (US)
    https://eu-west-1.ufile.io/get/f4hiv1pj?token=ZjExOGJlZmQ2NTc2OTRkYWE1YzljZWIxMWNmZThhOTBjMDNjYzg3MWEzN2FlZGE3NzZmODcwNjY1OGMxNjNkYTZkYzI1MGU2Mjk0NmE4NDQzY2ZkYzg3MTQ2NjgwZjc5YmMwYzM1MDNmYjllNWI5ZjU4MzlmMzZhY2UwYTZmYWNSSUoxWGRMajJGZmVQdlpKM05NZFliMUV0MDVjQ0FpOHd5bW9GYkdxdms2RGVqZk1Xci85SFpnU3BzRyt5M3MreEYzakNPb0o5Q2RnbXMxT0xoT2xiUkI2OFZHT3p0bE1FcXo4U0J1Ti9ua2lGRmhsNmlRV3RZTzkycGFpc3dXS2M0NFUvTzBaTGdwWDBlTWxWaHlrZS9tQmZoMDZQWmRjUTk3NjNYS2FJQzJqV21NcHFvRHNYQ25Wcnhka3ppbVV1dWZkTjFLdlp2aXI1TmYzRWJWZUZiTzB6cnducUFCZ1NxbEZyQWFqKytBPQ==
    f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe
    Remote address:
    172.67.155.81:443
    Request
    GET /get/f4hiv1pj?token=ZjExOGJlZmQ2NTc2OTRkYWE1YzljZWIxMWNmZThhOTBjMDNjYzg3MWEzN2FlZGE3NzZmODcwNjY1OGMxNjNkYTZkYzI1MGU2Mjk0NmE4NDQzY2ZkYzg3MTQ2NjgwZjc5YmMwYzM1MDNmYjllNWI5ZjU4MzlmMzZhY2UwYTZmYWNSSUoxWGRMajJGZmVQdlpKM05NZFliMUV0MDVjQ0FpOHd5bW9GYkdxdms2RGVqZk1Xci85SFpnU3BzRyt5M3MreEYzakNPb0o5Q2RnbXMxT0xoT2xiUkI2OFZHT3p0bE1FcXo4U0J1Ti9ua2lGRmhsNmlRV3RZTzkycGFpc3dXS2M0NFUvTzBaTGdwWDBlTWxWaHlrZS9tQmZoMDZQWmRjUTk3NjNYS2FJQzJqV21NcHFvRHNYQ25Wcnhka3ppbVV1dWZkTjFLdlp2aXI1TmYzRWJWZUZiTzB6cnducUFCZ1NxbEZyQWFqKytBPQ== HTTP/1.1
    Host: eu-west-1.ufile.io
    Connection: Keep-Alive
    Response
    HTTP/1.1 403 Forbidden
    Date: Thu, 28 Mar 2024 15:06:42 GMT
    Content-Type: application/json; charset=UTF-8
    Content-Length: 72
    Connection: keep-alive
    Set-Cookie: csrf_cookie_name=0bc9a639d4ad055c60626b6fcc733c53; expires=Thu, 28-Mar-2024 21:06:42 GMT; Max-Age=21600; path=/; domain=ufile.io
    Accept-Ranges: bytes
    Allow: GET, HEAD, OPTIONS
    X-Frame-Options: SAMEORIGIN
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rgLNTDrX2pdGj%2FGL4tdYCYqTV5i3RtVm2fL3%2Fewsvfd4k%2Brc0cOLiJnwORYrTN%2Fd%2FqRCsiNRvyDUUj8z9n5I1U26JI8%2Ff5aGB6PRV8qxl%2FTqLcNHf9xhmYZhgHJbEV%2Bnjz%2FLhw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 86b8868dafc863c2-LHR
    alt-svc: h3=":443"; ma=86400
  • 172.67.155.81:443
    URL: https://eu-west-1.ufile.io/get/f4hiv1pj?token=ZjExOGJlZmQ2NTc2OTRkYWE1YzljZWIxMWNmZThhOTBjMDNjYzg3MWEzN2FlZGE3NzZmODcwNjY1OGMxNjNkYTZkYzI1MGU2Mjk0NmE4NDQzY2ZkYzg3MTQ2NjgwZjc5YmMwYzM1MDNmYjllNWI5ZjU4MzlmMzZhY2UwYTZmYWNSSUoxWGRMajJGZmVQdlpKM05NZFliMUV0MDVjQ0FpOHd5bW9GYkdxdms2RGVqZk1Xci85SFpnU3BzRyt5M3MreEYzakNPb0o5Q2RnbXMxT0xoT2xiUkI2OFZHT3p0bE1FcXo4U0J1Ti9ua2lGRmhsNmlRV3RZTzkycGFpc3dXS2M0NFUvTzBaTGdwWDBlTWxWaHlrZS9tQmZoMDZQWmRjUTk3NjNYS2FJQzJqV21NcHFvRHNYQ25Wcnhka3ppbVV1dWZkTjFLdlp2aXI1TmYzRWJWZUZiTzB6cnducUFCZ1NxbEZyQWFqKytBPQ==
    Protocols: tls, http
    Process: f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe
    Bytes sent / received: 1.4kB / 4.1kB
    Packets sent / received: 10 / 9

    HTTP Request

    GET https://eu-west-1.ufile.io/get/f4hiv1pj?token=ZjExOGJlZmQ2NTc2OTRkYWE1YzljZWIxMWNmZThhOTBjMDNjYzg3MWEzN2FlZGE3NzZmODcwNjY1OGMxNjNkYTZkYzI1MGU2Mjk0NmE4NDQzY2ZkYzg3MTQ2NjgwZjc5YmMwYzM1MDNmYjllNWI5ZjU4MzlmMzZhY2UwYTZmYWNSSUoxWGRMajJGZmVQdlpKM05NZFliMUV0MDVjQ0FpOHd5bW9GYkdxdms2RGVqZk1Xci85SFpnU3BzRyt5M3MreEYzakNPb0o5Q2RnbXMxT0xoT2xiUkI2OFZHT3p0bE1FcXo4U0J1Ti9ua2lGRmhsNmlRV3RZTzkycGFpc3dXS2M0NFUvTzBaTGdwWDBlTWxWaHlrZS9tQmZoMDZQWmRjUTk3NjNYS2FJQzJqV21NcHFvRHNYQ25Wcnhka3ppbVV1dWZkTjFLdlp2aXI1TmYzRWJWZUZiTzB6cnducUFCZ1NxbEZyQWFqKytBPQ==

    HTTP Response

    403
  • 8.8.8.8:53
    Name: eu-west-1.ufile.io
    Protocol: dns
    Process: f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe
    Bytes sent / received: 64 B / 96 B
    Packets sent / received: 1 / 1

    DNS Request

    eu-west-1.ufile.io

    DNS Response

    172.67.155.81
    104.21.66.22
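Two things a practitioner should take from the network section. First, the GET to eu-west-1.ufile.io returned 403, so whatever the sample was trying to fetch never reached the sandbox; the host behaviours recorded above are those of the 15KB file alone, and a run where the download succeeds may look different. Second, the two resolved addresses are Cloudflare edge IPs (the response carries "Server: cloudflare"), shared with many unrelated sites, so they are weak indicators on their own; the domain and the URL path are the ones worth matching on. The block below is an added example, not code from the tria.ge report or from the sample, that applies that weighting to DNS and HTTP log lines. The space-separated log format is an assumption made for the example, and the log lines are constructed; the indicators themselves are the ones listed in the report.

```python
"""Added example, not part of the tria.ge report: match the report's network
indicators against DNS/HTTP log lines. The one-record-per-line, space-separated
log format is an assumption made for this example; the lines are constructed."""
from urllib.parse import urlsplit

# Indicators from the report.
IOC_DOMAINS = {"eu-west-1.ufile.io"}
IOC_URL_PATHS = {"/get/f4hiv1pj"}   # the ?token= query is per-download and is not matched on
# Resolved addresses from the report. The response carried "Server: cloudflare",
# so these are Cloudflare edge addresses shared with unrelated sites: an IP hit
# on its own is weak and only corroborates a domain or path hit.
IOC_IPS = {"172.67.155.81", "104.21.66.22"}


def match_line(line):
    """Classify one log line as ('strong', why), ('weak', why) or None."""
    f = line.split()
    if len(f) < 7:
        return None
    if f[1] == "dns":                       # ts kind src dst qname qtype answers
        qname, answers = f[4].lower(), set(f[6].split(","))
        if qname in IOC_DOMAINS:
            return ("strong", f"DNS query for {qname}")
        if answers & IOC_IPS:
            return ("weak", f"{qname} resolved into the IOC IP set (shared edge)")
    elif f[1] == "http" and len(f) >= 8:    # ts kind src dst method host path status
        dst, method, host, path, status = f[3], f[4], f[5].lower(), f[6], f[7]
        clean_path = urlsplit(path).path
        if host in IOC_DOMAINS or clean_path in IOC_URL_PATHS:
            return ("strong", f"HTTP {method} {host}{clean_path} -> {status}")
        if dst in IOC_IPS:
            return ("weak", f"HTTP to IOC IP {dst} but Host is {host} (shared edge)")
    return None


def scan(log_text):
    """Return (line_number, level, reason) for every matching line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = match_line(line)
        if m:
            hits.append((n, m[0], m[1]))
    return hits


# Constructed log: the first two lines mirror the report's DNS lookup and the
# 403'd GET; the third is an unrelated site behind the same Cloudflare address.
SAMPLE_LOG = """\
2024-03-28T15:06:40Z dns 10.0.0.5 8.8.8.8 eu-west-1.ufile.io A 172.67.155.81,104.21.66.22
2024-03-28T15:06:42Z http 10.0.0.5 172.67.155.81 GET eu-west-1.ufile.io /get/f4hiv1pj?token=REDACTED 403
2024-03-28T15:07:02Z http 10.0.0.7 104.21.66.22 GET shop.example.net /index.html 200
2024-03-28T15:07:10Z dns 10.0.0.7 8.8.8.8 www.example.com A 93.184.216.34
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The third line is reported as a weak hit only because its destination address is shared Cloudflare infrastructure; blocking or alerting on 172.67.155.81 or 104.21.66.22 outright would hit that unrelated site too. The token value is deliberately excluded from the match: it is a per-download parameter and a fresh copy of the sample would carry a different one.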

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Tar28EB.tmp

    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • memory/2928-0-0x0000000000E90000-0x0000000000E9A000-memory.dmp

    Filesize

    40KB

  • memory/2928-1-0x0000000074A50000-0x000000007513E000-memory.dmp

    Filesize

    6.9MB

  • memory/2928-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

    Filesize

    256KB

  • memory/2928-40-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

    Filesize

    256KB

  • memory/2928-41-0x0000000074A50000-0x000000007513E000-memory.dmp

    Filesize

    6.9MB
