Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

f7e0658010...0N.exe

windows7-x64

8

f7e0658010...0N.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    93s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/09/2024, 04:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7e0658010d2ff3571e886ef239d74e0N.exe

  • Size

    232KB

  • MD5

    f7e0658010d2ff3571e886ef239d74e0

  • SHA1

    47b2968adf6341194b796f4eae8415253e8ce33a

  • SHA256

    61685319b4db7140248c50361720c29abaffcce9131f035d2ed7f9666aa73aef

  • SHA512

    e7af72f586d44ad8d14414001f6c0c05a4afcd9756e5441780b8653d41bcf8ad4de79e8fdf293c4e8b47b80214dff1b5efa98794bc54525be7183afcacd2eb1f

  • SSDEEP

    3072:d1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1Vne1i/NU82OMYcYU:/i/NjO5xbg/CSUFLTwMjs6wi/N+O7

Score
8/10
defense_evasiondiscoverypersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
    defense_evasion
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7e0658010d2ff3571e886ef239d74e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f7e0658010d2ff3571e886ef239d74e0N.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1044
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4248
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    fd14d8d002bca1b7d44ab64e54c8e517

    SHA1

    6830e9580610bfe26c417e2a472bdc16cae9081a

    SHA256

    c58228df92bbb2e140fe0a35a1e1d640af2f306053a5060858b503d93fc9f4ed

    SHA512

    29c3e2dd39ea5bd6b30972bf4f6231d928c2cae0223cb1b58ad4d73a1d1f7bc743e3370396249aa0f5ded90e36b2877baafc3922a21251308d9a4cfb97d891ae

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    0245bde35831430b2cc14ab60b3356c5

    SHA1

    08031e6bf7a5915fb21b77344fff4be59f74782e

    SHA256

    63f08007e5594f8f33a3b83b184f73fef97e84758937683b60de1cffd0883e9e

    SHA512

    090d073547f81441205f6b64fbd732cdb26d03cc47d2fb4a62ac238093d8457c26d63544af4da37dce82185485d40672c4669dd044a7386dc71b6cd064f54c88

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8M42AOWL\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\WINDOWS\windows.exe
    Filesize

    232KB

    MD5

    531c2315180e1eb575919deebfe00693

    SHA1

    f0067c075acaf3df50a4e42667a5efe998501b85

    SHA256

    6ba9cc18175b4e15bece1fe16d20551642212478e0d1bb765f3452770ba8739c

    SHA512

    34dbd6913e3e6be7ff7de4c9ec7262a2a6c073cdcf04c8a661960e267ae75624ddece0298e1612f598cfb51cef69fcee1ba4a672efe1dea4ae5b4fb977a761d6

    Download Submit

  • C:\system.exe
    Filesize

    232KB

    MD5

    4f709c9dfafeea0c0bc4a04a2b03072a

    SHA1

    8221e366a126af0dc71405bce10391af90ec53d9

    SHA256

    1073e7f79d2f690ccfcfb4f4c0af372ab2fbe6a1364356ec38c710ae95cfc3aa

    SHA512

    00c0f93cbc306471cbb140838847dab8b922e91bba866b1acb52ece843add96cae21e12bbc28718a7ffa537102e1a5b364a2695426fa3fa7160118fa52d53286

    Download Submit

  • memory/1380-0-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1380-17-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download