Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/04/2024, 14:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.5MB

  • MD5

    6ee8535bb232fe000b49153b670a1803

  • SHA1

    f614e5e362ea0f85f8938e337591c210831db32f

  • SHA256

    c41c07c2d1e2fd62641eba007673cfcd56bdc30a4e608e43656805db673b151f

  • SHA512

    859a1e0a60075e13e9c84ab976758f78f1019aa5d8bda7137bd5efc92bf677e7c01d285087724d11f04bccbf707d490719abb52c22fa97c688a108b971ea54fd

  • SSDEEP

    49152:YImcWL9IPguCKmUIZ79ecM8Cmh2HL7dGfCybeiFkq4nF3SbYN2Y:YH9fF79bMbQExGf5eiFL4nF3Sbi

Score
7/10
spywarestealervmprotect

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        work.exe -priverdD
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3484
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\grdfe.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\grdfe.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1556
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBGbYYvk1i.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4244
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:5112
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:920
              • C:\odt\dllhost.exe
                "C:\odt\dllhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:4112

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
      Filesize

      35B

      MD5

      ff59d999beb970447667695ce3273f75

      SHA1

      316fa09f467ba90ac34a054daf2e92e6e2854ff8

      SHA256

      065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

      SHA512

      d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
      Filesize

      2.4MB

      MD5

      3ed540faf4896c7f82a2643dfd501525

      SHA1

      2ca1ac39738968ead234b489cc69f859d4e67a7f

      SHA256

      c2958372620455f32fe5836d1aa4d37feeec6009e17ed1df5d14944645eb8a81

      SHA512

      82d8b95f057740cb35f65deecd5d2367814041119b0cb5afc800aa4fa8500f2953ba94d390915b6241d959575e131d6e638b3dae66963de9f8e60e2f9a6dad97

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\grdfe.exe
      Filesize

      2.1MB

      MD5

      99e521a2816ca108f31a4a26e971dd67

      SHA1

      194e9801a30e3bee67d49b160115373022c9ff32

      SHA256

      65c33f919aa4b3be2f4b7316f66ffeac9441e735b6e846b84b8e331951c8c5c7

      SHA512

      4ff9abbecac209b00a9e613daabf3e9df7b0d0db28ce62f3ecc011919617f8ef542f9d95d905ebc62b9b081bc1ab1192410ea9e273cf1bcdac59f78390dbcbb6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TBGbYYvk1i.bat
      Filesize

      146B

      MD5

      99d37fa42f9f1f4059aeec6957596a47

      SHA1

      a04e8b6b1068abe923789d6346e105c1487996ae

      SHA256

      026317bc96111b3a12e10eb8ac4e4056edb5cf7a27fb757737ea26a0426125a7

      SHA512

      67add9334a5a0ca7c13693e1c19bcba55f99cf51b9caa2e8726eaae94f47dc1691c371add3a10a94fc4ed50aa1141c5db86f60362ea036d064585b3472b14202

      Download Submit

    • memory/1556-29-0x0000000000F90000-0x0000000000F9E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1556-41-0x00007FFDCAB50000-0x00007FFDCAB51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1556-24-0x0000000000F70000-0x0000000000F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1556-26-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1556-27-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1556-30-0x00007FFDCB2D0000-0x00007FFDCB38E000-memory.dmp

      Filesize

      760KB

      Download

    • memory/1556-31-0x00007FFDCAB80000-0x00007FFDCAB81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1556-23-0x00007FFDACD90000-0x00007FFDAD851000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1556-33-0x0000000002870000-0x000000000288C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1556-35-0x000000001B450000-0x000000001B4A0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1556-34-0x00007FFDCAB70000-0x00007FFDCAB71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1556-37-0x0000000002890000-0x00000000028A8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1556-38-0x00007FFDCAB60000-0x00007FFDCAB61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1556-40-0x00000000028B0000-0x00000000028C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1556-62-0x00007FFDACD90000-0x00007FFDAD851000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1556-42-0x00007FFDCAB40000-0x00007FFDCAB41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1556-44-0x000000001B830000-0x000000001B88A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1556-60-0x000000001BD80000-0x000000001BE29000-memory.dmp

      Filesize

      676KB

      Download

    • memory/1556-25-0x0000000000F70000-0x0000000000F71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1556-22-0x0000000000420000-0x0000000000798000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/1556-63-0x00007FFDCB2D0000-0x00007FFDCB38E000-memory.dmp

      Filesize

      760KB

      Download

    • memory/4112-67-0x00007FFDAC840000-0x00007FFDAD301000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4112-82-0x0000000002730000-0x0000000002740000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-69-0x0000000002730000-0x0000000002740000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-83-0x00007FFDAC840000-0x00007FFDAD301000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4112-73-0x00007FFDCB2D0000-0x00007FFDCB38E000-memory.dmp

      Filesize

      760KB

      Download

    • memory/4112-74-0x00007FFDCAB80000-0x00007FFDCAB81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4112-77-0x00007FFDCAB60000-0x00007FFDCAB61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4112-79-0x00007FFDCAB50000-0x00007FFDCAB51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4112-68-0x0000000002730000-0x0000000002740000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-76-0x00007FFDCAB70000-0x00007FFDCAB71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4112-71-0x00007FFDCB2D0000-0x00007FFDCB38E000-memory.dmp

      Filesize

      760KB

      Download

    • memory/4112-81-0x00007FFDCAB40000-0x00007FFDCAB41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4112-84-0x000000001BC60000-0x000000001BD09000-memory.dmp

      Filesize

      676KB

      Download

    • memory/4112-85-0x000000001C150000-0x000000001C2F9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4112-86-0x0000000002730000-0x0000000002740000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-87-0x0000000002730000-0x0000000002740000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-88-0x00007FFDCB2D0000-0x00007FFDCB38E000-memory.dmp

      Filesize

      760KB

      Download

    • memory/4112-91-0x0000000002730000-0x0000000002740000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4112-132-0x000000001C150000-0x000000001C2F9000-memory.dmp

      Filesize

      1.7MB

      Download