Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

5

ac075628b6...52.exe

windows11-21h2-x64

7

ac075628b6...52.exe

windows7-x64

7

ac075628b6...52.exe

windows10-1703-x64

7

ac075628b6...52.exe

windows10-2004-x64

7

ac075628b6...52.exe

windows11-21h2-x64

7

Resubmissions

17/04/2024, 08:54

240417-kt955aad45 7

17/04/2024, 08:54

240417-kt9jlaad44 7

17/04/2024, 08:54

240417-kt8masad42 7

17/04/2024, 08:54

240417-kt8bjabh6x 7

17/04/2024, 08:54

240417-kt7p1abh6w 7

17/04/2024, 06:26

240417-g7dsashd8w 7

Analysis

  • max time kernel
    152s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac075628b6cdb15172f6a76f0d3331316934e09cf0f0bd3a94c0e5e23b02a352.exe

  • Size

    14.1MB

  • MD5

    ca8759c6ed97044b07af776617d63e60

  • SHA1

    8d9c7a6ae0d7b04965881640f890fb824e17aa15

  • SHA256

    ac075628b6cdb15172f6a76f0d3331316934e09cf0f0bd3a94c0e5e23b02a352

  • SHA512

    8c90dbb2d346c52d6c0a2a34df3fa4258c573df654a57e9a2d1304b55e770a18f9ff8d7c5006e9ec3e3890e27723516ada82d10429666d3985dabe6ce2166c36

  • SSDEEP

    196608:zCKlOXcCT0AdpHeFsfghvbxyUPbHjTV2JOogd3dB3q91okxWeOZSzsvwQv/bUYLH:WSuQsoNxDV6oNr3qoL3Zy6wQvjUeWw

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 8 IoCs
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac075628b6cdb15172f6a76f0d3331316934e09cf0f0bd3a94c0e5e23b02a352.exe
    "C:\Users\Admin\AppData\Local\Temp\ac075628b6cdb15172f6a76f0d3331316934e09cf0f0bd3a94c0e5e23b02a352.exe"
    1⤵
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3328
    • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
        3⤵
        • Creates scheduled task(s)
        PID:1608
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck80104
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
        7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1844
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3636
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4860
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck80104
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2964

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\32.exe
      Filesize

      5.3MB

      MD5

      af0b891498a9ad773bdb921cecb9006b

      SHA1

      5c053026bb809b90b45a35832cf20a9354c05e28

      SHA256

      df0c75176daf725fb756d15658bfbc60e3d874f62408e592d78232a0d22b5cfd

      SHA512

      9303125d975843d0f7faceb575873e41a814488c5938cd0caeafb7c9870fa562c04cbe482f6d9cb27dcb0d3412ddba897030cc2356660396ddff1c839ddc2a9f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\64.exe
      Filesize

      7.2MB

      MD5

      211f02e41dac48e00425276ecacfb4aa

      SHA1

      1f14aa92dcf21c82d20b953b42e18c46cf430dba

      SHA256

      193276f5205f9e85066726c045ce1277059ff095ac21bc0801c4b95960898845

      SHA512

      03e0bfb1cc8b09d3601bb5612622a4e79943077c22accad53d04fba441747bcd6ca2e58e3f161a2249f03bec84fadf3c1def263acc3be3ab3c8e5fe9a96c7975

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      Filesize

      722KB

      MD5

      43141e85e7c36e31b52b22ab94d5e574

      SHA1

      cfd7079a9b268d84b856dc668edbb9ab9ef35312

      SHA256

      ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

      SHA512

      9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
      Filesize

      5.3MB

      MD5

      ceaccc21cc877a85ee8ec6c0e5c32072

      SHA1

      a83666523d424c40d2c85e1e000015694ea36872

      SHA256

      448343d3ca348281fa23d0f39a4309e9cb4e4f1307feac7f880a3aea7f742b7c

      SHA512

      a87ea86d321f2e2c78d26d49d1f8b278ca1f838cdef34ff0f8f63d9dab5fbad38f6d43d1e902d3f4f030cfd136e8b1aba23ec5aca68bac492d2215ccf8f96ea2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
      Filesize

      2KB

      MD5

      9160347bec74471e1a79edfd950629ae

      SHA1

      c149a7e5aab6e349a70b7b458d0eaaa9d301c790

      SHA256

      0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

      SHA512

      b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\autF7AE.tmp
      Filesize

      5.8MB

      MD5

      7b8e09c52b4e05c1e797470c246dc92f

      SHA1

      7d075834d09ea1f726f35b4aae96de794551608b

      SHA256

      98b615f572d6e4e43ed19711890f97cf2dc0848bfc3eb085e61a8c78ac0cb826

      SHA512

      9195e1a31465f2bb77f21c21aeb4a4e4f590045af7d78fbb220ced150652bc7d036cd6aee32232fdd62a517ee14cb507fd878148e68ccb3fc6cc7a91e3883e58

