Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

d0f7e1b519...0N.exe

windows7-x64

7

d0f7e1b519...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/09/2024, 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0f7e1b5196772528ce410b695e2daa0N.exe

  • Size

    133KB

  • MD5

    d0f7e1b5196772528ce410b695e2daa0

  • SHA1

    80380bfc187b7327a99a605a44fc1d4a12984782

  • SHA256

    74be29a741738584dee133775ca5113c9e5a47ae604c1532e27b66890006cd05

  • SHA512

    dcb0687ceaef8d757c3c0217b97337aea9b725b1f1531e3dd216d76e16aabbaaf9bc0f681968645c85cf0ed29fde0a5139f668b82d1fd4139c62f732d2af49f9

  • SSDEEP

    3072:sEboFVlGAvwsgbpvYfMTc72L10fPsout6nnn:rBzsgbpvnTcyOPsoS6nnn

Score
7/10
discoveryupx

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0f7e1b5196772528ce410b695e2daa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0f7e1b5196772528ce410b695e2daa0N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840 0
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
  • C:\Windows\system32\cmd.exe
    cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg
      "C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1232
  • C:\Windows\system32\cmd.exe
    cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg
      "C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\wininit.exe
        C:\Windows\System32\wininit.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304230395D474A422F565840 0
        3⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\1D11C18123.IMD
    Filesize

    134KB

    MD5

    a41df0edcd98a2a8bf807a95ec3f70ff

    SHA1

    35473d98c969eda4dc147eb117df453974396c69

    SHA256

    b3a3f3c566c58af376bb7243947e82c401a11aed1050963a629bc8d30d5dc45f

    SHA512

    d47a545e39037e33972a50cb2536ca83c09650a0c25e4db195362ffd13ee3ade8188c5f55e4e37eb55d3dfcd238857b2912235488533c9e3229e1c40ce3429af

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\FKC.WYA
    Filesize

    108KB

    MD5

    f697e0c5c1d34f00d1700d6d549d4811

    SHA1

    f50a99377a7419185fc269bb4d12954ca42b8589

    SHA256

    1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16

    SHA512

    d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIF.jpg
    Filesize

    133KB

    MD5

    2a94ff78cf738a946edd32107e1e3b5c

    SHA1

    5503725cc22e8a7ffc0bdbdd14d37aa7a411c604

    SHA256

    05906b897c8a67a5b76dbfe1fc945ecc08fb460155a99af4772afdb5d32cae92

    SHA512

    f243e40a52339934252cc1393780f4c55d388e33838b3ebda05665a5b45c4905a12fb87cc0613bf4513c442997bf1ec4908ec10efbf80e2cafe279cb6c005522

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIFmain.ini
    Filesize

    843B

    MD5

    4152194d045a0f369915857622cf41e2

    SHA1

    3294a331d73022fb1d5c54800d3281892675f5d1

    SHA256

    b4703e24d8540edaf52d981b49c2bb9cb1647f3d0a15c12da62393ea39400f6d

    SHA512

    c375906c4bedb88be0b0e1f09e7e74e613876396ebf76e2941ef0084a254bbb3e82032531539de09e78df0d0bb9f852977c3fc0a3cbc1fd58be96eb819b9ff7e

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\KVEIFss1.ini
    Filesize

    22B

    MD5

    930acf89790980bda3854f8bd8dc44d6

    SHA1

    4033478772bd5b31cdbf85187ad30eb03a560f33

    SHA256

    34158e7ba9674f6eb03866767791fb29663241342a304cbc1286bdaf049269a6

    SHA512

    87752859deee77287cf49d0f54f92dee94f49b2ef3c4fd76ee0b573f1cd73b3b9b472ce4f83e8ae11a8b71aa1c0a802c72b87f7fd940a6b3ddce4d85ab68b7b8

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11C18\ok.txt
    Filesize

    73B

    MD5

    1fa8a1e774fda04c1037b5ff16fbaa72

    SHA1

    2d2e242030aefd54509567f3a6cc97b5a9004312

    SHA256

    43290fb5fbe00e8b82a356482ff5bb775ec82d157892dc8f0d516a7e841d4f7c

    SHA512

    30cff80ce20551180fe29f0b1a3dde623130b07ab8aa10fcd0ee47398b1e5a6b50fd0d2a92b0d933eb75e2c706c54dc570f2e5f1b39c3cae7c93df809a779159

    Download Submit

  • C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg
    Filesize

    133KB

    MD5

    2e3e64061aa669aa59f6e46c142d1222

    SHA1

    292570bd4778423ef326659335191d1bdf6887c2

    SHA256

    55674bdec3c119ed4d5e924ff6509d407acd5b14e2567fa923a7ed28be44460a

    SHA512

    402397ea43f7071c0c3df36eaa2c17abe508ea31cdf69a4378627b7a81c38df99ccc7aee8fafd2c1491f8dd5fcc484f8414e41a8423b4de75f9ced44fc85b4cf

    Download Submit

  • C:\Program Files\Common Files\Microsoft\1D11C18\KVEIF.jpg
    Filesize

    133KB

    MD5

    51fac89d463fff28b28f712b8f481d5a

    SHA1

    6aa96eabf3d311bfcc493fbbc9443add25276a72

    SHA256

    744dea5f07b0f7a37fa423530d29a3669f3597bf473182039de975bb75a04aa9

    SHA512

    6337d867e349c3c0d8b7ef076c9737de7a8bc1008624909dbecc3d369e1d1d4de853e16aae45d67118b2780c055ef092b4235344ac6cd4e9d58953dd0c33afe2

    Download Submit

  • \Windows\SysWOW64\kernel64.dll
    Filesize

    1.1MB

    MD5

    9b98d47916ead4f69ef51b56b0c2323c

    SHA1

    290a80b4ded0efc0fd00816f373fcea81a521330

    SHA256

    96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

    SHA512

    68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

    Download Submit

  • memory/2644-17-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-27-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-19-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-3-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-15-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-33-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-32-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-31-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-21-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-25-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-23-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-2-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-9-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-13-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-11-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-29-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-7-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2644-5-0x0000000000430000-0x0000000000485000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-84-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-80-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-77-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2932-102-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-100-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-98-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-96-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-94-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-88-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-87-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-90-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-82-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-92-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-79-0x0000000000160000-0x00000000001B5000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2932-76-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2932-75-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2932-168-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-72-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2932-70-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2932-250-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download