Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

7

cf30a65b6b...a5.exe

windows7-x64

8

cf30a65b6b...a5.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15/09/2024, 01:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf30a65b6be9b46075d3736d9214ffa593aa92ae9fbf9048c57bbc43820abba5.exe

  • Size

    232KB

  • MD5

    166772cdee46493833ac6a6df1bcf7e4

  • SHA1

    edba91c6fc5474a373182c02173c67b0f508b4f6

  • SHA256

    cf30a65b6be9b46075d3736d9214ffa593aa92ae9fbf9048c57bbc43820abba5

  • SHA512

    623911f1b2975b3eaf35493e6ad9f29150e969480bf12878853a2daae2506e19bb536bcbd6e8b299577f0c25ca539cf0f4375e34eea110974b21060fb932022a

  • SSDEEP

    3072:R1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:ji/NjO5xbg/CSUFLTwMjs6oi/N+O7

Score
8/10
defense_evasiondiscoverypersistenceupx

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
    defense_evasion
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf30a65b6be9b46075d3736d9214ffa593aa92ae9fbf9048c57bbc43820abba5.exe
    "C:\Users\Admin\AppData\Local\Temp\cf30a65b6be9b46075d3736d9214ffa593aa92ae9fbf9048c57bbc43820abba5.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1464 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1972
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2800
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2592
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2932
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2844
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2760
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\WINDOWS\windows.exe"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "c:\system.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e912f3b895738b846d53a9b78637829d

    SHA1

    6645f1ee952f0267e726772e880bee5c5cd68d6b

    SHA256

    8a2bdbc85f6ca3219261dc82b9d98749de11433d2c7c3b29790f6b9cb77a2056

    SHA512

    a2106ca2291849951b5410bbd8b014d0337957cb481e05520c7d7f02f3e543a04f8629794e4d4335d8fd6efc826db589d9180c50367382bd6ea668465cfd58dd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f9fed8f07a09680454e5aa9b594a969a

    SHA1

    56047392e2355502911f489c60b0ae4428f2dc60

    SHA256

    7cb0adfefcac782a8e0c3c6f3704a372d1906d2a34d3babdfdd3a38ef5e54b81

    SHA512

    e2428d809a1584079fea16204210debca62bce23ca1846afc71247159bc2c7cf81d704b50fd99b095363eed4e32fc62bb0290ac9a8f6056eb6de156faba0b07a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0d890468f58d94937f778c220caa4610

    SHA1

    e9ffc5fce6e69d4c59f90b1b4efcfb6f97a5144e

    SHA256

    18d98704aed99dfe11d8b995d8affa04f653657019189df306c61d8b904b60fb

    SHA512

    dd0202fc09830c73998cf70e48667f2e9fdfccaa491f778ecf7fc05beeee5aef3bcc02aefd8ac0934f779d026ac8147fadf442f3d2b167c2122efbd85f148b5e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8a5372f0ea8153ce67be6067a0d86224

    SHA1

    01638ad1deca020338cb99cb888ea314fcb573b5

    SHA256

    fdacd8e383d70c544d5b25bcd42b435e6470d8f67d828d54ab4f8d545e514191

    SHA512

    2398fad0ea86a2ccfa53c2f4e392943a46ad6fb6533c848f733ecda8c4707c7b08c66778d6c0bd48eba189542b6cf239b2da19e00395da0b1a5b858b85f64aaf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    3831865d52221028266673d11c08a762

    SHA1

    23d65e021ade3ed6b9ccd1a6d5341bff39273a84

    SHA256

    0e927f846b7b03ac2f0d4db539751c88c4a452d4dfa003c04db72e47f296ad57

    SHA512

    c91d7a17e3c7d74c7a0eb3aae2cebea2e1da680f7cc08709887f620039ff4b87c01075666e356329c56f9d1e06fa6bd8fc5705acd426a1df5dd992b6c5a0f288

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e7a3fd07aac317f0ec6a4d86791aa801

