Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

20bf75ec79...12.exe

windows7-x64

7

20bf75ec79...12.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/04/2024, 19:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20bf75ec79b517943833f117a12421ff8b31cd4dd1c818f463bb35f0e1753c12.exe

  • Size

    204KB

  • MD5

    75f8ce733b4af79554b4b84c643980ad

  • SHA1

    4531f769404ed38bdf19195a1354e4a0ac8b4064

  • SHA256

    20bf75ec79b517943833f117a12421ff8b31cd4dd1c818f463bb35f0e1753c12

  • SHA512

    b35e4ab5a9d48fb71c8e66d225b4613c4ed0dddf765f6884faeefea03412a1b0ae65c0dfb16cbd247371a182100b2e1f9dffbbfd7b70b06ecc91f20a41cc326d

  • SSDEEP

    3072:UdGaTPrrIGvvyy8dHSi+OcGMrOpOVKdOyMbkrWRdg+E2uEPczTinJhV+p9GEVFU/:OGazIc6TVBMrOpzeJEsuirSGEMpgE

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20bf75ec79b517943833f117a12421ff8b31cd4dd1c818f463bb35f0e1753c12.exe
    "C:\Users\Admin\AppData\Local\Temp\20bf75ec79b517943833f117a12421ff8b31cd4dd1c818f463bb35f0e1753c12.exe"
    1⤵
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\apppatch\svchost.exe
      "C:\Windows\apppatch\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\apppatch\svchost.exe
    Filesize

    204KB

    MD5

    c272d827f33ff53faecdabba68ec4045

    SHA1

    074b64b71d4fcdb938354a3fa9235391bfed849f

    SHA256

    09a450b9eb4931904d00881d6bcc298085bde79d5901e1aaf7de16f73dfc24c8

    SHA512

    9b6bf8e496eceb076d6110631f2b3d1434b2249c8ff4111159cd0d197cfad61405b2deb710db1d1c44cef28cec5a7a93b24ee7b4ab9e82e701508385ed209e58

    Download Submit

  • memory/1296-0-0x00000000021D0000-0x0000000002222000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1296-1-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/1296-15-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/1296-14-0x00000000021D0000-0x0000000002222000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1508-16-0x0000000002470000-0x000000000251A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/1508-17-0x0000000002C40000-0x0000000002CF7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/1508-21-0x0000000002C40000-0x0000000002CF7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/1508-19-0x0000000002C40000-0x0000000002CF7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/1508-22-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download