Analysis
max time kernel: 37s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2023, 20:08
Static task: static1
Behavioral task: behavioral1
  Sample: e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe
  Resource: win10v2004-20230220-en
General
Target: e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe
Size: 1.3MB
MD5: accbbf5ca2c67a5d6f0b4bab71b5a81d
SHA1: 61816822b97a25ad36575520560c4eaca7876d7c
SHA256: e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395
SHA512: 4fce6d4a824ff290c3b36d54e477c1d17050d28cc2d43defa4aa90f7715bc9b2b5a41b8b41518d573206788ccd36b7026f5d65064e7465809680b6be97aa8c2f
SSDEEP: 24576:DTbBv5rUDwcyw5LAXjXXRQFX8KZHbK5sUdSpUUBQjqfYTfz7V2EggiVE1+:dB1cL5UtQSWobCUUZ8V2Egy+
Malware Config
Extracted: darkcloud
- email_from:
- email_to:
Signatures

Executes dropped EXE (3 IoCs)
- PID 760: kjnoepc.pif
- PID 648: RegSvcs.exe
- PID 1764: RegSvcs.exe

Loads dropped DLL (3 IoCs)
- PID 1868: wscript.exe
- PID 760: kjnoepc.pif
- PID 760: kjnoepc.pif

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process: kjnoepc.pif)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsbo\\kjnoepc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\vsbo\\wdnwqnp.msc" (process: kjnoepc.pif)

Suspicious use of SetThreadContext (2 IoCs)
- PID 760 (kjnoepc.pif) set thread context of 648 (procid_target 31)
- PID 760 (kjnoepc.pif) set thread context of 1764 (procid_target 30)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 1764: RegSvcs.exe

Suspicious use of WriteProcessMemory (25 IoCs)
- PID 2016 (e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe) wrote to memory of 1868 (procid_target 28), 4 entries
- PID 1868 (wscript.exe) wrote to memory of 760 (procid_target 29), 4 entries
- PID 760 (kjnoepc.pif) wrote to memory of 1764 (procid_target 30), 9 entries
- PID 760 (kjnoepc.pif) wrote to memory of 648 (procid_target 31), 8 entries
Processes
C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe (PID 2016)
  command line: "C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wscript.exe (PID 1868)
    command line: "C:\Windows\System32\wscript.exe" Update-ru.u.vbe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif (PID 760)
      command line: "C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif" wdnwqnp.msc
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 1764)
        command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 648)
        command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads