Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

uaa.exe

windows7-x64

7

uaa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    24/06/2024, 16:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    uaa.exe

  • Size

    144KB

  • MD5

    120cb6528cd6cd5d87c8091b549141e0

  • SHA1

    1274d57af7e11f22361df7807ff5c213585b2aee

  • SHA256

    4107ca25f7228c0aa5407b528fa6d48d10734c4ae72088a78857f77c8e289910

  • SHA512

    58cbbeada86393d285b3a9501c226f98d761bd7ac0de67228af1b2a8586a1b81222f3fe8043f0a7ec5a9431b764634d2e1de98b0dce9bef682287cff76716963

  • SSDEEP

    3072:8ozK+rVoJoikcb81aWZveimww4uc72ZIVu/JMLqllXw5Eec/Gv:8AKAQArZvdJw5JZ6LeA

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uaa.exe
    "C:\Users\Admin\AppData\Local\Temp\uaa.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Users\Admin\AppData\Local\Temp\uaa.exe
      "C:\Users\Admin\AppData\Local\Temp\uaa.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Users\Admin\AppData\Local\Temp\uaa.exe
        "C:\Users\Admin\AppData\Local\Temp\uaa.exe"
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Users\Admin\AppData\Roaming\Zsvzvy.exe
          "C:\Users\Admin\AppData\Roaming\Zsvzvy.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Users\Admin\AppData\Roaming\Zsvzvy.exe
            "C:\Users\Admin\AppData\Roaming\Zsvzvy.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2136
            • C:\Users\Admin\AppData\Roaming\Zsvzvy.exe
              "C:\Users\Admin\AppData\Roaming\Zsvzvy.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2576
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2024
                • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                  8⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:292
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:292 CREDAT:275457 /prefetch:2
                    9⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1428

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\ajaaski2144b1ad4syQ.tmp
    Filesize

    3KB

    MD5

    2e1058266ffce954a2c25811eb5bfbb3

    SHA1

    3b449a645a3f34b36bd7baa231df4d675c99daa3

    SHA256

    e09742c8d9f8ed59268bb24bcebd33fe14e36c8665e2c44bf57a8942a0e7e040

    SHA512

    c758a661f9ea0df5b43cd46c5d82ee0f4c0c1743f378fcbcf242ecb8345f855c7967e60856fbfef513bd1f11d81bc5f959b843cf58916ac5e838738dc9131ae9

    Download Submit

  • \Users\Admin\AppData\Roaming\Zsvzvy.exe
    Filesize

    144KB

    MD5

    120cb6528cd6cd5d87c8091b549141e0

    SHA1

    1274d57af7e11f22361df7807ff5c213585b2aee

    SHA256

    4107ca25f7228c0aa5407b528fa6d48d10734c4ae72088a78857f77c8e289910

    SHA512

    58cbbeada86393d285b3a9501c226f98d761bd7ac0de67228af1b2a8586a1b81222f3fe8043f0a7ec5a9431b764634d2e1de98b0dce9bef682287cff76716963

    Download Submit

  • memory/2384-7-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2384-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2384-11-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2384-9-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2384-15-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2384-6-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2384-17-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2384-18-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2384-3-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2576-91-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2576-85-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2628-19-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2628-30-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2628-27-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2628-25-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2628-23-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2628-32-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2628-47-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2628-33-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2628-21-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download