Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 16:35

General

  • Target

    0608850fdf4350102cc8fec8aa97f82e.exe

  • Size

    599KB

  • MD5

    0608850fdf4350102cc8fec8aa97f82e

  • SHA1

    93c3dcdf197632ffac988846d3af1fcbe716fcb6

  • SHA256

    047c6ab7a1f1b1d6d14628ad13143311eabf26d5a51ace2a3645cfa717c95797

  • SHA512

    849ae532cac0fd9d2886fb63ca476180af552ef1eacc25f297bacc1d4206928048535e494296f47f8c37441cc4ab86c9693d601a3d60bb47dc4930090829bce5

  • SSDEEP

    12288:4hTju9of43dWlrfC6dcUD6SHdD1kFwdhKcpJ4gpkJvO:4hTjuOf43orfNdhDHl10BcpJ4gp4G

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0608850fdf4350102cc8fec8aa97f82e.exe
    "C:\Users\Admin\AppData\Local\Temp\0608850fdf4350102cc8fec8aa97f82e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\cbdcabficbdb.exe
      C:\Users\Admin\AppData\Local\Temp\cbdcabficbdb.exe 4-8-8-8-5-5-7-9-2-4-3 K0hBPDgxKygvHCxPTTpIRD82Jx4rS0FMT0dNRkI7Oy0dKzxBS09EPTQwMS8wLxgnPkQ9NC4cLExKRzxQPk1WR0A6LiwsKzMbKEpDTlNBSldNTUc2X3JwbTYnJ2tgbW8lcmRiKVloaChfWmtfKmZqXmcYKj5FQEFHRkA1GCc/LDYkLxwsQCo1JSwbKDsxOSotGCc8LzgmKB4rQTE1JSkbKklJTUBSP0xXSE1ETzhBVTocJ0hKSj9OOlJbQlFEOTUbKklJTUBSP0xXRjxIPjRLZWBuZ2tnYW8eKS5QbGtkY2FvICsnMCoyKisYJ0BTPlZTTkk5YGxsazUoJnVzdCplYVttamxmZHAqcGdnZGZkbSVha2orRWFbbWpsZmRwIi4oTGdqZ2RgcipidF0YJ0BTPlZBSUFIQUY9OBsoP01PUVs6SkdSTj5JOy4dK0xAOUlGUkZTW1JORDUYKlFGNDAcLEBLKTVIZFxpbW9sYmwdKitPaGZqZ2ZwHSooLSkuJTEcLE5NRkxESD5WVUFJP0dFPURIOj5DUU9INRgnRE5YSVNKUUVFPTVvbW5cHitPQUxNSklERz5dUVBBSlc8PFRMNDAcLERBPD1TOCoXLUVQWzxRRjxIQjpdQUs/SlFIT0A9NGRdaW9dGCc/SlBFSks+QFdBSDgtKSksLTU0Ji0wKSwsKR4rUUVFPTUsLysqNTUyMi0pGCo/SE5MSEw9PFdMREg+NDArLi8nKigsMCMpODA0NispIjxI
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703443405.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2372
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703443405.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3056
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703443405.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703443405.txt bios get version
        3⤵
          PID:2588
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic /output:C:\Users\Admin\AppData\Local\Temp\81703443405.txt bios get version
          3⤵
            PID:2556
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 372
            3⤵
            • Loads dropped DLL
            • Program crash
            PID:2876

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\81703443405.txt

        Filesize

        66B

        MD5

        9025468f85256136f923096b01375964

        SHA1

        7fcd174999661594fa5f88890ffb195e9858cc52

        SHA256

        d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

        SHA512

        92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

      • C:\Users\Admin\AppData\Local\Temp\cbdcabficbdb.exe

        Filesize

        726KB

        MD5

        7f63a1f1fc4642997a90d62ced8b017c

        SHA1

        cf7ce264af5ab84c5b7e2096771b8dd580b06ba9

        SHA256

        944f7b89dc828e57a19de3028974c2a368c800696eb6d40b5de5e8828737c643

        SHA512

        e9610c672f806175ca43d56e220eeef67c84d8ae7935217ccd43cfdedd19272f8bb62df7d214ec0ea1cfcd0d02e5c25debcc796d658278ec93e76f86b8512c35

      • \Users\Admin\AppData\Local\Temp\cbdcabficbdb.exe

        Filesize

        824KB

        MD5

        3e6fc2496ba4130b61701ff7d8f83a34

        SHA1

        0fa3c351ceecea294c5feb200e1f6262475ec938

        SHA256

        ab3d180777bcebd4b08deaf7841dd5d9a8718ea2438e42ebcff5cfb2460d1972

        SHA512

        4dca301ad2de547173b94ddb47728a74dbc629926fff59658573a54275fd76e252c65968bf4a22d83f5c77bcb2bacf35bdf9bbacdeab6c408a6ddd938768d874

      • \Users\Admin\AppData\Local\Temp\nst4E50.tmp\dmc.dll

        Filesize

        120KB

        MD5

        75857a33cbbaa6d6ad58ef9d7517cde5

        SHA1

        68dfd7ca54ab9a813a831d5c76ddafbc5ba7a0a4

        SHA256

        7bd3a9c95b88eca88a487345cae58a95d32888b60eeb4a6eb4c72fc65f635581

        SHA512

        0aafaa011c9b030023f37492bc755050b116364bf3410dfbd2236e53ce587c91abecdd2ab0e3b00307c56c5cc0f41835739d6711a341e50129ef37b85f23f9c1

      • \Users\Admin\AppData\Local\Temp\nst4E50.tmp\nsisunz.dll

        Filesize

        40KB

        MD5

        5f13dbc378792f23e598079fc1e4422b

        SHA1

        5813c05802f15930aa860b8363af2b58426c8adf

        SHA256

        6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

        SHA512

        9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5