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      Filesize

      6.3MB

      MD5

      6425013ca5cc69b6e2aae300cf41c045

      SHA1

      ddebed5f736eda4befd275887d54af42d8d0263e

      SHA256

      8838c825cfb375a3d01a5dabb3c2f4b3cb501b0c9dd3b4059019e11038932c7b

      SHA512

      e54ff13062c4732565d77c88b940c3198ff4bc3392f77732a3089b3ac17ffcd2204153eedca1d3b30e10a2fd30c8b7eafbb8508f87d7a480fc8a756cb1dafa8f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      Filesize

      5.8MB

      MD5

      1b60237dcbe0fbadfb8957ada8ad186f

      SHA1

      64e62a3ffde2cc311d3e51221c420fc9fca87712

      SHA256

      808e20e96028e8fde9ca10d6467662ed475c2bdf857e9b7658773a8f664d0873

      SHA512

      8d345bdd6f64c2bfd2a1a7559e4ab2bb93879fccfad1f757ad40ee9321261388067b0bad9750c0a3b01b3bb7f5b89a2d40f086d3c25945ef11363f9a83041458

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp
      Filesize

      2.1MB

      MD5

      4cd3f07fef4d2d847f9cbba628e8edb8

      SHA1

      bb901200c646be4bd215f713f9df9a965517dd13

      SHA256

      3925bef7666a8c8d8d3ab3a15733f7b64d4297741006348d25a703c338389e04

      SHA512

      cf0b29a45f499ed67ec639df591cd9b8ff592e91934d7e6957caaf6ed3c24b751a9885f854616bf3813898b73b253cb054f66540575ba3c19fa18c303de99e83

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\LIBEAY32.dll
      Filesize

      2.5MB

      MD5

      b57e3160f18f33dc9f69ec4ac83f8b0d

      SHA1

      651d39de229ce63ff85fba1d4ba3408bd93d8537

      SHA256

      c09d060e4f78e25bf6e27a6ac790871ac2eb87d8f18eb9f2dff8c7ac9c8d6330

      SHA512

      4e00f998151d81c05325b3537c9a4ff87279d96a7205f267cd5c1cbe78f460aad82ce98c868d4a63c6dae3812810614f4ea340051dd646aecb5f67a5b12deff4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new
      Filesize

      20.2MB

      MD5

      a0959cdf4f326b33fa0dbac9750e8c96

      SHA1

      0715f223d077b054bb3fe0a1bda5ed87fd4cea59

      SHA256

      01d953381f393825125923879c8befa761d4ab4dd00a8aa25b2299876df89dc8

      SHA512

      d6f8159d9e785eacd859e2934dc701f2a3c893fb22e06383741d41448a48e78db82eaf0d7b6b546fef296dfcb38dea145f3cfc621ca39dca1ab116b3c5806ec0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig
      Filesize

      201B

      MD5

      b9d2fe9cfa840518fa39039c928d4938

      SHA1

      0561516b7cfa784cf400349983817c8b18817256

      SHA256

      69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

      SHA512

      894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-6.dll
      Filesize

      840KB

      MD5

      52dc140cbb14e2154e9087ecbc8cdc28

      SHA1

      68a2c92e99a283a67b898fd3208c19160cd36617

      SHA256

      b946b94a6abec862e0685327f76f5f55ed690268c4cd3ceb4018acd6e0e12d6e

      SHA512

      4dc2bd64cfcf4fce6f2030b2077df212da260d89505f16e71e1f06eae7d45437831c34e4de6c1d24ae0b02ca142e261eb363b495595cfd6e404d2304c403ebb0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_sjlj-1.dll
      Filesize

      967KB

      MD5

      286cdf5fdb6414f3e0508c446af62c30

      SHA1

      394d333371cad5735f09ed8bed128448b1b965ea

      SHA256

      481c13cf972fafa748486fbbd0366a44babaeabd19ba56e691bb3a064c653153

      SHA512

      9ffe9f6d881df0b6a35e9cc7636b64097196102115d9451dd4db71d22fb37ccedfe32879952cd979f85247bb8168f9df95af18dc0eba478deafb2301a6b24c1c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll
      Filesize

      272KB

      MD5

      606110186930c205e48942975a851ca4

      SHA1

      d2b7a21bd55a035e2a7813eccc9e33f5f7815823

      SHA256

      33115d4f22517c23939d8f8ab65bbb35cccb5d463ba81b44623e3cb57c8867f7

      SHA512

      3b00c7fecdbaec3fced8f8ecb2b0351d406a3d0a461011140f60d9e1e52afcef3b92baa8c1079ce01716ba266a975c0f54e16f282bf4cf97fafa2e0164c0245c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll
      Filesize

