Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

fd85a77b13...0N.exe

windows7-x64

8

fd85a77b13...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26/08/2024, 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd85a77b1322ab368cd2e8702cdbecb0N.exe

  • Size

    400KB

  • MD5

    fd85a77b1322ab368cd2e8702cdbecb0

  • SHA1

    392848b6b67a19e2aed417b2c472cbe1ab5e3d8e

  • SHA256

    da359c2f4625fcff92e0e8eca9517110b0279957aa0bf9198c9cc34053cebac5

  • SHA512

    10e55b4069818cc1c45edbd14460d8b14aed4b558e431d107c708f7fdfe3daa30b9d843b981de5306aae216f78f70a616f2396e8dc349dd4ca8f5736e7071672

  • SSDEEP

    3072:fDNcIFN3tw4QfwmAOMe6UJbVM/vkA9OQzY6eCFs5Juh2v19hlDcfbEdp7uxEo+9l:LJigOTJXYOaFs5Juh819hqkuGh2LeyI

Score
8/10
discoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd85a77b1322ab368cd2e8702cdbecb0N.exe
    "C:\Users\Admin\AppData\Local\Temp\fd85a77b1322ab368cd2e8702cdbecb0N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Local\Temp\fd85a77b1322ab368cd2e8702cdbecb0N.exe
      "C:\Users\Admin\AppData\Local\Temp\fd85a77b1322ab368cd2e8702cdbecb0N.exe"
      2⤵
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCYXB.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:448
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "skypee" /t REG_SZ /d "C:\Windows\Skypee\skypee.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2004
      • C:\Windows\Skypee\skypee.exe
        "C:\Windows\Skypee\skypee.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:964
        • C:\Windows\Skypee\skypee.exe
          "C:\Windows\Skypee\skypee.exe"
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2892
        • C:\Windows\Skypee\skypee.exe
          "C:\Windows\Skypee\skypee.exe"
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Windows\syswow64\svchost.exe
            C:\Windows\syswow64\svchost.exe
            5⤵
            • Adds policy Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:1612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GCYXB.bat
    Filesize

    121B

    MD5

    6f03830aff31995957052b694b2211a0

    SHA1

    bc98df25a4accd29643b311c106e1cdcecdec93c

    SHA256

    7ddb76d54b187f9e03639ee200536062c36abea7f2fb073ca9bccfb5acc55934

    SHA512

    f02357a8148e3f0c2e3f8f44c317c94450cbda8acd1890369ad91cd1c140089bfbfd6659702f79761e49b8b665f37667d806ccaed416c6de43e1a99d07a69175

    Download Submit

  • \Windows\Skypee\skypee.exe
    Filesize

    400KB

    MD5

    73ba3f9d006427154dcfcc66c6545bfd

    SHA1

    0513a3babe49795c1f5ed584b2115f554fb71fc4

    SHA256

    56132847565fe784bbb4013a643d5682d3fbace75d455af1ac1055f6e4d4249d

    SHA512

    82ccac60c558e8a6e8222685fba4b7ea25abca535f94db93bf03ac193e64e3010c837911b54b69860a413da86d0bd03b0fa062f3e1e5acd52b046581a429e6bb

    Download Submit

  • memory/964-447-0x0000000002820000-0x0000000002884000-memory.dmp

    Filesize

    400KB

    Download

  • memory/964-449-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

    Download

  • memory/964-249-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

    Download

  • memory/1488-13-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-19-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-107-0x0000000002B40000-0x0000000002B41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-211-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

    Download

  • memory/1488-99-0x0000000003140000-0x0000000003141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-91-0x0000000001E00000-0x0000000001E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-81-0x0000000002F60000-0x0000000002F61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-205-0x0000000003520000-0x0000000003521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-61-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-199-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

    Download

  • memory/1488-198-0x0000000000402000-0x0000000000403000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-9-0x0000000002940000-0x0000000002941000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-29-0x0000000002B60000-0x0000000002B61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-27-0x0000000002B60000-0x0000000002B61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-25-0x0000000002B90000-0x0000000002B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-23-0x0000000002B90000-0x0000000002B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-21-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-200-0x0000000002730000-0x0000000002794000-memory.dmp

    Filesize

    400KB

    Download

  • memory/1488-15-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-0-0x0000000000400000-0x0000000000464000-memory.dmp

    Filesize

    400KB

    Download

  • memory/1488-5-0x0000000002990000-0x0000000002991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-63-0x00000000003A0000-0x00000000003A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-7-0x0000000002940000-0x0000000002941000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-3-0x0000000002990000-0x0000000002991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-33-0x0000000001E60000-0x0000000001E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-37-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-35-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-31-0x0000000001E60000-0x0000000001E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-45-0x0000000002D90000-0x0000000002D91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-53-0x0000000002D40000-0x0000000002D41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1488-73-0x0000000002B50000-0x0000000002B51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2872-448-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

    Download

  • memory/2892-465-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2908-194-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2908-201-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2908-245-0x0000000002710000-0x0000000002774000-memory.dmp

    Filesize

    400KB

    Download

  • memory/2908-202-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2908-247-0x0000000002710000-0x0000000002774000-memory.dmp

    Filesize

    400KB

    Download

  • memory/2908-246-0x0000000002710000-0x0000000002774000-memory.dmp

    Filesize

    400KB

    Download

  • memory/2908-210-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2908-452-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2908-196-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2908-192-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2908-203-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download