Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

563a35fcff...0N.exe

windows7-x64

6

563a35fcff...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/09/2024, 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    563a35fcff50eeafb0754eca254a9050N.exe

  • Size

    348KB

  • MD5

    563a35fcff50eeafb0754eca254a9050

  • SHA1

    5f08aa965edce4215884cca8f9ae1a95dbcddd0b

  • SHA256

    e0b0b1e77150b120f147fe696162507cfe4fb9f4e13734d66cef457a1a2724bd

  • SHA512

    49b240b7de9936f0eae3e9250fc06609969039ad7e736b6a78f3f3ab55b65f78b1b2117f39c3b3cd99c46b5a67c572a5fd8ac4aa7a1d4c13d2406034acfebb78

  • SSDEEP

    6144:EbpFMByWEhy9vBpHLnU+r/f79MzNtukvSodidiHlFE:E9y2hqbLnZr/5MJt5qZi/E

Score
6/10
discoverypersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe
    "C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\syswow64\icardagt.exe
      "icardagt.exe"
      2⤵
      • Adds Run key to start application
      • Checks for any installed AV software in registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2428
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\txlC104.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\563a35fcff50eeafb0754eca254a9050N.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2904
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\dbbbb8264j.exe
    Filesize

    348KB

    MD5

    7042fa285367255284d6c9c87815de8e

    SHA1

    bbd6847268a48252cb8ebdafb0edfb13ce56afb3

    SHA256

    aed1b5fba3421280a26e522c30f04e572cd861351839087154f19946a62affd8

    SHA512

    327908da286723ea4b89c918ee8465d40cc305d76d7aa8c80fa61c6b62f186633bcfaf79ac9500cced07e0afef225aa4846aa7f82663f101ad345c74a06b19a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\d43514e66e9c0a80acb4
    Filesize

    29B

    MD5

    d85ffb84ea73a585a289dd97216fadb8

    SHA1

    96b6335ab32e91598ec19a5d4b52f59c07d557fe

    SHA256

    3fa356e5f6e8b2c402592cb8f292748ee743c4ac6c32552785ef1a9e4ddf8850

    SHA512

    d5502794ca2385e23d7837fbe7d1dd6efaccfced36f32aaf75e653be36e9d695fc39b85929ebababc6161b39a184f45e3784c9f3841bced68ebf16b8b38c6aa9

    Download Submit

  • C:\Users\Admin\txlC104.tmp.bat
    Filesize

    55B

    MD5

    bba5d9b808c350f7a54b29217c9eaad7

    SHA1

    5ff47a407aa7281685752a03b60ca5b6339292a9

    SHA256

    51d242309c37c29238be1e3a9c7cd28ef9c6def0a75355a42b5202a5c71a46ed

    SHA512

    c0d16141481c409070129a2c97cd79574d8dae9da4de0989e76040150d127b3123612649c6fb5d38603fb450094d9c59df3bd2410075c4e15c3fbf7fe60b00c2

    Download Submit

  • memory/1960-1-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1960-2-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1960-4-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1960-331-0x0000000000457000-0x000000000045B000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1960-17-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1960-330-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1960-0-0x0000000000457000-0x000000000045B000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2428-22-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-14-0x00000000000C0000-0x00000000000C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2428-322-0x0000000000490000-0x0000000000590000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2428-321-0x0000000000490000-0x0000000000590000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2428-18-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-25-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-325-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-328-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-21-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-24-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-23-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-20-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-19-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-307-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-15-0x00000000000C0000-0x00000000000C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2428-333-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-337-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-338-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2428-355-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-363-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2428-361-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2428-376-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-379-0x0000000000470000-0x0000000000471000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2428-382-0x0000000000760000-0x00000000007CA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2428-383-0x0000000000490000-0x0000000000590000-memory.dmp

    Filesize

    1024KB

    Download