Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2a25e42aad...bc.exe

windows7-x64

9

2a25e42aad...bc.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/05/2024, 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a25e42aadccedc4589fec26d46f3c98fbd9368561952d386e6b80c592770abc.exe

  • Size

    102KB

  • MD5

    12fec7bccf4056d35aee966085764c93

  • SHA1

    0fe4c017095fe5443949dd452de5fd47c116a04c

  • SHA256

    2a25e42aadccedc4589fec26d46f3c98fbd9368561952d386e6b80c592770abc

  • SHA512

    950b25f81a4af1cc6eecafc5a5e6d1071bb58df484309464ef3395a4a91f0db3594c0da74dd025af7a752d4074a96fdefecc4935873c38ca2b65e81ed124a682

  • SSDEEP

    3072:xFphTfm1UC7AdYzrV+Dljy/32ubwZZqJ:FhTfmuCkdYzrVolu/J0ZZ

Score
9/10
persistenceupx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 12 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a25e42aadccedc4589fec26d46f3c98fbd9368561952d386e6b80c592770abc.exe
    "C:\Users\Admin\AppData\Local\Temp\2a25e42aadccedc4589fec26d46f3c98fbd9368561952d386e6b80c592770abc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Users\Admin\AppData\Local\Temp\2a25e42aadccedc4589fec26d46f3c98fbd9368561952d386e6b80c592770abc.exe
      "C:\Users\Admin\AppData\Local\Temp\2a25e42aadccedc4589fec26d46f3c98fbd9368561952d386e6b80c592770abc.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQROX.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
          4⤵
          • Adds Run key to start application
          PID:4452
      • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4224
        • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
          "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
          4⤵
          • Executes dropped EXE
          PID:4512
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:8
    1⤵
      PID:2560

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BQROX.txt
      Filesize

      157B

      MD5

      f6a90c20834f271a907a4e2bc28184c2

      SHA1

      36c9d1602b74f622346fbb22693597d7889df48d

      SHA256

      73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

      SHA512

      39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      Filesize

      102KB

      MD5

      74e1fcf3a958d3f797a74658b144d19b

      SHA1

      6db4481921036c98a9fff9f532d543181e68b08f

      SHA256

      24bb195e7a2ce60fc80572f1aa66456ea9c97e9a05447e210d9691fb59ee396b

      SHA512

      3a18519225ce8e7795c0bd9301f246675f44c63c9eb1e76ef4f8ef2f24040aec68532730d65127ba3412e65682abbd63dfe439654fd4d1f95e5e5c6ab33374da

      Download Submit

    • memory/2156-52-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/2156-42-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/2156-36-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/2452-55-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2452-3-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2452-39-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2452-53-0x0000000000410000-0x00000000004D9000-memory.dmp

      Filesize

      804KB

      Download

    • memory/2452-10-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2452-9-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2464-8-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2464-6-0x0000000002310000-0x0000000002311000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2464-0-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/2464-7-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2464-13-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/4224-59-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4512-47-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4512-50-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4512-48-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4512-45-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download

    • memory/4512-60-0x0000000000400000-0x0000000000417000-memory.dmp

      Filesize

      92KB

      Download