Analysis
- max time kernel: 135s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/02/2023, 09:15
- Static task: static1
- Behavioral task: behavioral1
  - Sample: bc6d0f5310b07c547a00da11a5de2d2af380abd2466275049ab2494eb35c0d86.exe
  - Resource: win10v2004-20220812-en
General
- Target: bc6d0f5310b07c547a00da11a5de2d2af380abd2466275049ab2494eb35c0d86.exe
- Size: 739KB
- MD5: 053fa9459e85147d492f405338c6910e
- SHA1: 8a6f75193c2238db678a6d8eb691b5e2a54f67b5
- SHA256: bc6d0f5310b07c547a00da11a5de2d2af380abd2466275049ab2494eb35c0d86
- SHA512: a8f40fff08b26883e08f71ff69cffd0442009825e37b10dc1da666d1b6dea336a78fbe6b72704ae43c0ff1dd7490a9b9d6ba70659eba399cfc712ef7519addf5
- SSDEEP: 12288:7Mrcy90RzR4P5LAkrAQiPFCBh+Ai4Ox0X7YszppdPFWGW7OYHAThZ+LMfG2v:LyCRW7rNidqh+9rxC7PppdPPWvH4hgLS
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid | Process
  3880 | vHn17.exe
  4248 | vps78.exe
  4636 | dOm27.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | bc6d0f5310b07c547a00da11a5de2d2af380abd2466275049ab2494eb35c0d86.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bc6d0f5310b07c547a00da11a5de2d2af380abd2466275049ab2494eb35c0d86.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vHn17.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vHn17.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | vps78.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | vps78.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4636 | dOm27.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4332 wrote to memory of 3880 | 4332 | bc6d0f5310b07c547a00da11a5de2d2af380abd2466275049ab2494eb35c0d86.exe | 79
  PID 4332 wrote to memory of 3880 | 4332 | bc6d0f5310b07c547a00da11a5de2d2af380abd2466275049ab2494eb35c0d86.exe | 79
  PID 4332 wrote to memory of 3880 | 4332 | bc6d0f5310b07c547a00da11a5de2d2af380abd2466275049ab2494eb35c0d86.exe | 79
  PID 3880 wrote to memory of 4248 | 3880 | vHn17.exe | 80
  PID 3880 wrote to memory of 4248 | 3880 | vHn17.exe | 80
  PID 3880 wrote to memory of 4248 | 3880 | vHn17.exe | 80
  PID 4248 wrote to memory of 4636 | 4248 | vps78.exe | 81
  PID 4248 wrote to memory of 4636 | 4248 | vps78.exe | 81
  PID 4248 wrote to memory of 4636 | 4248 | vps78.exe | 81
Processes
- C:\Users\Admin\AppData\Local\Temp\bc6d0f5310b07c547a00da11a5de2d2af380abd2466275049ab2494eb35c0d86.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc6d0f5310b07c547a00da11a5de2d2af380abd2466275049ab2494eb35c0d86.exe"
  PID: 4332
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHn17.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vHn17.exe
    PID: 3880
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vps78.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vps78.exe
      PID: 4248
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dOm27.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dOm27.exe
        PID: 4636
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 635KB
  MD5: aaa35f330424fd6e843c75c0c4294d95
  SHA1: 948b2d50cbb9b23d047626d53057d4666c6136f1
  SHA256: ed41d0310ef1a59a3050bedc841884c3a8daf9d597653414b5096d1305576bcd
  SHA512: 41bee1fdf2e2bf5cce63d650812cb5904e6e5eb8af71fb86d66d6200191292f8ad3264cc6819ea0e3cde0c482707e0814a62de1e928afca4445053f21971d1e0
- Filesize: 490KB
  MD5: d83f43af43a86fdf14cdab385119b1a3
  SHA1: 66a33acf0907d95c606fd110b60335787ab02b3e
  SHA256: 42c4a239c24ce267305ba7ba10f58b385df2b82b9bb7fcaf4e5f8c975d9a3151
  SHA512: 7c76920401b671c844aca0c44e522215e374d535f3beebb907796c763db656cf3209a9b82f93f23399c1bea31c5807bbec9a416d1e8e38d9ac056038e42ba9d3
- Filesize: 279KB
  MD5: 62620b58e5ea5b8d240b73fec4203422
  SHA1: 394220113df9b5af5d5dba10f8ae695d5e43e183
  SHA256: db45f6b42ded0701d23fa902e933c57a4d72667b5f5af023f8002564f62e482e
  SHA512: c12a878551f5fec683c6bb40dc8fcd736fcdbc87db7db8ae6d750b5efe22ca2aa08ee7a0172eb9eecfda77a95707ce05cfb3b6455b6aa846232c209e676ca188