    SHA1

    905ff313e89b599712032d978deba00c90d4f383

    SHA256

    3bc4c6b1e235b696f7053b7863944ae633b27e14415d878008b6f1cee47697d3

    SHA512

    2e26cb9010533b144c71ae4163463a29aa3b5b41b0abd628e46a4f0e339f43ae87ed06d13d37d5f491a6c99e8cc7fe97f06116692e0bad7ca833ebd569dc7ba2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    df54c0e8772c6d451244aee34c5703a4

    SHA1

    c93a8f7e454445aa039759baea8b50b2c6542902

    SHA256

    38a32049d18243b80421ac53dae9df6350fb546c4841441acb86402a8e1182c9

    SHA512

    fabcd7a8e96e105680a2de4b982c2d474c4c738bcfa79216a4bf8da7a27d79a882251331c4a2d476315b19704140a5638d4bf83d6a3fd9be4d7da7153c1b97a6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7b57d5f3645963ae9c5004e97b367760

    SHA1

    9b22c65af6a1727219eaed08031436a3ad8e24dd

    SHA256

    f4983f07d6bd2f733dd4df29c562dd4f2a5b19c63eb6a112af35ac01360ccef6

    SHA512

    1c86feaf1f6f448434252561d189b21badb242e5cb700f9856b951a191856e1880e19573ac37a45ce2170ce53ad682e92936df12c1980dfa8fe89cccb6e4d105

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c9e9397956c14a6f61b747e35ed0aae3

    SHA1

    fb518918e9763efe0b96483044639db961ffcd0e

    SHA256

    7cee8c105e7d9757567c46aa45849ac0da6fd2040faf3476e6f21cc8d3b1afed

    SHA512

    d3f0575c0796470fdc8c44df7991b350483e747d6fcf32bf36d170eff78a83d3fb12cacad786a992628c2c0f60fd0b91e4e96defc7e4efb23b043058fabdb64f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ed4651ca1f375c0ea53b0a1cd481d3a9

    SHA1

    0124f7a31b99ddef62aba2d6386eb75f014749f8

    SHA256

    a2f134e8a5a63f2e233fab792e19eb04a599a32a6f3979113600c2dd64ea63b8

    SHA512

    7cc99195288749bae403f6de62affff2aafcbeadf5f193c96899d15648d3d6d3c3dfc215b91101e56622769e3c94a266d7f6899d561e7e86154f144ff6e190b4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5d98c08754b2ed4b4f83b22b9d28bbd8

    SHA1

    a4809f492d346789240deff62d92336e149338b5

    SHA256

    05d4b3d552394c3e736089d237cc2f0b876508861e3bb699fe7a37594ea6c136

    SHA512

    399bf1573a10cb22abe5cfb01a30f56d14ffa5c5b2dcd7fae9fb1b0f17f8228f14c335479df6012ad88aeb4f694ce57fbf913f66809a212d82b0d8d236d5083b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8d72af061d37a5eadc3aa08245c5e526

    SHA1

    0be621a4bec03b8eb9b50c2e21793aa34e4f6bf2

    SHA256

    19aace1695493a19609bb618ea0b987674ccee41d29a38274f84ed82761e80d1

    SHA512

    6d0e813637a9009f0d77c6e7b292c0d7cf2492a6f6a0928920858ffed54399f5c81cef009832338edb77858c0c7b2983e3454b2138640f3bdaa65412c270cb28

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    19ba43d3dbe94a827f1ef98aa7bcbf8e

    SHA1

    5f591ae5b61f3c1c54c618f180646eb54c28e9e6

    SHA256

    2edd5b760353c112d79941071c669b53068491301909d61b9329ad069483f932

    SHA512

    7733185e2b8cfa1d46e6e13ff5e92fe37130509fadd92d21ff361c8fc0402c7040a3c28eaa81475e4f77ec2a3efbccc882a9c807e9a3fe43028b11c3dc0f55dc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    920c6d100415911da8bfed83aa0e38b1

