Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21/03/2023, 14:32
Static task: static1
Behavioral task: behavioral1
  Sample: 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
  Resource: win7-20230220-en
General
Target: 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
Size: 3.8MB
MD5: d07b7112b39c9eee7eaeba1adb099543
SHA1: 1df70cc161540228240e1dde290ac2f5efcfbb0c
SHA256: 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
SHA512: 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135
SSDEEP: 98304:cCtEONaf1kMdpRfZJDRJwdaUNa8gPgEICG6x098gJ2uCB9Ml:RE0UkkHRJuNawLCG6x+8gJFm
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: 74.201.28.92:3569
communication_password: 148b191cf4e80b549e1b1a4444f2bdf6
tor_process: tor
Signatures

Executes dropped EXE (2 IoCs)
  pid | Process
  1668 | tewu.exe
  1724 | tewu.exe

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
  pid | Process
  848 | vbc.exe
  848 | vbc.exe
  848 | vbc.exe
  848 | vbc.exe
  848 | vbc.exe
  1660 | vbc.exe
  580 | vbc.exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 1320 set thread context of 848 | 1320 | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe | 28
  PID 1668 set thread context of 1660 | 1668 | tewu.exe | 38
  PID 1724 set thread context of 580 | 1724 | tewu.exe | 47

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2004 | schtasks.exe
  584 | schtasks.exe
  1584 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 848 | vbc.exe
  Token: SeShutdownPrivilege | 848 | vbc.exe
  Token: SeDebugPrivilege | 1660 | vbc.exe
  Token: SeShutdownPrivilege | 1660 | vbc.exe
  Token: SeDebugPrivilege | 580 | vbc.exe
  Token: SeShutdownPrivilege | 580 | vbc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  848 | vbc.exe
  848 | vbc.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows grouped, count per row)
  description | pid | Process | procid_target | count
  PID 1320 wrote to memory of 848 | 1320 | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe | 28 | 12
  PID 1320 wrote to memory of 1948 | 1320 | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe | 29 | 4
  PID 1320 wrote to memory of 1040 | 1320 | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe | 31 | 4
  PID 1320 wrote to memory of 996 | 1320 | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe | 30 | 4
  PID 1040 wrote to memory of 584 | 1040 | cmd.exe | 35 | 4
  PID 2036 wrote to memory of 1668 | 2036 | taskeng.exe | 37 | 4
  PID 1668 wrote to memory of 1660 | 1668 | tewu.exe | 38 | 12
  PID 1668 wrote to memory of 1312 | 1668 | tewu.exe | 39 | 4
  PID 1668 wrote to memory of 940 | 1668 | tewu.exe | 40 | 4
  PID 1668 wrote to memory of 1816 | 1668 | tewu.exe | 42 | 4
  PID 940 wrote to memory of 1584 | 940 | cmd.exe | 45 | 4
  PID 2036 wrote to memory of 1724 | 2036 | taskeng.exe | 46 | 4
Processes

C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe"
  PID:1320
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID:848
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
    PID:1948

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
    PID:996

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
    PID:1040
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
      PID:584
      - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {E7486573-CB93-4D1D-BED5-B162C628DE79} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
  PID:2036
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\tewu\tewu.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
    PID:1668
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID:1660
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
      PID:1312

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
      PID:940
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (level 4)
        Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
        PID:1584
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
      PID:1816

  C:\Users\Admin\AppData\Roaming\tewu\tewu.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
    PID:1724
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID:580
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
      PID:2040

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
      PID:112

      C:\Windows\SysWOW64\schtasks.exe (level 4)
        Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
        PID:2004
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
      PID:1768
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 3.8MB
MD5: d07b7112b39c9eee7eaeba1adb099543
SHA1: 1df70cc161540228240e1dde290ac2f5efcfbb0c
SHA256: 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
SHA512: 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135