Analysis
- max time kernel: 122s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/01/2023, 21:11
Static task
- static1
Behavioral task
- behavioral1
  Sample: 295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: 295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
  Resource: win10v2004-20221111-en
General
- Target: 295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
- Size: 726KB
- MD5: d0e77b07603d7c8c6f3a3a762836f138
- SHA1: a2f1f9a447e406b489b984fa5403a36e79d28911
- SHA256: 295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6
- SHA512: f98b81f9b7cda9bce17a995560b6fa9b21fc1765fd48fd6d468444c4236b4c3bfdf925e14956406d34dd268ced6cd083900f3307601e8404ac1c6c5a53f8e348
- SSDEEP: 12288:vCatIwPtT2lwPtT2VpmxqDbHks2XnFxXKdOUzD1Duc:vzVPtT2OPtT2VpmUHU3F4Tzlu
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  4132  bootinst.exe
- Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.
  pid   Process
  4892  attrib.exe
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc      Process
  File opened (read-only)  \??\E:   295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
  File opened (read-only)  \??\E:   cmd.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each parent/child pair below is reported three times in the source)
  description                       pid   Process                                                                  procid_target
  PID 4652 wrote to memory of 2740  4652  295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe  81
  PID 2740 wrote to memory of 4892  2740  cmd.exe                                                                  83
  PID 2740 wrote to memory of 4132  2740  cmd.exe                                                                  84
  PID 2740 wrote to memory of 4440  2740  cmd.exe                                                                  85
  PID 2740 wrote to memory of 1340  2740  cmd.exe                                                                  87
  PID 2740 wrote to memory of 4552  2740  cmd.exe                                                                  88
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid   Process
  4892  attrib.exe
Processes (indentation shows the parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe"
  PID: 4652
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c copy C:\Users\Admin\AppData\Roaming\win7Res\grldr E:\grldr / b>NUL 2>NUL &attrib E:\grldr +h +s +r &C:\Users\Admin\AppData\Roaming\win7Res\bootinst /nt60 E: &cscript C:\Windows\system32\slmgr.vbs -ilc C:\Users\Admin\AppData\Roaming\win7Res\Certificate.xrm-ms &cscript C:\Windows\system32\slmgr.vbs -ipk 49PB6-6BJ6Y-KHGCQ-7DDY6-TF7CD &C:\Windows\system32\svchost.exe -k LocalService
    PID: 2740
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib E:\grldr +h +s +r
      PID: 4892
      - Sets file to hidden
      - Views/modifies file attributes
    C:\Users\Admin\AppData\Roaming\win7Res\bootinst.exe
      Command line: C:\Users\Admin\AppData\Roaming\win7Res\bootinst /nt60 E:
      PID: 4132
      - Executes dropped EXE
    C:\Windows\SysWOW64\cscript.exe
      Command line: cscript C:\Windows\system32\slmgr.vbs -ilc C:\Users\Admin\AppData\Roaming\win7Res\Certificate.xrm-ms
      PID: 4440
    C:\Windows\SysWOW64\cscript.exe
      Command line: cscript C:\Windows\system32\slmgr.vbs -ipk 49PB6-6BJ6Y-KHGCQ-7DDY6-TF7CD
      PID: 1340
    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe -k LocalService
      PID: 4552
Network
MITRE ATT&CK Enterprise v6
Downloads