Analysis
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/12/2023, 11:07
Static task: static1
Behavioral task: behavioral1
  Sample: bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe
  Resource: win10v2004-20231215-en
General
Target: bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe
Size: 756KB
MD5: d7be2192fc7cb22db8a2acdbf4bbdafe
SHA1: 89d97962f8d193fcb91402574046304fbfe2e89f
SHA256: bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324
SHA512: e0da02125907eade276c6489af7bccfae29ab6d07a7936dc59d3fd041d723e2840a57197fea5ba11425c37f6fe0f36570610e13ce2d7ace7823955416de6d799
SSDEEP: 12288:FNpszYhvXWSVJdMae3mUJUTOMsa+0zNOabK3ghMZtc6NS+0Ulk287/k/MjuLle:7hvJVJdMa1+wOmK3gglSjUlkVzuLs
Malware Config
Extracted: metasploit
  Payload: windows/reverse_tcp
  C2: 103.116.46.219:25566
  C2: 218.89.171.148:55472
Extracted: metasploit
  Encoder: encoder/shikata_ga_nai
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Manipulates Digital Signatures (1 TTP, 3 IoCs)
Attackers can alter the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | certutil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | certutil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | certutil.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | file.com.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | file.com
Executes dropped EXE (4 IoCs)
pid | Process
5048 | file.com.exe
2308 | file.com
3900 | Windows.exe
1492 | dllconfig.exe

UPX packed file (6 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023246-186.dat | upx
behavioral2/memory/3900-187-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral2/files/0x0008000000023247-190.dat | upx
behavioral2/memory/1492-192-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral2/memory/3900-195-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral2/memory/1492-196-0x0000000000400000-0x0000000000419000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (33 IoCs)
description | pid | Process | procid_target
PID 1148 wrote to memory of 2532 | 1148 | bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe | 92
PID 1148 wrote to memory of 2532 | 1148 | bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe | 92
PID 1148 wrote to memory of 2532 | 1148 | bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe | 92
PID 2532 wrote to memory of 5084 | 2532 | cmd.exe | 95
PID 2532 wrote to memory of 5084 | 2532 | cmd.exe | 95
PID 2532 wrote to memory of 5084 | 2532 | cmd.exe | 95
PID 2532 wrote to memory of 1852 | 2532 | cmd.exe | 96
PID 2532 wrote to memory of 1852 | 2532 | cmd.exe | 96
PID 2532 wrote to memory of 1852 | 2532 | cmd.exe | 96
PID 1552 wrote to memory of 5048 | 1552 | explorer.exe | 99
PID 1552 wrote to memory of 5048 | 1552 | explorer.exe | 99
PID 1552 wrote to memory of 5048 | 1552 | explorer.exe | 99
PID 5048 wrote to memory of 3808 | 5048 | file.com.exe | 100
PID 5048 wrote to memory of 3808 | 5048 | file.com.exe | 100
PID 5048 wrote to memory of 3808 | 5048 | file.com.exe | 100
PID 3808 wrote to memory of 2760 | 3808 | cmd.exe | 103
PID 3808 wrote to memory of 2760 | 3808 | cmd.exe | 103
PID 3808 wrote to memory of 2760 | 3808 | cmd.exe | 103
PID 3808 wrote to memory of 4636 | 3808 | cmd.exe | 104
PID 3808 wrote to memory of 4636 | 3808 | cmd.exe | 104
PID 3808 wrote to memory of 4636 | 3808 | cmd.exe | 104
PID 3260 wrote to memory of 2308 | 3260 | explorer.exe | 106
PID 3260 wrote to memory of 2308 | 3260 | explorer.exe | 106
PID 3260 wrote to memory of 2308 | 3260 | explorer.exe | 106
PID 2308 wrote to memory of 3936 | 2308 | file.com | 107
PID 2308 wrote to memory of 3936 | 2308 | file.com | 107
PID 2308 wrote to memory of 3936 | 2308 | file.com | 107
PID 3936 wrote to memory of 3900 | 3936 | cmd.exe | 109
PID 3936 wrote to memory of 3900 | 3936 | cmd.exe | 109
PID 3936 wrote to memory of 3900 | 3936 | cmd.exe | 109
PID 3936 wrote to memory of 1492 | 3936 | cmd.exe | 110
PID 3936 wrote to memory of 1492 | 3936 | cmd.exe | 110
PID 3936 wrote to memory of 1492 | 3936 | cmd.exe | 110
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd85a708785e2644c6e719041bfd53c3ae3f9820ea13f26e0ec08813769a1324.exe"
  PID: 1148
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.com.exe.bat" "
    PID: 2532
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\certutil.exe
      Command line: certutil -f -decode t "C:\Users\Admin\AppData\Local\Temp\file.com.exe"
      PID: 5084
      - Manipulates Digital Signatures
    (depth 3) C:\Windows\SysWOW64\explorer.exe
      Command line: explorer "C:\Users\Admin\AppData\Local\Temp\file.com.exe"
      PID: 1852

(depth 1) C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 1552
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\file.com.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.com.exe"
    PID: 5048
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.com.cmd" "
      PID: 3808
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\certutil.exe
        Command line: certutil -f -decode t "C:\Users\Admin\AppData\Local\Temp\file.com"
        PID: 2760
      (depth 4) C:\Windows\SysWOW64\explorer.exe
        Command line: explorer "C:\Users\Admin\AppData\Local\Temp\file.com"
        PID: 4636

(depth 1) C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 3260
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\file.com
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.com"
    PID: 2308
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\run.cmd" "
      PID: 3936
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Users\Admin\AppData\Local\Temp\RarSFX2\Windows.exe
        Command line: windows.exe
        PID: 3900
        - Executes dropped EXE
      (depth 4) C:\Users\Admin\AppData\Local\Temp\RarSFX2\dllconfig.exe
        Command line: dllconfig.exe
        PID: 1492
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads