Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

856c3df794...eN.exe

windows7-x64

10

856c3df794...eN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    30/11/2024, 05:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    856c3df7946ae567388eb3ed1612e4b2e17003ce6d140515f3f0ae7f554b4c7eN.exe

  • Size

    37KB

  • MD5

    47dcb0f1b08280a3a86de547be9e61a0

  • SHA1

    91fc0d6001de4442200fd844d97ad1742ef8ab5c

  • SHA256

    856c3df7946ae567388eb3ed1612e4b2e17003ce6d140515f3f0ae7f554b4c7e

  • SHA512

    767c1e78d1c2670a35cdd2b0389bd0971af22b62d01b8c29c99114815da5e595f5938ee6333f401bc820bfdbb50907916d37e575baf9a83a14afc9a13cb56e41

  • SSDEEP

    768:sIUomGz54SKEv7DltPkvgpREnOZGwXNiOA9uce7ezbB2ZLo5f1zRHf7CLQw53AIY:saKvEbPkvgAZCNQQceUl

Score
10/10
defense_evasiondiscoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

    defense_evasion
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 17 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:428
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1208
        • C:\Users\Admin\AppData\Local\Temp\856c3df7946ae567388eb3ed1612e4b2e17003ce6d140515f3f0ae7f554b4c7eN.exe
          "C:\Users\Admin\AppData\Local\Temp\856c3df7946ae567388eb3ed1612e4b2e17003ce6d140515f3f0ae7f554b4c7eN.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Windows\SysWOW64\oukgoavax-eanac.exe
            "C:\Windows\SysWOW64\oukgoavax-eanac.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2608
            • C:\Windows\SysWOW64\oukgoavax-eanac.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2004

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\easmeaboah-oxoas.exe
        Filesize

        38KB

        MD5

        0d67c89d81fc385ec6fcadc72c6a9896

        SHA1

        e518825f9bd0c76f8a9f4b7718cf818177c4c511

        SHA256

        9e2bb1d02e2104a0fc33b564f6cd103326806ea08b49d1d431f1103a7afb2696

        SHA512

        95e695ea0dfa441ef80f124e5b2abbe28f6a9470f6fcdf43b5fcf85ee851e1a6839260abfb067b3ca845b63b3c0e228b9ff7da2e792cbc2df4b2d940b5d9e022

        Download Submit

      • C:\Windows\SysWOW64\igsoarir.exe
        Filesize

        37KB

        MD5

        2a548c6d967318880ae061b46a14dff8

        SHA1

        9f6fb81825675fb13bdfbfc1236c4d516f9222c3

        SHA256

        196ca8046bfe869d54d83a7f4c6e4f801738c6450a40db25582c6f9b34987d94

        SHA512

        4f9a57fd0a38e4561147fd034d526fa0c40df07fddd2ef40f9fb414888bbe7c118937279c54e3b4545b91d904a360fa1440e227d23f6688257d00cbf375ff8bb

        Download Submit

      • C:\Windows\SysWOW64\omdoanoom.dll
        Filesize

        5KB

        MD5

        c8521a5fdd1c9387d536f599d850b195

        SHA1

        a543080665107b7e32bcc1ed19dbfbc1d2931356

        SHA256

        fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5

        SHA512

        541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd

        Download Submit

      • C:\Windows\SysWOW64\oukgoavax-eanac.exe
        Filesize

        35KB

        MD5

        6f1dc9dab8d0b1a50722ad2b06e8c709

        SHA1

        3ecf189ba842f00048b25fed9168f2e65b33c15e

        SHA256

        9e91d4c1993fd5f26eefb6cb7420e6cc01b4f4e0427fe560047853e03abf516c

        SHA512

        29bf5ee93add72e69c888d0fac8c500d257f88b6d8b088de539b104251230cbd90bf0582a43d5ac6b4486a958e2bf143040d3abb863e69e3dae1a0f10de4b4c8

        Download Submit

      • memory/2004-23-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2004-53-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2604-8-0x0000000000020000-0x0000000000037000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2604-7-0x0000000000400000-0x0000000000403000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2608-10-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2608-22-0x0000000000320000-0x0000000000337000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2608-45-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2608-49-0x0000000000320000-0x0000000000337000-memory.dmp

        Filesize

        92KB

        Download