Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
24/12/2023, 16:35
Static task
static1
Behavioral task
behavioral1
Sample
0608850fdf4350102cc8fec8aa97f82e.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0608850fdf4350102cc8fec8aa97f82e.exe
Resource
win10v2004-20231222-en
General
-
Target
0608850fdf4350102cc8fec8aa97f82e.exe
-
Size
599KB
-
MD5
0608850fdf4350102cc8fec8aa97f82e
-
SHA1
93c3dcdf197632ffac988846d3af1fcbe716fcb6
-
SHA256
047c6ab7a1f1b1d6d14628ad13143311eabf26d5a51ace2a3645cfa717c95797
-
SHA512
849ae532cac0fd9d2886fb63ca476180af552ef1eacc25f297bacc1d4206928048535e494296f47f8c37441cc4ab86c9693d601a3d60bb47dc4930090829bce5
-
SSDEEP
12288:4hTju9of43dWlrfC6dcUD6SHdD1kFwdhKcpJ4gpkJvO:4hTjuOf43orfNdhDHl10BcpJ4gp4G
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2848 cbdcabficbdb.exe -
Loads dropped DLL 10 IoCs
pid Process 2332 0608850fdf4350102cc8fec8aa97f82e.exe 2332 0608850fdf4350102cc8fec8aa97f82e.exe 2332 0608850fdf4350102cc8fec8aa97f82e.exe 2876 WerFault.exe 2876 WerFault.exe 2876 WerFault.exe 2876 WerFault.exe 2876 WerFault.exe 2876 WerFault.exe 2876 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2876 2848 WerFault.exe 28 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2372 wmic.exe Token: SeSecurityPrivilege 2372 wmic.exe Token: SeTakeOwnershipPrivilege 2372 wmic.exe Token: SeLoadDriverPrivilege 2372 wmic.exe Token: SeSystemProfilePrivilege 2372 wmic.exe Token: SeSystemtimePrivilege 2372 wmic.exe Token: SeProfSingleProcessPrivilege 2372 wmic.exe Token: SeIncBasePriorityPrivilege 2372 wmic.exe Token: SeCreatePagefilePrivilege 2372 wmic.exe Token: SeBackupPrivilege 2372 wmic.exe Token: SeRestorePrivilege 2372 wmic.exe Token: SeShutdownPrivilege 2372 wmic.exe Token: SeDebugPrivilege 2372 wmic.exe Token: SeSystemEnvironmentPrivilege 2372 wmic.exe Token: SeRemoteShutdownPrivilege 2372 wmic.exe Token: SeUndockPrivilege 2372 wmic.exe Token: SeManageVolumePrivilege 2372 wmic.exe Token: 33 2372 wmic.exe Token: 34 2372 wmic.exe Token: 35 2372 wmic.exe Token: SeIncreaseQuotaPrivilege 2372 wmic.exe Token: SeSecurityPrivilege 2372 wmic.exe Token: SeTakeOwnershipPrivilege 2372 wmic.exe Token: SeLoadDriverPrivilege 2372 wmic.exe Token: SeSystemProfilePrivilege 2372 wmic.exe Token: SeSystemtimePrivilege 2372 wmic.exe Token: SeProfSingleProcessPrivilege 2372 wmic.exe Token: SeIncBasePriorityPrivilege 2372 wmic.exe Token: SeCreatePagefilePrivilege 2372 wmic.exe Token: SeBackupPrivilege 2372 wmic.exe Token: SeRestorePrivilege 2372 wmic.exe Token: SeShutdownPrivilege 2372 wmic.exe Token: SeDebugPrivilege 2372 wmic.exe Token: SeSystemEnvironmentPrivilege 2372 wmic.exe Token: SeRemoteShutdownPrivilege 2372 wmic.exe Token: SeUndockPrivilege 2372 wmic.exe Token: SeManageVolumePrivilege 2372 wmic.exe Token: 33 2372 wmic.exe Token: 34 2372 wmic.exe Token: 35 2372 wmic.exe Token: SeIncreaseQuotaPrivilege 3056 wmic.exe Token: SeSecurityPrivilege 3056 wmic.exe Token: