Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ce70dbdd9f...78.exe

windows7-x64

9

ce70dbdd9f...78.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    141s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2024, 03:33 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce70dbdd9f21f9266c6b48ddb0b2663b3d20573d988a2f149b4901e9604ee078.exe

  • Size

    66KB

  • MD5

    eba8f9171e4ce554cf0d80687f159848

  • SHA1

    0a221894b9887cca72067e22f7f254d3ca8b469e

  • SHA256

    ce70dbdd9f21f9266c6b48ddb0b2663b3d20573d988a2f149b4901e9604ee078

  • SHA512

    15b6acefded5c813b7a5eb45fc3ec800ee195847df47167ce8d3ec7e7bb29ed7e8690d92a6c12824bd2d78b4f9062a24654d405c32c23370177c02d7d5988a49

  • SSDEEP

    768:ZrItKyw5WHXfQIhIiIk9ecAaVPD96KyX67:Zr3Z5IfQIR81ad5yX67

Score
9/10
evasion

Malware Config

Signatures

  • Detects Windows executables referencing non-Windows User-Agents 5 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce70dbdd9f21f9266c6b48ddb0b2663b3d20573d988a2f149b4901e9604ee078.exe
    "C:\Users\Admin\AppData\Local\Temp\ce70dbdd9f21f9266c6b48ddb0b2663b3d20573d988a2f149b4901e9604ee078.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\attrib.exe
      attrib +a +s +h +r C:\Windows\Debug\zskhost.exe
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • Views/modifies file attributes
      PID:2948
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CE70DB~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2388
  • C:\Windows\Debug\zskhost.exe
    C:\Windows\Debug\zskhost.exe
    1⤵
    • Executes dropped EXE
    PID:2284

Network

  • flag-us
    DNS
    v9hDnO1rTe.nnnn.eu.org
    zskhost.exe
    Remote address:
    8.8.8.8:53
    Request
    v9hDnO1rTe.nnnn.eu.org
    IN A
    Response
  • flag-us
    DNS
    VpsP4rVzCs.nnnn.eu.org
    zskhost.exe
    Remote address:
    8.8.8.8:53
    Request
    VpsP4rVzCs.nnnn.eu.org
    IN A
    Response
  • flag-us
    DNS
    5VZappybQa.nnnn.eu.org
    zskhost.exe
    Remote address:
    8.8.8.8:53
    Request
    5VZappybQa.nnnn.eu.org
    IN A
    Response
  • flag-us
    DNS
    fhHm6JSjo.nnnn.eu.org
    zskhost.exe
    Remote address:
    8.8.8.8:53
    Request
    fhHm6JSjo.nnnn.eu.org
    IN A
    Response
  • flag-us
    DNS
    FNSxsHRqu2.nnnn.eu.org
    zskhost.exe
    Remote address:
    8.8.8.8:53
    Request
    FNSxsHRqu2.nnnn.eu.org
    IN A
    Response
No results found
  • 8.8.8.8:53
    v9hDnO1rTe.nnnn.eu.org
    dns
    zskhost.exe
    68 B
     118 B
     1
    1

    DNS Request

    v9hDnO1rTe.nnnn.eu.org

  • 8.8.8.8:53
    VpsP4rVzCs.nnnn.eu.org
    dns
    zskhost.exe
    68 B
     118 B
     1
    1

    DNS Request

    VpsP4rVzCs.nnnn.eu.org

  • 8.8.8.8:53
    5VZappybQa.nnnn.eu.org
    dns
    zskhost.exe
    68 B
     118 B
     1
    1

    DNS Request

    5VZappybQa.nnnn.eu.org

  • 8.8.8.8:53
    fhHm6JSjo.nnnn.eu.org
    dns
    zskhost.exe
    67 B
     117 B
     1
    1

    DNS Request

    fhHm6JSjo.nnnn.eu.org

  • 8.8.8.8:53
    FNSxsHRqu2.nnnn.eu.org
    dns
    zskhost.exe
    68 B
     118 B
     1
    1

    DNS Request

    FNSxsHRqu2.nnnn.eu.org

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Debug\zskhost.exe
    Filesize

    66KB

    MD5

    66ada2f0a68bec89cfff757bf638a92f

    SHA1

    030adcc773bc6e1a46686fd5d96e47251f996880

    SHA256

    eab42393d98dc244691762aae9c7041fad0f3fa663296e3c05c64498334c182b

    SHA512

    93046606327906c3d37e92d39eee6d74f395b13942736c0a5e993aed2737b150794c58e0b2f877bb328b943f221a017d6187eebf96b859c97e41790cd9b2ab06

    Download Submit

  • memory/2232-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2232-6-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2284-5-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2284-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.