Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d90dac9586...3a.exe

windows7-x64

10

d90dac9586...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06/08/2024, 03:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d90dac9586fe39d9be072d88a48363339beccf10d2ed73581c05da2a9e78363a.exe

  • Size

    384KB

  • MD5

    a8ed87317006fa535844f05b1b2f649f

  • SHA1

    63061c935151b19a5dc308c658ebd47e4641324e

  • SHA256

    d90dac9586fe39d9be072d88a48363339beccf10d2ed73581c05da2a9e78363a

  • SHA512

    87dbb362549b317ace0585626b88b161ec37ca65f8d0df17edf9bef8efd0e331fafcb03292bf9db9ea2ce8d9c7b7e6f25d7a9f7ffe9eda9e7ab25ddfe0d19142

  • SSDEEP

    6144:d0E523Mak8/k/j+zHmlGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEAz/6DG1ETdqvZNS:d0E03Mak8u8KGyXu1jGG1wsGeBgRTGAC

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 5 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d90dac9586fe39d9be072d88a48363339beccf10d2ed73581c05da2a9e78363a.exe
    "C:\Users\Admin\AppData\Local\Temp\d90dac9586fe39d9be072d88a48363339beccf10d2ed73581c05da2a9e78363a.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\Dpapaj32.exe
      C:\Windows\system32\Dpapaj32.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 144
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Dpapaj32.exe
    Filesize

    384KB

    MD5

    48eca9c797cdd12b9ca47e9deb3787bf

    SHA1

    926c1a3392ca775f66962e830801ebc047b69867

    SHA256

    ba0840585357b9d28d8f403b7ca924958b9c7c9526cbebc80b2ed53cc66c4d7d

    SHA512

    5863f65c555fb078aa3738bcf863335e9df863f1922581205c61cd2cf765f0277677784416123ce165a4fc1d5b016b29876696f2297670d00c2dc7b72b26172a

    Download Submit

  • memory/2168-0-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2168-16-0x0000000000270000-0x00000000002A4000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2168-15-0x0000000000270000-0x00000000002A4000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2168-21-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

    Download

  • memory/3044-17-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

    Download