SeTakeOwnershipPrivilege 3056 wmic.exe Token: SeLoadDriverPrivilege 3056 wmic.exe Token: SeSystemProfilePrivilege 3056 wmic.exe Token: SeSystemtimePrivilege 3056 wmic.exe Token: SeProfSingleProcessPrivilege 3056 wmic.exe Token: SeIncBasePriorityPrivilege 3056 wmic.exe Token: SeCreatePagefilePrivilege 3056 wmic.exe Token: SeBackupPrivilege 3056 wmic.exe Token: SeRestorePrivilege 3056 wmic.exe Token: SeShutdownPrivilege 3056 wmic.exe Token: SeDebugPrivilege 3056 wmic.exe Token: SeSystemEnvironmentPrivilege 3056 wmic.exe Token: SeRemoteShutdownPrivilege 3056 wmic.exe Token: SeUndockPrivilege 3056 wmic.exe Token: SeManageVolumePrivilege 3056 wmic.exe Token: 33 3056 wmic.exe Token: 34 3056 wmic.exe Token: 35 3056 wmic.exe Token: SeIncreaseQuotaPrivilege 2756 wmic.exe Token: SeSecurityPrivilege 2756 wmic.exe Token: SeTakeOwnershipPrivilege 2756 wmic.exe Token: SeLoadDriverPrivilege 2756 wmic.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 2332 wrote to memory of 2848 2332 0608850fdf4350102cc8fec8aa97f82e.exe 28 PID 2332 wrote to memory of 2848 2332 0608850fdf4350102cc8fec8aa97f82e.exe 28 PID 2332 wrote to memory of 2848 2332 0608850fdf4350102cc8fec8aa97f82e.exe 28 PID 2332 wrote to memory of 2848 2332 0608850fdf4350102cc8fec8aa97f82e.exe 28 PID 2332 wrote to memory of 2848 2332 0608850fdf4350102cc8fec8aa97f82e.exe 28 PID 2332 wrote to memory of 2848 2332 0608850fdf4350102cc8fec8aa97f82e.exe 28 PID 2332 wrote to memory of 2848 2332 0608850fdf4350102cc8fec8aa97f82e.exe 28 PID 2848 wrote to memory of 2372 2848 cbdcabficbdb.exe 29 PID 2848 wrote to memory of 2372 2848 cbdcabficbdb.exe 29 PID 2848 wrote to memory of 2372 2848 cbdcabficbdb.exe 29 PID 2848 wrote to memory of 2372 2848 cbdcabficbdb.exe 29 PID 2848 wrote to memory of 3056 2848 cbdcabficbdb.exe 32 PID 2848 wrote to memory of 3056 2848 cbdcabficbdb.exe 32 PID 2848 wrote to memory of 3056 2848 cbdcabficbdb.exe 32 PID 2848 wrote to memory of 3056 2848 cbdcabficbdb.exe 32 PID 2848 wrote to memory of 2756 2848 cbdcabficbdb.exe 34 PID 2848 wrote to memory of 2756 2848 cbdcabficbdb.exe 34 PID 2848 wrote to memory of 2756 2848 cbdcabficbdb.exe 34 PID 2848 wrote to memory of 2756 2848 cbdcabficbdb.exe 34 PID 2848 wrote to memory of 2588 2848 cbdcabficbdb.exe 36 PID 2848 wrote to memory of 2588 2848 cbdcabficbdb.exe 36 PID 2848 wrote to memory of 2588 2848 cbdcabficbdb.exe 36 PID 2848 wrote to memory of 2588 2848 cbdcabficbdb.exe 36 PID 2848 wrote to memory of 2556 2848 cbdcabficbdb.exe 38 PID 2848 wrote to memory of 2556 2848 cbdcabficbdb.exe 38 PID 2848 wrote to memory of 2556 2848 cbdcabficbdb.exe 38 PID 2848 wrote to memory of 2556 2848 cbdcabficbdb.exe 38 PID 2848 wrote to memory of 2876 2848 cbdcabficbdb.exe 40 PID 2848 wrote to memory of 2876 2848 cbdcabficbdb.exe 40 PID 2848 wrote to memory of 2876 2848 cbdcabficbdb.exe 40 PID 2848 wrote to memory of 2876 2848 cbdcabficbdb.