    SHA1

    ea716802c3da8513587aebe15e3c4f1f2225fe31

    SHA256

    5c396eeee82f85910d4e686806a3cdf19bc92f2e5e0ea850ac84c78fc0aeb08c

    SHA512

    8bac041b7338ff949dce3ba0b66d91628309e20b5c0906c6e60f4c6c6b0b11c8b84e28967b34c27ac07fd608516e5c41d02fbdb44f4b1244a4cb0901117b286e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    40c13c74f70384d494ca8c46329ae726

    SHA1

    067ea95b7e523d4a6ffdcca77f4af3de02e4dd33

    SHA256

    ac4cd2f921ff9a2938001a267cec9ccf37cecca7c5077596392c7fe8a64a67ed

    SHA512

    d7febf269a62f5deda3da939e35c611c00c3ea1a70e9e1aa83db5d89ae53934be9bf2b135a14318c94c7ae397379ab0cb3bf5ee1b1f9cddb46698456a87afd2d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7783e494975623e50a3c882361379f6e

    SHA1

    6892a03fcd1f9bbab29fcffc9f998942a8979d14

    SHA256

    ff075d9334a03691d95203bc985fc0a7d14b7324f421eaa0476aa946eaa1a71e

    SHA512

    42c9271a8ce89fdc130fa2d60856d29cbef15300a980c46f91c4e229d26e7765942622eb6358465a45eabf932773652e806d6a6acf67885679a8cdc5b17ea754

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1655f033d25b1030aeb8733cefa512df

    SHA1

    af8f6b1e2d5113756a5c3d59389498bd2379293f

    SHA256

    e98b5d9820c82e561ee4ddfe1ecd00160070b32015ce196bbfbbcc32be826e97

    SHA512

    2a3e9ed37ee2bd0042b40771cae83c7e4d7b1b6b5cc5c00396d68b13bf552aeef5a5a624135b4c42f3fabdc1eea0a756c751074b2af8640bcdefcb8186415095

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1ce305f44c4096cdef3c8c90a41be410

    SHA1

    e88f4b6a49c3e0c804329e1d1a7e7177119d508f

    SHA256

    e652ad5ea0a47dc2b37b77edfe984d97cf683815effdc4509ee9fb456d8fe1f9

    SHA512

    cd5abf8941f9d01984bb0ea516f19d269b6f838b2d95654f49a61743ad8cbb8d6038cb6d77426281c22d4fed04ebfdfe9adeaca8d02cb6831af196a69f77c84f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b327fd36034d1229878bf0781e8b32ff

    SHA1

    ede326097a52a8f50f0dfe4f3ccf49c1f7a58e6d

    SHA256

    906d1e4a5b7c7645119a8a65014ed9fd6accf0ca5e111153414b3d11925db790

    SHA512

    1bb76c6077e9fb03770869ba6c9b06ce96c6df9f909e1ddcdc254e65bd62a1494aaca7f72cfdde114d179616192f160f06a9e46fe73dd2b3442e26a019690209

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabE8AB.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarE94C.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\WINDOWS\windows.exe
    Filesize

    232KB

    MD5

    7dfd691fbca6246510775a7223554df3

    SHA1

    13944bf4061c3fa7aa612afd146cbe2c30369b31

    SHA256

    0d9a28a67106741e0bd40c3959ef493b3c90a79c067a02861f661ee7ab7e44f7

    SHA512

    d80ceac805bd3c6cf8591a9640402aa80dc521e1602a3ed9bb01e6e2d029e4a67699b1df5ad423b86ddec71ed167343c6a7b62afec56cd4c6b918a6d934dcfce

    Download Submit

  • C:\system.exe
    Filesize

    232KB

    MD5

    8f00a473446cfdee2da94f4cd68b8117

    SHA1

    5621c649cea8327e066062379d47eb00e05a68a8

    SHA256

    9950b49dce365c2e80980affdd35f81167c7b104b25664febb07a09a405f2d3f

    SHA512

    27b4685a478296984a0f47bf9077848e53eb17b984213576308e5719cb9257462a8eaba4d17307871b98c5601ac788968c9fab1f6f90f49b5d0059856874f9d5

    Download Submit

  • memory/2484-16-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2484-0-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download