Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/11/2024, 21:21 UTC

General

  • Target

    TT18.exe

  • Size

    12KB

  • MD5

    ceb5022b92f0429137dc0fb67371e901

  • SHA1

    999932b537591401dfa1a74df00dae99264bd994

  • SHA256

    8d2f2dce701f8dc555e74b53bfaf7a1337027adc7fadc094b2eba3bb5b688f1b

  • SHA512

    a7acdf417ef81f131c050bc8bd364edddf7a2ebc446c69411d549c14ca8967af7b8c8a2d4556018f148d1b57bc985e10104cdc72e2bed518cfe3280b0254a3d8

  • SSDEEP

    192:knUbCDQoJq4Hb0jPuiJddudb7Z+XX1cNIQKXy+AFtaffEOsSRMWSVP1W58:kg3MGWimFNIQKX4Fgf8OxRBSVU

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TT18.exe
    "C:\Users\Admin\AppData\Local\Temp\TT18.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\GZmTiolcH4'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\GZmTiolcH4
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2440
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Windows
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2620
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3036
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1276
      2⤵
      • Program crash
      PID:1388

Network

  • DNS lookup by TT18.exe
    Remote address: 8.8.8.8:53
    Request: github.com IN A
    Response: github.com IN A 20.26.156.215
  • 20.26.156.215:443
    github.com
    tls
    TT18.exe
    344 B
    179 B
    5
    4
  • 8.8.8.8:53
    github.com
    dns
    TT18.exe
    56 B
    72 B
    1
    1

    DNS Request

    github.com

    DNS Response

    20.26.156.215

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    3a57d47985ccb511c32c8d719c8120cb

    SHA1

    e1d10f98552940acb832ca33530f15f7e60f700e

    SHA256

    9270bc285891b797c99b6cf6abc84a3a32419e31c9ebbe7423d5c50f1498284d

    SHA512

    505446a28a937524bfd210c45615a01b8f0aee4cfb8ad908dc274700c2dc57ef5d321dc2a16c31f66ca46664ba10817c7f4123825cbd8817e79cdd2fa5ae85fd

  • memory/1304-1-0x0000000000380000-0x000000000038A000-memory.dmp

    Filesize

    40KB

  • memory/1304-2-0x0000000074DD0000-0x00000000754BE000-memory.dmp

    Filesize

    6.9MB

  • memory/1304-39-0x0000000074DD0000-0x00000000754BE000-memory.dmp

    Filesize

    6.9MB

  • memory/1304-38-0x0000000074DD0000-0x00000000754BE000-memory.dmp

    Filesize

    6.9MB

  • memory/1304-32-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

    Filesize

    4KB

  • memory/1304-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

    Filesize

    4KB

  • memory/2188-8-0x00000000715B0000-0x0000000071B5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2188-15-0x00000000715B0000-0x0000000071B5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2188-9-0x00000000715B0000-0x0000000071B5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2188-7-0x00000000715B0000-0x0000000071B5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2188-6-0x00000000715B0000-0x0000000071B5B000-memory.dmp

    Filesize

    5.7MB

  • memory/2188-5-0x00000000715B1000-0x00000000715B2000-memory.dmp

    Filesize

    4KB
