Analysis

  • max time kernel: 122s
  • max time network: 144s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 22/12/2023, 14:14

General

  • Target: bbf34c5689b80de64562c1307183ea14.exe
  • Size: 197KB
  • MD5: bbf34c5689b80de64562c1307183ea14
  • SHA1: 31d5213b7f06287578e2b17f4555d34a393b3e64
  • SHA256: 8c544dd1913721c28f59f0a459da678d4f59fe9da3d09649f7d72470ca44d9fd
  • SHA512: ea53c1e9478d23e2cc168bbc91fdadefab3c7eed837b6976cf1df372e7af9f1c8f0d28240522421dcec2ce4cf50a32931d9932a7d6612105a48a70fdb850a7bc
  • SSDEEP: 6144:Om3UslV28FMEQUTYan9QD80sLbCuUhm08Z4:OmEslVnrbdM83G

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbf34c5689b80de64562c1307183ea14.exe
    "C:\Users\Admin\AppData\Local\Temp\bbf34c5689b80de64562c1307183ea14.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2356
    • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
      c:\users\admin\appdata\local\temp\\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1220
      • \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
        c:\users\admin\appdata\local\temp\\wmpscfgs.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
    • C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:275457 /prefetch:2
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:1192
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:472069 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2348
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:275480 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize: 914B
    MD5: e4a68ac854ac5242460afd72481b2a44
    SHA1: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
    SHA256: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
    SHA512: 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize: 252B
    MD5: 972638d5eac518692a891e56ee3717e8
    SHA1: c10357bc5d5730c54eaec4156e3c3d3dc093f9c4
    SHA256: e51d0ba4921da32bf65189792bcf576f5dee14aefdb6f67ec730b4f84f16db76
    SHA512: d0f085de72fe01fbb53f44b7b20efd2c68424f75566ddc38105cbdd061bafee4011153532a437faac6a619149f1c61d116f8995630a65f7143ae0366cde87611

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 5647119721304b69c79f69766e5b652a
    SHA1: a64527ddde259133bdcff9bca1fd4c9be847b6d9
    SHA256: a57e941b4f65dc092554c2bd2cf59680ab9d4c6dce99e782e3dfaa9cdff9abe4
    SHA512: 814293b5f6a33f1cf1aa0f0933b251d02d717ea1ab29b0cdeaa364c289933be4e36d935b9b9b6c10c4c6c04288cfaf73597e5f557fad2dcaf66195962b1e5211

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: b1824367aeacebb85593fc104cc39637
    SHA1: 89b5730cc5dce7788518f66b01244572568d7193
    SHA256: b92327a4a4c3d634eb1bd2bd0d0cdc603cf7ec0c106a3b4394c247d439855fbc
    SHA512: b423da202ffb50b2d8c024f0dd8033f5365a00ee6b0341db74acc1a54afe41ade4b55bbef7bd6491c47d6c50760a029a2fe55589503eeafd587f1e2ddc109f2c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 87041e53b038097e12dcbc62f3688bac
    SHA1: 5274b34bb4117b348ff40975288b7feeb52558de
    SHA256: b9166ee5b8afb9b543b91cae5aadbb37abcae65e4c1113f869ce92f8c8437981
    SHA512: f8714312da0cf8d59535e725d8a819d58e4bb0cfe50fd72a761ba2b22e1071c12dae274c1fc97298e63e926f4b3d0f8663912cc6e7d581daf9d352893525b347

  • C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe
    Filesize: 221KB
    MD5: e135b8dbe296e701326819e5ad7316c2
    SHA1: 0264229b32c8d027d8c2d5245c0effc544070c19
    SHA256: 57b71a8f4296975c07a1e7a5b61e7540c557971ff307e4480a6bb4f70acd1ead
    SHA512: 9dcee1fc53882787e63ab32fa2ffc4f699adffdb48feffa10a748bf41af92199caef2f675045faf14aab0018a61c9dfd15a9b22b9c5067470eed583861a4b485

  • C:\Users\Admin\AppData\Local\Temp\~DF030E1C322A463C33.TMP
    Filesize: 16KB
    MD5: 07f38e392b76ec6448feff496701b509
    SHA1: 2212e64ca3253c55373a8c1d578f07ef1fa53801
    SHA256: 3051fffc6856165941858403f5b71639d0dd846cd757a7b18c07a3fd020cc1b3
    SHA512: 8084bd52a92d8f21cacb0297b7253114e6316d126bd3f79e3f4d4db38999871c2df6a1be221d5938e965949b5fbbf4b8b300a3161c6d3c7f2614aa3867f07645

  • \Program Files (x86)\Internet Explorer\wmpscfgs.exe
    Filesize: 207KB
    MD5: 8e053ff4eeded62c9a70bfd486c11827
    SHA1: b158a7da8ec1a354673336f5674b0aede9c227cd
    SHA256: f3cf78187d8ee0b6cf139324121aba5e167ba53ab1eb2f159a0cba6dba88d5e5
    SHA512: 9c2673e3e6dd30f31942eb91ba84c6cc43bbb06035f682ce366e4588c3313b1bca8f468ffa1997097e471848b25be3beb08ea67d870215a0e5d587747440405a

  • memory/1716-32-0x0000000000380000-0x0000000000382000-memory.dmp
    Filesize: 8KB

  • memory/2228-22-0x0000000010000000-0x0000000010010000-memory.dmp
    Filesize: 64KB

  • memory/2228-46-0x0000000000560000-0x0000000000562000-memory.dmp
    Filesize: 8KB

  • memory/2356-0-0x0000000010000000-0x0000000010010000-memory.dmp
    Filesize: 64KB