Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0b84008fd4...bN.exe

windows7-x64

10

0b84008fd4...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10/10/2024, 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b84008fd4237fdd2a952ba968aec2b0e429801cbab4a016ee32db6e4eeb283bN.exe

  • Size

    1.8MB

  • MD5

    8ae84d125b4d3cca4b310a9f519747a0

  • SHA1

    9f28f6eecb9ce84bd918f22c9af5f6e102ef6e57

  • SHA256

    0b84008fd4237fdd2a952ba968aec2b0e429801cbab4a016ee32db6e4eeb283b

  • SHA512

    15268db416f0bcc2512f7f62d95903ea559f8e2fe697adcfc05067a03453d1b3c748040882010ed565bda1ee6f2fad92c1c24a88c369ed81ccfc776236f40d49

  • SSDEEP

    24576:bMbXdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4oMaop0P:bMhbTChxKCnFnQXBbrtgb/iQvu0UHOaE

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 27 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b84008fd4237fdd2a952ba968aec2b0e429801cbab4a016ee32db6e4eeb283bN.exe
    "C:\Users\Admin\AppData\Local\Temp\0b84008fd4237fdd2a952ba968aec2b0e429801cbab4a016ee32db6e4eeb283bN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Users\Admin\AppData\Local\Temp\@AE784B.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\@AE784B.tmp.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2224
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2220
          • C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2232
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2580
      • C:\Users\Admin\AppData\Local\Temp\0b84008fd4237fdd2a952ba968aec2b0e429801cbab4a016ee32db6e4eeb283bN.exe
        "C:\Users\Admin\AppData\Local\Temp\0b84008fd4237fdd2a952ba968aec2b0e429801cbab4a016ee32db6e4eeb283bN.exe"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:2760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0b84008fd4237fdd2a952ba968aec2b0e429801cbab4a016ee32db6e4eeb283bN.exe
    Filesize

    98KB

    MD5

    bc1632e3622b50f0c3229eab9f9887d9

    SHA1

    bad1291ae3c33bfed2288b3ea4a30d6c52dc7d02

    SHA256

    4be220fe98d5e6743e8031292df3bfddd9d32f1600ef5c8854b4f90bdb19ef05

    SHA512

    3df7c3cef642fddad2a7e2be2a7fb8ee7690493ae299f7222aa5375fbcbe7289a20dab645d498a06024f86bfa8a98b99fb122bdaddfe7cd080b717496b0e6d9e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp7B96.tmp
    Filesize

    1.0MB

    MD5

    df2c63605573c2398d796370c11cb26c

    SHA1

    efba97e2184ba3941edb008fcc61d8873b2b1653

    SHA256

    07ffcde2097d0af67464907fec6a4079b92da11583013bae7d3313fa32312fe8

    SHA512

    d9726e33fcfa96415cc906bdb1b0e53eba674eaf30ed77d41d245c1c59aa53e222246f691d82fa3a45f049fbf23d441768f9da21370e489232770ad5ae91d32f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat
    Filesize

    129B

    MD5

    d1073c9b34d1bbd570928734aacff6a5

    SHA1

    78714e24e88d50e0da8da9d303bec65b2ee6d903

    SHA256

    b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

    SHA512

    4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat
    Filesize

    196B

    MD5

    237abb5bd9d8cdb8a7bc3749181f4aaa

    SHA1

    2d5cc9ac022c7bda30235f240847896cee9266a9

    SHA256

    d82acb8439ce0ab114700c7647ea4f5ed816d1dbad6308d023ed050ffbaef061

    SHA512

    50c00c6f4c6b763aa0deefa18e46ccbd714735043a9f2f7ab16e12419ffd703427781909a37a8290f029aee452dd7b167b0efdd75d51d27530f9f5fac0563944

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@AE784B.tmp.exe
    Filesize

    1.7MB

    MD5

    1ff1843e6a7eead8d84d5782d8be0a8c

    SHA1

    49056c9a4c7deac17948549a76456011efc5447b

    SHA256

    3629d15c90e8c7b0b2b127b1dcc5da9ae5e0458804468406e5816db165d745cc

    SHA512

    a0c21b5f288a4ca935960260217890491bae9625e0fabc1040cf4aa5d53971bd0d87f171df0866b28db4e478ca37b322c034fbc36501452c94f3a4a4be57079b

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
    Filesize

    1.7MB

    MD5

    c4cd9abdd1829b9e54886aa1bec9fc8b

    SHA1

    6d3c2a02924d31126a5189a2957edf238111c624

    SHA256

    84d298402b5591f447ffd64c8ae8ec4e50306ae816f7ab869b1b9a6c4989950d

    SHA512

    134fb86aa6ddb5f1ed103e4f916049ef1787c9a9d4bdfd1d0b3db0ebe7be929b817013bf5d72918983b6b30f41406568dddbe16e5a78755730a02ac6001f90b4

    Download Submit

  • \Users\Admin\AppData\Roaming\Temp\mydll.dll
    Filesize

    202KB

    MD5

    7ff15a4f092cd4a96055ba69f903e3e9

    SHA1

    a3d338a38c2b92f95129814973f59446668402a8

    SHA256

    1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

    SHA512

    4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

    Download Submit

  • memory/2224-11-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

    Download