Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2706e6516e...75.exe

windows7-x64

7

2706e6516e...75.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/02/2025, 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe

  • Size

    772KB

  • MD5

    11efce84e0a22a7cf2cc37e4d70b9d12

  • SHA1

    fdf14b95fe44f020456008604cd31536e423b72b

  • SHA256

    2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475

  • SHA512

    a3ff129fc550c5bc126984d14f0c7cbea78b466636be8608004a30a22d5d179d2e52301015b3e7d9df6fe3455fa7c27fc863e927f1fda4e00b90bee7482c8c15

  • SSDEEP

    12288:gmhjJdUlzn3DSudvsh8Awf3XFaZmBITVJPtSrE37yG2LmxCiZ:Xh1alj3DSudvGM3MXTVhtSQWGtx3Z

Score
7/10
discoveryupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 8 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe
    "C:\Users\Admin\AppData\Local\Temp\2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Local\Temp\quymtwmnbe.exe
      "C:\Users\Admin\AppData\Local\Temp\quymtwmnbe.exe" "C:\Users\Admin\AppData\Local\Temp\wondswvbja.exe" "C:\Users\Admin\AppData\Local\Temp\2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Users\Admin\AppData\Local\Temp\2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe
        "C:\Users\Admin\AppData\Local\Temp\2706e6516e6f2096e97947c061554a30c15df25b323f8d8ef26a83498d16d475.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2392
    • C:\Users\Admin\AppData\Local\Temp\dddnutzwcp.exe
      C:\Users\Admin\AppData\Local\Temp\dddnutzwcp.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\System32\cmd.exe
        /c sc config msdtc obj= LocalSystem
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\system32\sc.exe
          sc config msdtc obj= LocalSystem
          4⤵
          • Launches sc.exe
          PID:1808
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TXBOlLz7.bat"
        3⤵
          PID:4816
        • C:\Windows\System32\bindsvc.exe
          "C:\Windows\System32\bindsvc.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3852
    • C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\SearchIndexer.exe /Embedding
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        2⤵
        • Modifies data under HKEY_USERS
        PID:5068
      • C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
        2⤵
        • Modifies data under HKEY_USERS
        PID:3960

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TXBOlLz7.bat
      Filesize

      196B

      MD5

      4298493ebabee3c8a66b36b7a2902504

      SHA1

      cf3672d95aa1557e9a2ac608b5bb5ec1c79d8661

      SHA256

      198ff0deb0fefdd627e1e0bb0691a2aa216f7f7b46a52fdd8939efdc34860ad9

      SHA512

      998d87f7e24967bbbc49f66e23e98d8956fa229bea74bcfc11c9022cf929e92eb988abfe410cc1b514f0ae716fa134aada4c9501b9eaa58fe3a51c7a16b2c7f6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dddnutzwcp.exe
      Filesize

      580KB

      MD5

      2c2029588ad8b86759c17b7ae885ee03

      SHA1

      91653b5344d4c210201218e2f215dd5228d76799

      SHA256

      3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290

      SHA512

      88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\quymtwmnbe.exe
      Filesize

      51KB

      MD5

      e48b89715bf5e4c55eb5a1fed67865d9

      SHA1

      89a287da39e14b02cdc284eb287549462346d724

      SHA256

      c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e

      SHA512

      4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\wondswvbja.exe
      Filesize

      65KB

      MD5

      f13ec8a783e0cb0d6dc26a3ca848b7b8

      SHA1

      6107fb5303a7a886f6f2674fb73c543696779dac

      SHA256

      0809e3b71709f1343086eeb6c820543c1a7119e74eef8ac1aee1f81093abec66

      SHA512

      d6d060ff085e3d51b90c913a016ffee9c0266ab2a3a8113abd30d1d9e876652078d9980b1d3a37d8f70c2407c4434df4f64b5c6a6f111b910bb7bf7a4e36f579

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\trnmg.sdb
      Filesize

      1KB

      MD5

      a089fecc62ba2a0f061b36018aa866b8

      SHA1

      30a0298b0729f4cd475eb33b4c4dad228ed34a0e

      SHA256

      9830a0d1d8598abd80e58d60402e883e34f28f8b5c9355c22d4739195fecd9f3

      SHA512

      4ce2a9aad660c6a120e5a11eff97ce80f702b0447c391f039d4c4338fabcfc928c89f271a00daa941c6036a9ffe7f41180bb714b48cf79a19c26bf9f436c4ebf

      Download Submit

    • C:\Windows\System32\bindsvc.exe
      Filesize

      291KB

      MD5

      7c5b397fb54d5aa06bd2a6fb99c62fee

      SHA1

      a9e0bf7bbabf6ab9e294156985537ae972ebd743

      SHA256

      d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee

      SHA512

      daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c

      Download Submit

    • memory/2884-14-0x0000000000690000-0x000000000080A000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2884-177-0x0000000000690000-0x000000000080A000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2884-168-0x0000000000690000-0x000000000080A000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3960-82-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-90-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-74-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-73-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-72-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-75-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-77-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-79-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-80-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-83-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-84-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-70-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-81-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-78-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-76-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-85-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-86-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-71-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-89-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-88-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-87-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-98-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-97-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-96-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-95-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-94-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-93-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-92-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-91-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3960-69-0x0000022A83D40000-0x0000022A83D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4332-55-0x0000028590A90000-0x0000028590A98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4332-53-0x00000285908A0000-0x00000285908A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4332-21-0x000002858C2D0000-0x000002858C2E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4332-37-0x000002858C4F0000-0x000002858C500000-memory.dmp

      Filesize

      64KB

      Download