Analysis

  • max time kernel
    141s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/04/2024, 18:47 UTC

General

  • Target

    10dfd1f7378c8a904b09564b07b62e86381378e73ca7679b7f1c9da678dc36b3.exe

  • Size

    102KB

  • MD5

    1fee2a8c022416cf800a9b48ce879f7b

  • SHA1

    3dc5f2f5edaf694bdf5fe5dec96b51b2f26609f1

  • SHA256

    10dfd1f7378c8a904b09564b07b62e86381378e73ca7679b7f1c9da678dc36b3

  • SHA512

    9a835e1fb1bce45cd4f7d465cebc335430aa16c06bccd9b4300a67f384863be2b6353fef5d52bf3fdf0e69466b679821fb37fa47f48af57b47780c165d74d1eb

  • SSDEEP

    1536:lDcfLfIb5EpvuzgyXVdtnfHNWnnn6maaaBrrrmQOvvvM:lD2LTZuzgyXVd1veaaaz

Score
9/10

Signatures

  • Detects Windows executables referencing non-Windows User-Agents 5 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10dfd1f7378c8a904b09564b07b62e86381378e73ca7679b7f1c9da678dc36b3.exe
    "C:\Users\Admin\AppData\Local\Temp\10dfd1f7378c8a904b09564b07b62e86381378e73ca7679b7f1c9da678dc36b3.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\SysWOW64\attrib.exe
      attrib +a +s +h +r C:\Windows\Debug\zskhost.exe
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:3016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\10DFD1~1.EXE > nul
      2⤵
      • Deletes itself
      PID:1364
  • C:\Windows\Debug\zskhost.exe
    C:\Windows\Debug\zskhost.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    PID:784

Network

  • flag-us DNS www.baidu.com (zskhost.exe), remote address 8.8.8.8:53
    Request: www.baidu.com IN A
    Response: www.baidu.com IN CNAME www.a.shifen.com; www.a.shifen.com IN CNAME www.wshifen.com; www.wshifen.com IN A 103.235.46.40
  • flag-hk DNS (zskhost.exe), remote address 103.235.46.40:80
    Response: HTTP/1.1 400 Bad Request
  • flag-us DNS kZnDzdedlU.nnnn.eu.org (zskhost.exe), remote address 8.8.8.8:53
    Request: kZnDzdedlU.nnnn.eu.org IN A
    Response: (empty)
  • flag-us DNS kZnDzdedlU.nnnn.eu.org (zskhost.exe), remote address 8.8.8.8:53
    Request: kZnDzdedlU.nnnn.eu.org IN A
  • flag-us DNS kZnDzdedlU.nnnn.eu.org (zskhost.exe), remote address 8.8.8.8:53
    Request: kZnDzdedlU.nnnn.eu.org IN A
  • flag-us DNS RyFbTHXKcO.nnnn.eu.org (zskhost.exe), remote address 8.8.8.8:53
    Request: RyFbTHXKcO.nnnn.eu.org IN A
    Response: (empty)
  • flag-us DNS 1eQmEl0wqc.nnnn.eu.org (zskhost.exe), remote address 8.8.8.8:53
    Request: 1eQmEl0wqc.nnnn.eu.org IN A
    Response: (empty)
  • 103.235.46.40:80 www.baidu.com http zskhost.exe 772 B 428 B 10 9
    HTTP Response: 400
  • 8.8.8.8:53 www.baidu.com dns zskhost.exe 59 B 128 B 1 1
    DNS Request: www.baidu.com
    DNS Response: 103.235.46.40
  • 8.8.8.8:53 kZnDzdedlU.nnnn.eu.org dns zskhost.exe 204 B 118 B 3 1
    DNS Request: kZnDzdedlU.nnnn.eu.org
    DNS Request: kZnDzdedlU.nnnn.eu.org
    DNS Request: kZnDzdedlU.nnnn.eu.org
  • 8.8.8.8:53 RyFbTHXKcO.nnnn.eu.org dns zskhost.exe 68 B 118 B 1 1
    DNS Request: RyFbTHXKcO.nnnn.eu.org
  • 8.8.8.8:53 1eQmEl0wqc.nnnn.eu.org dns zskhost.exe 68 B 118 B 1 1
    DNS Request: 1eQmEl0wqc.nnnn.eu.org

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Debug\zskhost.exe

    Filesize

    102KB

    MD5

    700c431a7dbf7a6c506528c395992813

    SHA1

    f13d09985a4d0623c70b051b642579aa9bdfc2a4

    SHA256

    aa9cec686617af48b0cfc09d2c956e1fb7c773976b5bb805e438575039505773

    SHA512

    79e49fcfb2c095bbd49be2cd6b8df5a12d4de2fa64de8bfb21d9684d75771f65d5706fa7baaacd0d95c4e49c4af35b4f291824232afcb862d59aa7e04afd899c

  • memory/784-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/784-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2140-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/2140-6-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB
