Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/09/2024, 10:39

General

  • Target

    d21245ac065eaacb39d32466e6a987e0N.exe

  • Size

    353KB

  • MD5

    d21245ac065eaacb39d32466e6a987e0

  • SHA1

    fcddd5f048cb46ee4a4a5dc2da3e7ba9349f92f3

  • SHA256

    e3b7f72cad8ce1ab44bf2082a3f0b211790f9cc3757e84053fbda09710b7c587

  • SHA512

    454d17a0a6c0b50a89fc354bbea2fc04adf66d35b0057de8ed5869045ae16d11040ea15d513dc1d513d049d138cfea809b54ebc8c6bba442cc896dc6ae7a7269

  • SSDEEP

    3072:KYt8BdoraghZS2/iKM42om06agGR6VYOVjN/xHO07lSaWeyZhc3+:Ktd2nPvq7vfS6VNVjNJHJ7lSaWemc+

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d21245ac065eaacb39d32466e6a987e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d21245ac065eaacb39d32466e6a987e0N.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\SysMax\postgres.exe
      C:\Windows\system32\SysMax\postgres.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\SysWOW64\SysMax\postmaster.exe
        C:\Windows\system32\SysMax\postmaster.exe
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4504

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\SysMax\postmaster.exe

    Filesize

    353KB

    MD5

    d21245ac065eaacb39d32466e6a987e0

    SHA1

    fcddd5f048cb46ee4a4a5dc2da3e7ba9349f92f3

    SHA256

    e3b7f72cad8ce1ab44bf2082a3f0b211790f9cc3757e84053fbda09710b7c587

    SHA512

    454d17a0a6c0b50a89fc354bbea2fc04adf66d35b0057de8ed5869045ae16d11040ea15d513dc1d513d049d138cfea809b54ebc8c6bba442cc896dc6ae7a7269

  • C:\Windows\SysWOW64\maxiapp.log

    Filesize

    12B

    MD5

    1018e086e4c4160e3bb4b056f5074deb

    SHA1

    a0069101835763813a5a02857775022ba7fe4a45

    SHA256

    f94d6d73e2c579e4c007d247731caee8a49e6ac9f19aaf4976263b3c21cf7c25

    SHA512

    210911f8b57d60d9c8d3d2f7c27b59ba4b8cb177887b69a33b5d5aad8207afde164775dac283d2312c32c50850fcf8e0015a45a098d8f1d3fce466969b7e1c20

  • memory/2248-0-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/2248-21-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/2308-22-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

  • memory/4504-23-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB