Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23/09/2022, 13:07
Static task: static1
Behavioral task: behavioral1
Sample: wire_deposito# 00711 23-09-2022_IMG.exe
Resource: win7-20220812-en
General
Target: wire_deposito# 00711 23-09-2022_IMG.exe
Size: 294KB
MD5: ebf3bd44feb646d0113e34451935faec
SHA1: ff2c6c0ceacd9a97c845a1e4056ab7e1c097cf51
SHA256: 3d4bcb3525d58d2270133e0349f8cc3463a2c5b151e8cc7b1580806c6e86fbf8
SHA512: b30b45f6c9b86be224078bd524f45df6db5b4d488ad257743c9ceb869e993e2c1c1296361f29c0279890c32a071950c3678651d5d9a70526cd489f96baaa05e1
SSDEEP: 6144:UL8i9w0XHrJ7Cj3Z3I5shJd78mf9EFV2PsN2sFzVELTlg:ImqF7Mp3IKhJ58mf9E/QOFz8Tlg
Malware Config
Extracted
formbook
dqrv
gBpw3Y4HTb1jiULo0eCNvVa1AUM=
ZrxXzYYGEr9rmw==
WZd0tp8eMltMtoAQ
sTwbDYOvwP/e+cIy7A==
2x9+6pABEr9rmw==
5APZR17a7SLBJ+uLaEHxQVMMVQ==
To5y5LGTop5N9MKIDJI7Rqg=
HmLC9XPWGo8wbVA1OzzbDM4Dgob+z9M=
qU4wemvm5BXKPhm7k4I6bXMpXw==
1/9k1Q9Dz2scN+VeSlk9UKk=
ocWw8L31/TrpUDjjh8hx2g==
ULSzhA6L41v+PzP1wJ5BbXMpXw==
2WPGn5/sP28R
CjKXeM4dKWwZ
219OmV+FktZrolf1zb1esHSEyvduDQ==
O3zrtJsXCr9ekQ==
QakRaQV0wTrlFwfVh8hx2g==
7kG0LMk1hfuox2rTkaJSbXMpXw==
+UQrlVma3UXyhDAA7g==
A4Hkzb/3ubdkJdfXmOw=
Qsael+UDEr9rmw==
oOxFRjFd8q1kg0PEjIk5bXMpXw==
NFrDspXTxv+qMeGuVPqZ
sMemh+bTU9uD6Fj15A==
kqYN9834v3RlP0A=
njYyeHBEs3RlP0A=
6QhlNxNKE/yrnqI48HEpsqWO10dw
kezeEfdyb5OEx3YJ
bvNNNRpX75RBSUz/v/qn88+3gjAQtsWn7A==
2Q5qNzu7j4Q2+9auVPqZ
KH7kVv9t6qNMUf+JY54/s52O10dw
UNfKLvs1Q2MUu3EN+4QzsaWO10dw
EEW2+Yz/Tb126Fj15A==
MGpEna/sP28R
2r1R7SIRo2k=
o+JNKAxIEfmxnYJXN3pcmICntUs=
2PdJIQMfr2EXV0UBwHpoZCtP
fAFhNzu0d4EgsFkj/Q==
ATKmk322gHsj0IQV/K9BbXMpXw==
Y9e999dp7HRlP0A=
zB571CslHBPFnZu1VrZmO9mUQwJ4
DC6tppDPlqGEx3YJ
pS6f7YTrQL126Fj15A==
7GPeGIwJWp7CsnES
Mo58zqfYayXFdSPSUOeT
Gn4D598ZF1yEZHwe
N0qtkZYF2Nly5uakclYMpIGG+/orwco=
3kad1wktvoInD9fXmOw=
LLGk/LnsADrpfjbd2n5oZCtP
qRB0XUvCnYc0892bF6szzQ==
teTVvSlneKuEZHwe
oxqR9pQLZcly6Fj15A==
9zEmeYsN5umTNuFLHsR81KSO10dw
PHbp08n9mErv/NfXmOw=
txgBX3/nv3RlP0A=
I6EDDd4bEr9rmw==
CpD3+skREr9rmw==
Y8Kl4OFreahAsqZNFhC8B9H8gzAQtsWn7A==
hu/YM0vEzfusNi4H235oZCtP
yF1BQPJ17nRlP0A=
DUpQrWuhtPKxKctRMtBzvxuO10dw
JY7o2etmKyHMdTMCjMNhw6/ZW5NnSAiN
muTLDQp7QEXYJxHZh8hx2g==
fLgqAgVrMiHMgCaMXP2WvgugoxaNcTW07A==
easternsd.com
Signatures

Loads dropped DLL (1 IoC)
  pid 616  chkdsk.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1088 set thread context of 1672  pid 1088  wire_deposito# 00711 23-09-2022_IMG.exe  procid_target 26
  PID 1672 set thread context of 1416  pid 1672  aspnet_compiler.exe  procid_target 13
  PID 616 set thread context of 1416  pid 616  chkdsk.exe  procid_target 13

Enumerates system info in registry (2 TTPs, 1 IoC)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe

Modifies Internet Explorer settings (signature name as listed in the process tree below)
  Key created  \Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  chkdsk.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 1672  aspnet_compiler.exe  (4 entries)
  pid 616  chkdsk.exe  (21 entries)

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid 1672  aspnet_compiler.exe  (3 entries)
  pid 616  chkdsk.exe  (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1672  aspnet_compiler.exe
  Token: SeDebugPrivilege  pid 616  chkdsk.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1416  Explorer.EXE  (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1416  Explorer.EXE  (2 entries)

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1088 wrote to memory of 1672  pid 1088  wire_deposito# 00711 23-09-2022_IMG.exe  procid_target 26  (7 entries)
  PID 1416 wrote to memory of 616  pid 1416  Explorer.EXE  procid_target 27  (4 entries)
  PID 616 wrote to memory of 1376  pid 616  chkdsk.exe  procid_target 30  (5 entries)
Processes

C:\Windows\Explorer.EXE  (PID 1416)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\wire_deposito# 00711 23-09-2022_IMG.exe  (PID 1088)
    command line: "C:\Users\Admin\AppData\Local\Temp\wire_deposito# 00711 23-09-2022_IMG.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  (PID 1672)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\chkdsk.exe  (PID 616)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 1376)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.0MB
MD5: f1e5f58f9eb43ecec773acbdb410b888
SHA1: f1b8076b0bbde696694bbc0ab259a77893839464
SHA256: a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14
SHA512: 0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456