Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3ddf598354...be.exe

windows7-x64

7

3ddf598354...be.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    05/07/2024, 20:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe

  • Size

    233KB

  • MD5

    e29719d3adf28eed2d8ba410872ac962

  • SHA1

    ed6247a21e2e00557e133c1289aca24df2b881d8

  • SHA256

    3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be

  • SHA512

    f419a104c3b010c6691a528d140b690d4d727de7d68dc9823e651a9028c8cee9c4894b91eaf61f9a34ab1e7957a6eb556f91719143b25412fd7f3aa6441b2d95

  • SSDEEP

    6144:xD2JWK2zuqUzN15TMdN/5djkxUEKm/tJajKw:xD2JFYoZmF7kUm/Cj

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1360
    • C:\Users\Admin\AppData\Local\Temp\3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe
      "C:\Users\Admin\AppData\Local\Temp\3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Users\Admin\AppData\Roaming\Netppubw\PkgMcont.exe
        "C:\Users\Admin\AppData\Roaming\Netppubw"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:236
        • C:\Users\Admin\AppData\Local\Temp\~FAD3.tmp
          1360 239112 236 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2304
      • C:\Windows\SysWOW64\cmd.exe
        /C 259456073.cmd
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe"
          4⤵
          • Views/modifies file attributes
          PID:2644
  • C:\Windows\SysWOW64\Disputou.exe
    C:\Windows\SysWOW64\Disputou.exe -s
    1⤵
    • Executes dropped EXE
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259456073.cmd
    Filesize

    291B

    MD5

    6b620a106e65ad01793b41c094db3f7a

    SHA1

    d8338fed27f9a1367fd2952db385a319c2c72c09

    SHA256

    b17777b942fd9a860d7c2bb774369390cf39ecc8841b5642d307bdaf151c23d1

    SHA512

    ac84b9b550e58380d9041b6d860d9628a5da43ce71a37f04b988aee63df9fdf36d6d824685b5b862541f2b34efcc5720392da2e49a7f846b84d2e8afced4da73

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~FAD3.tmp
    Filesize

    8KB

    MD5

    86dc243576cf5c7445451af37631eea9

    SHA1

    99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

    SHA256

    25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

    SHA512

    c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

    Download Submit

  • \Users\Admin\AppData\Roaming\Netppubw\PkgMcont.exe
    Filesize

    233KB

    MD5

    7625144b71d411fcab7213f6ba33050d

    SHA1

    5755665f69d7e7ffa366cd525e092230c751df1d

    SHA256

    db4b22345f935119493237fb2f9df9d7c2f7176fa60584b957a3d01e82014e36

    SHA512

    e0f102a4658052a76de82396588c86f8baf995d3f4e9c53bcba3a840dea2d11efa21a837f795c603fd921c74416e5606c839e8614ced975cd98ad590b80fc5ab

    Download Submit

  • memory/236-16-0x0000000000290000-0x0000000000295000-memory.dmp

    Filesize

    20KB

    Download

  • memory/236-14-0x0000000000240000-0x0000000000283000-memory.dmp

    Filesize

    268KB

    Download

  • memory/1360-17-0x00000000025A0000-0x00000000025EA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1360-18-0x00000000025A0000-0x00000000025EA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1360-27-0x0000000002760000-0x000000000276D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1360-26-0x0000000002600000-0x0000000002606000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1360-25-0x00000000025A0000-0x00000000025EA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1908-0-0x0000000000120000-0x0000000000163000-memory.dmp

    Filesize

    268KB

    Download

  • memory/2732-31-0x0000000000210000-0x0000000000253000-memory.dmp

    Filesize

    268KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.