      499KB

      MD5

      40a7215c1bd90c1da72b1d4e139f1821

      SHA1

      9106d6140ceec25059c6fd8bbead9005346c88a9

      SHA256

      c115d1a52cd1e848969928a07dbc5312c53c10380bf44a7cdd82a31d5f37404e

      SHA512

      11d1b8a704d02b413822a2bdf8f0c9ea4e5a72509484e1ce96033b226ffb6ef3bdfed0bb05ea3c2396bc7543d9fa0d1f04169277deeeb341186e2ae9de500019

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\ssleay32.dll
      Filesize

      769KB

      MD5

      6536e58d90b2e9ded05097163d81642c

      SHA1

      ce1b8e8db12a8bc5de1eba1f25a02e4e2e9ac22a

      SHA256

      e6093fe75346ec927fe3f0eb79ea0d331a3b0493267d488018c8693c9cef9252

      SHA512

      8a766313525cd4268a27843daf588adbbb5ea7476fe0c2c33321ec2e5d9219d6fa335c8f8dcfbb073578631d032416d8ccf7bfa4a7fd89031314bbc981feefea

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      Filesize

      3.6MB

      MD5

      6b179fa8138ae6135d194f19c93e38af

      SHA1

      0a18edd6b76ff09b6132be574caa4502d8ef4d03

      SHA256

      c3d44f93c33999447dc2c1a7197e14ad5278116a5c42b770e974c172162ce963

      SHA512

      f84235149adbbd0b6bcd364b6692f772411e23db80559ceb193252e3e0b4d64de289bff82c23364e998c12168373fa1a5b625d5e85eb3e954f6d1f7db14f95b2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll
      Filesize

      105KB

      MD5

      7b7f33f2d84c9cfbfdd0f755140d2bbf

      SHA1

      98b084b1f3f2637fad742ce497659c052ce1e310

      SHA256

      6d2c002ba600b97e0d514166bcf33667553f41fcbd73e2cd87baef74d4c6f060

      SHA512

      66e8540a4da9c248980096d20a368458a221facb47a353907da636e39bbad9dd3fb70679b8d7cf6b1d6b3d0ffad3ac8b29148c9998fbdbdbb217c1597c839708

      Download Submit

    • memory/1844-38-0x000001995F320000-0x000001995F443000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1844-63-0x000001995F320000-0x000001995F443000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1844-40-0x000001995F320000-0x000001995F443000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1844-35-0x000001995F320000-0x000001995F443000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3328-23-0x00000000052A0000-0x00000000052A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3328-25-0x00000000052F0000-0x00000000052F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3328-26-0x0000000005D50000-0x0000000005D51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3636-87-0x0000000075580000-0x0000000075627000-memory.dmp

      Filesize

      668KB

      Download

    • memory/3636-114-0x00000000001A0000-0x0000000000548000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3636-90-0x00000000001A0000-0x0000000000548000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3636-88-0x00000000001A0000-0x0000000000548000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3636-84-0x00000000757A0000-0x000000007585D000-memory.dmp

      Filesize

      756KB

      Download

    • memory/3636-83-0x0000000075630000-0x0000000075651000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3636-82-0x0000000075630000-0x0000000075651000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3636-86-0x0000000075370000-0x000000007557B000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3636-99-0x00000000001A0000-0x0000000000548000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3636-103-0x0000000064B40000-0x0000000064BBE000-memory.dmp

      Filesize

      504KB

      Download

    • memory/3636-106-0x0000000075370000-0x000000007557B000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3636-105-0x0000000075580000-0x0000000075627000-memory.dmp

      Filesize

      668KB

      Download

    • memory/3636-102-0x0000000075660000-0x000000007574A000-memory.dmp

      Filesize

      936KB

      Download

    • memory/3636-101-0x0000000075750000-0x0000000075799000-memory.dmp

      Filesize

      292KB

      Download

    • memory/3636-100-0x00000000757A0000-0x000000007585D000-memory.dmp

      Filesize

      756KB

      Download

    • memory/3636-89-0x0000000075580000-0x0000000075627000-memory.dmp

      Filesize

      668KB

      Download

    • memory/3636-121-0x0000000075370000-0x000000007557B000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3636-85-0x00000000757A0000-0x000000007585D000-memory.dmp

      Filesize

      756KB

      Download

    • memory/3636-128-0x00000000001A0000-0x0000000000548000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3636-138-0x00000000001A0000-0x0000000000548000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3636-145-0x0000000075370000-0x000000007557B000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3636-156-0x0000000075370000-0x000000007557B000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3636-149-0x00000000001A0000-0x0000000000548000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3636-157-0x00000000001A0000-0x0000000000548000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3636-164-0x0000000075370000-0x000000007557B000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3636-169-0x00000000001A0000-0x0000000000548000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3636-176-0x0000000075370000-0x000000007557B000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3636-180-0x00000000001A0000-0x0000000000548000-memory.dmp

      Filesize

      3.7MB

      Download

    • memory/3636-187-0x0000000075370000-0x000000007557B000-memory.dmp

      Filesize

      2.0MB

      Download