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\0608850fdf4350102cc8fec8aa97f82e.exe"C:\Users\Admin\AppData\Local\Temp\0608850fdf4350102cc8fec8aa97f82e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\cbdcabficbdb.exeC:\Users\Admin\AppData\Local\Temp\cbdcabficbdb.exe 4-8-8-8-5-5-7-9-2-4-3 K0hBPDgxKygvHCxPTTpIRD82Jx4rS0FMT0dNRkI7Oy0dKzxBS09EPTQwMS8wLxgnPkQ9NC4cLExKRzxQPk1WR0A6LiwsKzMbKEpDTlNBSldNTUc2X3JwbTYnJ2tgbW8lcmRiKVloaChfWmtfKmZqXmcYKj5FQEFHRkA1GCc/LDYkLxwsQCo1JSwbKDsxOSotGCc8LzgmKB4rQTE1JSkbKklJTUBSP0xXSE1ETzhBVTocJ0hKSj9OOlJbQlFEOTUbKklJTUBSP0xXRjxIPjRLZWBuZ2tnYW8eKS5QbGtkY2FvICsnMCoyKisYJ0BTPlZTTkk5YGxsazUoJnVzdCplYVttamxmZHAqcGdnZGZkbSVha2orRWFbbWpsZmRwIi4oTGdqZ2RgcipidF0YJ0BTPlZBSUFIQUY9OBsoP01PUVs6SkdSTj5JOy4dK0xAOUlGUkZTW1JORDUYKlFGNDAcLEBLKTVIZFxpbW9sYmwdKitPaGZqZ2ZwHSooLSkuJTEcLE5NRkxESD5WVUFJP0dFPURIOj5DUU9INRgnRE5YSVNKUUVFPTVvbW5cHitPQUxNSklERz5dUVBBSlc8PFRMNDAcLERBPD1TOCoXLUVQWzxRRjxIQjpdQUs/SlFIT0A9NGRdaW9dGCc/SlBFSks+QFdBSDgtKSksLTU0Ji0wKSwsKR4rUUVFPTUsLysqNTUyMi0pGCo/SE5MSEw9PFdMREg+NDArLi8nKigsMCMpODA0NispIjxI2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703443405.txt bios get serialnumber3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703443405.txt bios get version3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703443405.txt bios get version3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703443405.txt bios get version3⤵PID:2588
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81703443405.txt bios get version3⤵PID:2556
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 3723⤵
- Loads dropped DLL
- Program crash
PID:2876
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66B
MD59025468f85256136f923096b01375964
SHA17fcd174999661594fa5f88890ffb195e9858cc52
SHA256d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA51292cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
Filesize
726KB
MD57f63a1f1fc4642997a90d62ced8b017c
SHA1cf7ce264af5ab84c5b7e2096771b8dd580b06ba9
SHA256944f7b89dc828e57a19de3028974c2a368c800696eb6d40b5de5e8828737c643
SHA512e9610c672f806175ca43d56e220eeef67c84d8ae7935217ccd43cfdedd19272f8bb62df7d214ec0ea1cfcd0d02e5c25debcc796d658278ec93e76f86b8512c35
-
Filesize
824KB
MD53e6fc2496ba4130b61701ff7d8f83a34
SHA10fa3c351ceecea294c5feb200e1f6262475ec938
SHA256ab3d180777bcebd4b08deaf7841dd5d9a8718ea2438e42ebcff5cfb2460d1972
SHA5124dca301ad2de547173b94ddb47728a74dbc629926fff59658573a54275fd76e252c65968bf4a22d83f5c77bcb2bacf35bdf9bbacdeab6c408a6ddd938768d874
-
Filesize
120KB
MD575857a33cbbaa6d6ad58ef9d7517cde5
SHA168dfd7ca54ab9a813a831d5c76ddafbc5ba7a0a4
SHA2567bd3a9c95b88eca88a487345cae58a95d32888b60eeb4a6eb4c72fc65f635581
SHA5120aafaa011c9b030023f37492bc755050b116364bf3410dfbd2236e53ce587c91abecdd2ab0e3b00307c56c5cc0f41835739d6711a341e50129ef37b85f23f9c1
-
Filesize
40KB
MD55f13dbc378792f23e598079fc1e4422b
SHA15813c05802f15930aa860b8363af2b58426c8adf
SHA2566e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
SHA5129270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5