
Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/06/2024, 02:48 UTC

General

  • Target

    cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe

  • Size

    3.2MB

  • MD5

    6f2b9a4c2e69d96b0f275d22060fb904

  • SHA1

    d79b1a0b9deec643eb821a38702c8a5d605e0b6d

  • SHA256

    cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d

  • SHA512

    4d7cf4153152856a08bfd73fdc5e964ee57383b9e7d58169c576ed216b3adca0d85c650235e6f955817f9c0de21bd61f232c2e2b019d4b84d726687e406771b9

  • SSDEEP

    98304:5Y8WV9nEF+oi9oYGVo7SROk/BznpU6jcja4Q2B:5YRVu9i9oYGvOkV+wc

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Stops running service(s) 4 TTPs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
    "C:\Users\Admin\AppData\Local\Temp\cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2124
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1800
      • C:\Windows\SysWOW64\net.exe
        net stop WinDefend
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop WinDefend
          3⤵
            PID:2692
        • C:\Windows\SysWOW64\sc.exe
          sc delete WinDefend
          2⤵
          • Launches sc.exe
          PID:2872

      Network

      • flag-us
        DNS
        www.indexrapido10.com.br
        cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
        Remote address:
        8.8.8.8:53
        Request
        www.indexrapido10.com.br
        IN A
      • flag-us
        DNS
        www.indexrapido10.com.br
        cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
        Remote address:
        8.8.8.8:53
        Request
        www.indexrapido10.com.br
        IN A
      • flag-us
        DNS
        www.indexrapido10.com.br
        cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
        Remote address:
        8.8.8.8:53
        Request
        www.indexrapido10.com.br
        IN A
      • flag-us
        DNS
        www.indexrapido10.com.br
        cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
        Remote address:
        8.8.8.8:53
        Request
        www.indexrapido10.com.br
        IN A
      • flag-us
        DNS
        www.indexrapido10.com.br
        cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
        Remote address:
        8.8.8.8:53
        Request
        www.indexrapido10.com.br
        IN A
      • 177.70.125.207:3100
        cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
        152 B
        3
      • 8.8.8.8:53
        www.indexrapido10.com.br
        dns
        cf37e1644eb9c9ed2205921adfe160a3ae8b24c7b119e7f77846463752b17f5d.exe
        350 B
        5

        DNS Request

        www.indexrapido10.com.br

        DNS Request

        www.indexrapido10.com.br

        DNS Request

        www.indexrapido10.com.br

        DNS Request

        www.indexrapido10.com.br

        DNS Request

        www.indexrapido10.com.br

      MITRE ATT&CK Enterprise v15


      Downloads

      • memory/2124-0-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

      • memory/2124-2-0x0000000000400000-0x0000000000737000-memory.dmp

        Filesize

        3.2MB

      • memory/2124-3-0x0000000000400000-0x0000000000737000-memory.dmp

        Filesize

        3.2MB

      • memory/2124-4-0x0000000000230000-0x0000000000231000-memory.dmp

        Filesize

        4KB

      • memory/2124-6-0x0000000000400000-0x0000000000737000-memory.dmp

        Filesize

        3.2MB

      • memory/2124-7-0x0000000000400000-0x0000000000737000-memory.dmp

        Filesize

        3.2MB

      • memory/2124-9-0x0000000000400000-0x0000000000737000-memory.dmp

        Filesize

        3.2MB
