Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/06/2024, 23:20

General

  • Target

    WinRunner.exe

  • Size

    9.8MB

  • MD5

    338623a05b7251b1f7e0c62383f723c1

  • SHA1

    d0c1744ea6917d01599d819ec6d311bcc9351b7c

  • SHA256

    a06acb4bd2c4d0a24f507c3d8dd28ecda5afa8688cd89a9749898ce6526cdac9

  • SHA512

    99fae6e4088d7f97f7430352e1453c059b9b4fd07b6e6c7911ac0a6e40882cdf6adfc277ffee93d1a41112a33591af6106387e41cf07d32742c73f411d5da6d2

  • SSDEEP

    196608:ICK5S/q7HDChf1CPwDvt3uFADCPrCGfeCcr+CK5S/q7HDChf1CPwDvt3uFADCXrc:ICK5S/qzDCt1CPwDvt3uFOCGGfeCcr+E

Score
1/10

Malware Config

Signatures

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WinRunner.exe
    "C:\Users\Admin\AppData\Local\Temp\WinRunner.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\$TMP~.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\system32\where.exe
        where ncat
        3⤵
          PID:4272
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1608

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$TMP~.bat

      Filesize

      945B

      MD5

      fddc7f85246eeca42faad3c971efdc19

      SHA1

      6938ed094e5c2ad5af4646a85234ad2cb1b3d627

      SHA256

      93a7b4910b803a01ecb03614d8ade9cd8e857d6531c5d9d7ebbaccc5ff65aca6

      SHA512

      5f4d54ab5fb2690109750c34f1e55b6856a8adf592c128ed36db396f6063c7cf5a4e49cf32739ec0fe8ee2749755d9454f97c71d58ad353031e2597962bbed52

    • memory/1144-0-0x00007FF9666D3000-0x00007FF9666D5000-memory.dmp

      Filesize

      8KB

    • memory/1144-1-0x00000198EA4E0000-0x00000198EAEB4000-memory.dmp

      Filesize

      9.8MB

    • memory/1608-20-0x000001C0357F0000-0x000001C0357F1000-memory.dmp

      Filesize

      4KB

    • memory/1608-9-0x000001C0357F0000-0x000001C0357F1000-memory.dmp

      Filesize

      4KB

    • memory/1608-10-0x000001C0357F0000-0x000001C0357F1000-memory.dmp

      Filesize

      4KB

    • memory/1608-8-0x000001C0357F0000-0x000001C0357F1000-memory.dmp

      Filesize

      4KB

    • memory/1608-19-0x000001C0357F0000-0x000001C0357F1000-memory.dmp

      Filesize

      4KB

    • memory/1608-18-0x000001C0357F0000-0x000001C0357F1000-memory.dmp

      Filesize

      4KB

    • memory/1608-17-0x000001C0357F0000-0x000001C0357F1000-memory.dmp

      Filesize

      4KB

    • memory/1608-16-0x000001C0357F0000-0x000001C0357F1000-memory.dmp

      Filesize

      4KB

    • memory/1608-15-0x000001C0357F0000-0x000001C0357F1000-memory.dmp

      Filesize

      4KB

    • memory/1608-14-0x000001C0357F0000-0x000001C0357F1000-memory.dmp

      Filesize

      4KB