Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

53718543d4...8b.exe

windows7-x64

8

53718543d4...8b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    67s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/04/2024, 21:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53718543d44ab893cb34ddd54af305beadcabf1d3e96b3fb143c4dc059d8e08b.exe

  • Size

    5.5MB

  • MD5

    4d40c8a9062a9c898b75b032783ce470

  • SHA1

    bdb03f2940bb74143248dc6ab5c23e470c3d95e0

  • SHA256

    53718543d44ab893cb34ddd54af305beadcabf1d3e96b3fb143c4dc059d8e08b

  • SHA512

    dbf358549c0e9a6242ce2d9889f72e03e0256da44e9fa83d2af9edbe2658c033814c8efa19bc62d4c91afe21607c4991527c1d023ff6a6059c7d6b9ab4b916ce

  • SSDEEP

    98304:oseHlHdc5b9dXLVi2xIb7S1fw7pXyZ7oz0R5uz0rbJagkW7kOLIx1qxz8hjFrZBr:Bem17h10XvwPhagz7q2wNPQ00M

Score
8/10
persistence

Malware Config

Signatures

  • Sets file execution options in registry 2 TTPs 6 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53718543d44ab893cb34ddd54af305beadcabf1d3e96b3fb143c4dc059d8e08b.exe
    "C:\Users\Admin\AppData\Local\Temp\53718543d44ab893cb34ddd54af305beadcabf1d3e96b3fb143c4dc059d8e08b.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      2⤵
        PID:2336
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\123.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:380
        • C:\Windows\SysWOW64\reg.exe
          reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
          3⤵
          • Sets file execution options in registry
          PID:932
        • C:\Windows\SysWOW64\reg.exe
          reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
          3⤵
          • Sets file execution options in registry
          PID:4580
        • C:\Windows\SysWOW64\reg.exe
          reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
          3⤵
          • Sets file execution options in registry
          PID:1372
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c assoc .txt = exefile
        2⤵
        • Modifies registry class
        PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\53718543d44ab893cb34ddd54af305beadcabf1d3e96b3fb143c4dc059d8e08b.exe
        2⤵
        • Modifies system executable filetype association
        • Modifies registry class
        PID:224
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\53718543d44ab893cb34ddd54af305beadcabf1d3e96b3fb143c4dc059d8e08b.exe
        2⤵
        • Modifies registry class
        PID:4684
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\53718543d44ab893cb34ddd54af305beadcabf1d3e96b3fb143c4dc059d8e08b.exe
        2⤵
        • Modifies registry class
        PID:3008
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\53718543d44ab893cb34ddd54af305beadcabf1d3e96b3fb143c4dc059d8e08b.exe
        2⤵
        • Modifies registry class
        PID:1952

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\123.bat
      Filesize

      443B

      MD5

      70170ba16a737a438223b88279dc6c85

      SHA1

      cc066efa0fca9bc9f44013660dea6b28ddfd6a24

      SHA256

      d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a

      SHA512

      37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

      Download Submit

    • C:\Program Files\7-Zip\7zFM.exe
      Filesize

      5.5MB

      MD5

      eb29d6349782c2babc7873bb6cd779bf

      SHA1

      bd3f0d926a6a091e295f6aa619660b54e9db8b8a

      SHA256

      7c5c90471267664b128c1455d10edadaa6d747683064c2ff0960e731c5dcb26c

      SHA512

      ff190703684f97c51242ccbf5cb3f5c58a9bde0e7d6a474b1d96c07d848f514fcaf5ec914bafb7486ab310a0f0d8ff1f79de5b60e84c8d27c3c7cbd3e3141b9c

      Download Submit

    • memory/3784-0-0x0000000000400000-0x0000000000C94000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/3784-4-0x0000000000400000-0x0000000000C94000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/3784-2-0x0000000000400000-0x0000000000C94000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/3784-1-0x00000000028B0000-0x00000000028B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3784-1025-0x0000000000400000-0x0000000000C94000-memory.dmp

      Filesize

      8.6MB

      Download