Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

08751be484...2d.dll

windows7-x64

10

08751be484...2d.dll

windows10-2004-x64

10

0a9f79abd4...51.exe

windows7-x64

3

0a9f79abd4...51.exe

windows10-2004-x64

3

0di3x.exe

windows7-x64

10

0di3x.exe

windows10-2004-x64

10

2019-09-02...10.exe

windows7-x64

10

2019-09-02...10.exe

windows10-2004-x64

10

2c01b00772...eb.exe

windows7-x64

7

2c01b00772...eb.exe

windows10-2004-x64

10

31.exe

windows7-x64

10

31.exe

windows10-2004-x64

10

3DMark 11 ...on.exe

windows7-x64

1

3DMark 11 ...on.exe

windows10-2004-x64

1

42f9729255...61.exe

windows7-x64

10

42f9729255...61.exe

windows10-2004-x64

10

5da0116af4...18.exe

windows7-x64

7

5da0116af4...18.exe

windows10-2004-x64

10

69c56d12ed...6b.exe

windows7-x64

10

69c56d12ed...6b.exe

windows10-2004-x64

10

905d572f23...50.exe

windows7-x64

10

905d572f23...50.exe

windows10-2004-x64

10

948340be97...54.exe

windows7-x64

10

948340be97...54.exe

windows10-2004-x64

10

95560f1a46...f9.dll

windows7-x64

1

95560f1a46...f9.dll

windows10-2004-x64

5

Archive.zi...3e.exe

windows7-x64

8

Archive.zi...3e.exe

windows10-2004-x64

8

Chris@Spark.exe

windows7-x64

4

Chris@Spark.exe

windows10-2004-x64

4

Cuberates@TaskILL.exe

windows7-x64

1

Cuberates@TaskILL.exe

windows10-2004-x64

1

Resubmissions

03/07/2024, 22:59 UTC

240703-2yn7wszhlp 10

03/07/2024, 16:13 UTC

240703-tn93lsyglf 10

03/07/2024, 16:11 UTC

240703-tm84xsyfma 10

10/05/2024, 16:25 UTC

240510-tw1h5shh47 10

24/08/2023, 11:16 UTC

230824-nda8msdf8z 10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03/07/2024, 22:59 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c01b007729230c415420ad641ad92eb.exe

  • Size

    1.3MB

  • MD5

    daef338f9c47d5394b7e1e60ce38d02d

  • SHA1

    c0a07e8c32528d29aae26aaecbf6a67ed95b8c8e

  • SHA256

    5d03fd083b626a5516194d5e94576349100c9c98ca7d6845642ed9579980ca58

  • SHA512

    d0f4050fc2c5f38ab598729fb6930c84bf779d47b5a8b4e860bc0e9ca8be454ad5dce001d8f88299d8a079eafd4c26efcdd2d196352acfe45e940cc107fcebf4

  • SSDEEP

    24576:W85y6Jwdt8jtWoJpXWHALGX+C1Co3aP8jvuC7g6zwm4m53Sb21SR:HXsSGuC/MIvuC5kFm53Sy1SR

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe
    "C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Roaming\wou\odm.exe
      "C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Roaming\wou\odm.exe
        C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\FCBRN
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          4⤵
            PID:1720
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            C:\Users\Admin\AppData\Roaming\wou\FCBRN
            4⤵
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            PID:2024
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2788

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\wou\FCBRN
      Filesize

      91KB

      MD5

      9375872d82fbfe00eb4f6e608aa170d8

      SHA1

      b6d6f7059c025075141293cc0c1f80c1063ef75b

      SHA256

      a1b44347af8b2b2bf0409bb96e99f012035dc494ef44db409dbcd2bb726ff2e9

      SHA512

      f05e7f8c5d4edc6c41c0a2e4c63492a8578a4ae44e093396214fe422b90bd6e6d5fc98e1d8c4ee2253845a8b1a0bf202cd27450f641a8261d7f660b26162b863

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wou\ait.ico
      Filesize

      1KB

      MD5

      f6efac00916f3425d6079ae5a956df11

      SHA1

      3153abfe46186c1186882f67444c82c544615fb7

      SHA256

      1e866a8f06f125fa1c439f9cb00199be827e74b87eae12368bd1e2cf7ab28728

      SHA512

      0ba766d5816057941ad9afc80f7b20620b0120411357fe2b97ab0a425b32d4309396ed4866c8b23c92893ed68971c4a8a8c6f25ffa411ba0c70b602a63bd4743

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wou\odm.exe
      Filesize

      732KB

      MD5

      71d8f6d5dc35517275bc38ebcc815f9f

      SHA1

      cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

      SHA256

      fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

      SHA512

      4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wou\rid.ico
      Filesize

      1.2MB

      MD5

      a5f2dcee6a2a6047aa8fdde1ae2ce290

      SHA1

      7a082661c9a3431cd89ed4d9959178d60b9570f7

      SHA256

      7da78e767ff859970c8dae593b62f1366c2c651500eb280f0077a2245a9a8625

      SHA512

      e001300fc56f9bc8e9d61cb904ea6dec5ca447729015c9ff3dccc021f319fcce57ebaabb196a56f80d249dfbb88b4a0a273858cf14c7b9a93c10c9c8bc243d0a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wou\spd
      Filesize

      4B

      MD5

      098f6bcd4621d373cade4e832627b4f6

      SHA1

      a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

      SHA256

      9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

      SHA512

      ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wou\zbackup- Copy.png
      Filesize

      16KB

      MD5

      6285049d1e4f854943856164652da8d8

      SHA1

      f29c791ddb940be594bfb431eca7d4cb6d9e2688

      SHA256

      0aeb7e8a131b53991567db463519ea005d41ddd1f227a744d4f7066805ce684f

      SHA512

      2bb954a07f82c19b26d745ac19cd66e6eb82c525db0bd6e9e6880b0077465897d7fc49521d40361262c9dccdba4de6cead5b7d8dc09a9beaae2d668537097291

      Download Submit

    • memory/1720-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2024-101-0x0000000000150000-0x000000000021C000-memory.dmp

      Filesize

      816KB

      Download

    • memory/2024-104-0x0000000000150000-0x000000000021C000-memory.dmp

      Filesize

      816KB

      Download

    • memory/2024-107-0x0000000000150000-0x000000000021C000-memory.dmp

      Filesize

      816KB

      Download

    • memory/2024-105-0x0000000000150000-0x000000000021C000-memory.dmp

      Filesize

      816KB

      Download

    • memory/2428-74-0x0000000003510000-0x0000000003512000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2788-75-0x00000000001F0000-0x00000000001F2000-memory.dmp

      Filesize

      8KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.