
Analysis

  • max time kernel
    87s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/09/2024, 10:38

General

  • Target

    CRforVS13SP29_0-10010309.exe

  • Size

    374.6MB

  • MD5

    cf2c10349b9a91c62a71116babcf9524

  • SHA1

    986ce6a9718e2762f385dcf50f9de34a9bd2e498

  • SHA256

    f444a8d3170710a908aceb7f940170027e901334c7283905a8bd316bc54b8835

  • SHA512

    6c642e6f4a3709a72fb7eabb38d8033a0f8442944c2fbb8c3e8eb620833e6aaf0b0b5448e112c49952ae379373432c5241415faf61e20acf9b2b9b43a9dae630

  • SSDEEP

    6291456:jiWTNdWXEbLnxByxO+aE3F8fZB+3I2TXnu8YyAzrzsnlYAI770omn0FHBxoRA0wM:OWTNdWcxcxh3FQN27nunzsnCXG0FhxoP

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)
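The signature names above are labels the sandbox attaches to low-level events. As an added example (illustrative code, not tria.ge's rule set), here is a small matcher that turns a trace of registry and API calls into the same signature names, with the IoC count and the per-process grouping the Processes section shows. The registry keys and API names are the standard Win32 locations for geography, locale, drive and certificate-store lookups; that these are exactly what the sandbox keys on, and the event trace itself, are assumptions, since the report lists signatures rather than triggers.

```python
import re
from collections import defaultdict

# Signature -> list of (API-name regex, target regex).  The key paths and API
# names are standard Win32 locations; that the sandbox keys on exactly these
# is an assumption (the report lists the signatures, not their triggers).
RULES = {
    "Checks computer location settings": [
        (r"^Reg(Query|Get)Value", r"\\Control Panel\\International\\Geo\\Nation$"),
        (r"^GetUserGeoID$", r""),
    ],
    "System Location Discovery: System Language Discovery": [
        (r"^(GetUserDefaultUILanguage|GetSystemDefaultLCID|GetLocaleInfo(Ex)?W?)$", r""),
        (r"^Reg(Query|Get)Value", r"\\Control Panel\\International\\LocaleName$"),
    ],
    # Root path of any drive other than the default C: (report wording).
    "Enumerates connected drives": [
        (r"^(GetDriveType|GetVolumeInformation)W?$", r"^[ABD-Z]:\\$"),
    ],
    # A write of a certificate Blob under a system store, keyed by a
    # 40-hex-character SHA-1 thumbprint.
    "Modifies system certificate store": [
        (r"^RegSetValue",
         r"\\SystemCertificates\\[^\\]+\\Certificates\\[0-9A-Fa-f]{40}\\Blob$"),
    ],
}


def match_signatures(events):
    """events: iterable of (pid, api, target).  Returns {signature: [event, ...]}
    so the caller sees the IoCs behind each signature, as the report counts them."""
    hits = defaultdict(list)
    for pid, api, target in events:
        for sig, patterns in RULES.items():
            if any(re.search(a, api) and re.search(t, target) for a, t in patterns):
                hits[sig].append((pid, api, target))
    return dict(hits)


def signatures_by_pid(hits):
    """Regroup hits the way the Processes section shows them: {pid: [signature, ...]}."""
    per_pid = defaultdict(set)
    for sig, events in hits.items():
        for pid, _, _ in events:
            per_pid[pid].add(sig)
    return {pid: sorted(sigs) for pid, sigs in per_pid.items()}


# Constructed event trace (not taken from the sandbox); PIDs mirror the report's tree.
SAMPLE_EVENTS = [
    (3636, "RegQueryValueExW", "HKCU\\Control Panel\\International\\Geo\\Nation"),
    (3636, "GetUserDefaultUILanguage", ""),
    (3212, "GetDriveTypeW", "C:\\"),   # default drive: deliberately not flagged
    (3212, "GetDriveTypeW", "D:\\"),
    (3212, "GetDriveTypeW", "E:\\"),
    (3212, "RegSetValueExW",
     "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\"
     "0123456789ABCDEF0123456789ABCDEF01234567\\Blob"),
    (3212, "CreateFileW", "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\setup.ini"),
]

if __name__ == "__main__":
    hits = match_signatures(SAMPLE_EVENTS)
    for sig, events in hits.items():
        print(f"{sig} ({len(events)} IoCs)")
    print(signatures_by_pid(hits))
```

Two things the grouping makes visible: the C: root is excluded on purpose, matching the report's "other than the default C: drive" wording, and the certificate-store rule fires on a write of a Blob value under a thumbprint, which is how a store modification looks in the registry whether the writer is malware or an installer adding a vendor certificate. The signature alone does not distinguish the two; the Blob contents and the signer of the dropping binary do.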

Processes

  • C:\Users\Admin\AppData\Local\Temp\CRforVS13SP29_0-10010309.exe
    "C:\Users\Admin\AppData\Local\Temp\CRforVS13SP29_0-10010309.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3212
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0E0A59FABE0D3C6031395E4E5D240A35 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSIBCA9.tmp

    Filesize

    3.4MB

    MD5

    a5e62eb88f1ff6bfc0649415e203bdb6

    SHA1

    befdd15ed57f19013d355dfa3908981f5062c2ec

    SHA256

    e694fbbd7b691674d25c71da30f36dec52e06d0542baa5bdbc3c5b7b696a7934

    SHA512

    20f4e1177b9a0e2850c8cdb79a4f34f2f89aa507ae59bed651c2a971074e436b6bf4935affae431d4a19c1e4d516cb3d7f6c9a6627695106b5ce567819f749d6

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\package\1033.mst

    Filesize

    268KB

    MD5

    23cde22035b62b6e9c87fa2bfa1ca7d4

    SHA1

    21eae83940e30b0f4623efc58ac0fa37528f7275

    SHA256

    330d514ca2d6a93a2bf122dc71b47fb2301aa01695441f2a937a8f66fbf84e42

    SHA512

    45de290f746d7a96a701764dc0b2d0fc68cb168246ed87b836f3a80618dd09b9ff8abf56445386d08367cd2e0e53f3a9af381fff1870d859ebca64e4f2f82cb4

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\package\1036.mst

    Filesize

    300KB

    MD5

    e7a748b2e9b5e68f457edc2415af944d

    SHA1

    51556df613ad54684e40b8e83d5dbc4e63424cc2

    SHA256

    b0178beeba6020ab0720d2362460afb7680906f5281e53682ec98ad40748ae9e

    SHA512

    e7c6e650274108feda9ee13a50649a91060c4288fb89e64e5d5f51c58506d05125cab97a926b77ccdb762bac4bdff7c88f9a3f86c8cd88b52b6baf3e0c9a3cc1

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

    Filesize

    3.4MB

    MD5

    5b45fb825b3ee4370ab066813002e86b

    SHA1

    1ac63aad11dd26db7dcb1524695dd50cf63f0334

    SHA256

    6b7b104341585703ba1a4ac025ea2c7aa591ec79467270b322e5e9d9f0419d99

    SHA512

    0a1a7e12740f5170a1a2ba3eac3e9ab74f0b32761898f15195bd007279fc9da125f80c99284d4f54cf6a1c9b09d27f5ed7fae94b185560633168d9d9204c52e0

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.ini

    Filesize

    230B

    MD5

    e495d03378fb39b980228abae1c880f5

    SHA1

    50fe165b6fe0cee012bea4fe92120116a8596fc4

    SHA256

    cb9b4b4c065f75ea1c61baaecb14afebd1810b38bf84834980f95ccf71f7c78e

    SHA512

    cce1fd439494de0c1463c31f7fe3a2d60f3f7a5c016fa3af1fbb319cf64b79534c4633fd613572dd0cd91d653073ccefc7b36bb3c5f87a502777245cf910c30e

  • memory/3636-264-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/3636-375-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB
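Before acting on the General section's hashes or on the Downloads list above, confirm that the file you hold is the same bytes the sandbox ran. The behaviours flagged in this report (an SFX unpacking setup.exe, msiexec applying .mst transforms, writes to the certificate store) are also what a benign installer does, so the identity of the sample is the first thing to pin down. The following is an added example, not part of the report or of any tria.ge tooling: it streams a file through the four digests the report lists and returns any mismatch against values copied from the report. The local file paths are the caller's input, and SSDEEP is left out because it is a fuzzy hash that hashlib cannot compute.

```python
import hashlib
import io
import sys

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(fh, chunk_size=1 << 20):
    """Read a binary stream once and return all four hex digests.  Streaming
    matters here: the target is a 374.6 MB executable."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Same digests for an in-memory buffer (used for small dropped files and tests)."""
    return digest_stream(io.BytesIO(data))


def compare(actual, expected):
    """expected: {algorithm: hex} copied from the report.  Returns the mismatching
    algorithms as {name: (expected, actual)}; {} means every listed digest matches."""
    return {name: (exp.lower(), actual[name])
            for name, exp in expected.items()
            if name in actual and exp.lower() != actual[name]}


def verify_file(path, expected):
    with open(path, "rb") as fh:
        return compare(digest_stream(fh), expected)


# Digests copied from the report (General section and Downloads list).
REPORT_DIGESTS = {
    "CRforVS13SP29_0-10010309.exe": {
        "md5": "cf2c10349b9a91c62a71116babcf9524",
        "sha1": "986ce6a9718e2762f385dcf50f9de34a9bd2e498",
        "sha256": "f444a8d3170710a908aceb7f940170027e901334c7283905a8bd316bc54b8835",
        "sha512": "6c642e6f4a3709a72fb7eabb38d8033a0f8442944c2fbb8c3e8eb620833e6aaf"
                  "0b0b5448e112c49952ae379373432c5241415faf61e20acf9b2b9b43a9dae630",
    },
    "RarSFX0/setup.exe": {
        "sha256": "6b7b104341585703ba1a4ac025ea2c7aa591ec79467270b322e5e9d9f0419d99",
    },
    "RarSFX0/package/1033.mst": {
        "sha256": "330d514ca2d6a93a2bf122dc71b47fb2301aa01695441f2a937a8f66fbf84e42",
    },
}

if __name__ == "__main__":
    # usage: python verify_sample.py <local file> <name as listed in REPORT_DIGESTS>
    path, name = sys.argv[1], sys.argv[2]
    bad = verify_file(path, REPORT_DIGESTS[name])
    print(f"{path}: {'matches report' if not bad else 'MISMATCH ' + repr(bad)}")
    sys.exit(1 if bad else 0)
```

A match on SHA-256 alone is sufficient to tie the file to this report; MD5 and SHA-1 are kept only because other sources (AV vendor pages, older feeds) still index by them. If the target matches but a dropped file does not, the installer unpacked something different on your system than in the sandbox, which is itself worth investigating.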