Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

92dd0213c6...40.exe

windows7-x64

1

92dd0213c6...40.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/04/2024, 00:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe

  • Size

    216KB

  • MD5

    2301a9913e02067864f513ac01e2794e

  • SHA1

    cfc9e56f525cf3f82edfdadfe4fe210a76b76ef6

  • SHA256

    92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40

  • SHA512

    6316cd658aa6194cc860e21f8ccd36d269bc97e40e1222a5445235e683b3f34a53decdb949f197dd0386718ef04e06063a22228dc86228bd86450f5a587c0a91

  • SSDEEP

    3072:f56VkkgUgXC7AdYzrV+Dljy/32ubwZ/qJH:oUFCkdYzrVolu/J0Z/O

Score
9/10
persistenceupx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe
    "C:\Users\Admin\AppData\Local\Temp\92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Users\Admin\AppData\Local\Temp\92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe
      "C:\Users\Admin\AppData\Local\Temp\92dd0213c6860034985afc09aadec1a3f008ef7b040e5d690d6a9b19c871be40.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSTQL.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
          4⤵
          • Adds Run key to start application
          PID:884
      • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3392
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:5068
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          PID:4956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DSTQL.txt
    Filesize

    157B

    MD5

    f6a90c20834f271a907a4e2bc28184c2

    SHA1

    36c9d1602b74f622346fbb22693597d7889df48d

    SHA256

    73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

    SHA512

    39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
    Filesize

    216KB

    MD5

    faed327a286e2e11654ef849054bd00b

    SHA1

    d36155843ea46a283dfb62116a723a01673bfbaa

    SHA256

    b2db1c349adc6ae0057228f92e1ccd0779cc98d53bc34ae489e25cc532db0719

    SHA512

    0f727742e36e3a27b3bebe2fc91e50cb6e71f4f0afdd6919ea80cca0b0051fe37262e27ed7f210b58c47d3a8fc543e68446246cc0041fa54d6004a24d756b7b4

    Download Submit

  • memory/2884-39-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2884-9-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2884-3-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2884-51-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2884-7-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3392-49-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3392-32-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3392-42-0x0000000002970000-0x0000000002971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3392-43-0x00000000029B0000-0x00000000029B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3456-6-0x00000000024F0000-0x00000000024F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3456-8-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3456-4-0x0000000002470000-0x0000000002471000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3456-0-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4956-46-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4956-47-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4956-41-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4956-52-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4956-55-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4956-61-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/4956-67-0x0000000000400000-0x0000000000417000-memory.dmp

    Filesize

    92KB

    Download

  • memory/5068-54-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download