Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0c65d9ab75...cc.exe

windows7-x64

10

0c65d9ab75...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2024, 21:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c65d9ab75e7aa8dcf94cb642500b0cc.exe

  • Size

    108KB

  • MD5

    0c65d9ab75e7aa8dcf94cb642500b0cc

  • SHA1

    c2966be8bd1c8aa1153671e29a44a37b3fd81a09

  • SHA256

    a696374793e0dd73d04bb3d38ec1c8ef548cb374f7343a0cf6e21609417917b0

  • SHA512

    94d060798b0b0cae8948f013948fd5fae764d6b10fbd9fc4f64a6ea927cf9235438b760f73c02bcdc7f34222eec710b455bef0ac8f6f2b3b179df66fab4f2e24

  • SSDEEP

    3072:zZsAH+Nu92R2hTFkV/2C5ruvq2FcFmKcUsvKwF:ztHpUR2x6o0rIqGUs

Score
10/10
persistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c65d9ab75e7aa8dcf94cb642500b0cc.exe
    "C:\Users\Admin\AppData\Local\Temp\0c65d9ab75e7aa8dcf94cb642500b0cc.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\SysWOW64\Nkcmohbg.exe
      C:\Windows\system32\Nkcmohbg.exe
      2⤵
      • Executes dropped EXE
      PID:2548
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 336
        3⤵
        • Program crash
        PID:4488
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2548 -ip 2548
    1⤵
      PID:1204

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Nkcmohbg.exe
      Filesize

      108KB

      MD5

      c2fe078be93922e0b1603d682345fabc

      SHA1

      557544f75dffe4ad321bd8918bdc1ac0404da8d4

      SHA256

      9e762b9ed38cb6529c32027000a474bbcfa80df76ab05920f96f6bd879e4e98b

      SHA512

      8bd8a98b5aec6e9123b2366ce36c5671744b0fc6a4536c6bb5088733d41402d82ba872f9c09e3d0fbb1c64683a4c552a921ec2bb21e678ff514572ee9cd216b3

      Download Submit

    • memory/2548-8-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2548-11-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2596-0-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2596-12-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download