Analysis
- max time kernel: 118s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2023, 20:19
Static task
- static1
Behavioral task
- behavioral1
  Sample: 106ce9f941d28e6d18ebea1ba1cedee4.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 106ce9f941d28e6d18ebea1ba1cedee4.exe
  Resource: win10v2004-20231215-en
General
- Target: 106ce9f941d28e6d18ebea1ba1cedee4.exe
- Size: 567KB
- MD5: 106ce9f941d28e6d18ebea1ba1cedee4
- SHA1: f0f3be3e6e0d133a46910b1c1562dad91e5218e0
- SHA256: 225776aa635fa530432abbee4c30760fc748a5a7d0b2668059287f702afed484
- SHA512: 0276a3247c12fdbf3f73416182ccba1884301ce54859630ccb5749a5fb71780e8e9ee18e39902ba52d15a5c6914511a238fb616ad356936e9c1e5aded2ee47ae
- SSDEEP: 12288:RSqCaEZZ2TusjEi3fLuSv1UFEyt652c5phCX8xvNkmw1cBYV0azPVc:RSnsusl3ThvuSX2AhCs5Nbw1cCV0azO
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2848  ecfcabfbcibf.exe
- Loads dropped DLL (10 IoCs)
  pid   Process
  2304  106ce9f941d28e6d18ebea1ba1cedee4.exe
  2304  106ce9f941d28e6d18ebea1ba1cedee4.exe
  2304  106ce9f941d28e6d18ebea1ba1cedee4.exe
  972   WerFault.exe
  972   WerFault.exe
  972   WerFault.exe
  972   WerFault.exe
  972   WerFault.exe
  972   WerFault.exe
  972   WerFault.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  972   2848        WerFault.exe  28
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeIncreaseQuotaPrivilege      2904  wmic.exe
  Token: SeSecurityPrivilege           2904  wmic.exe
  Token: SeTakeOwnershipPrivilege      2904  wmic.exe
  Token: SeLoadDriverPrivilege         2904  wmic.exe
  Token: SeSystemProfilePrivilege      2904  wmic.exe
  Token: SeSystemtimePrivilege         2904  wmic.exe
  Token: SeProfSingleProcessPrivilege  2904  wmic.exe
  Token: SeIncBasePriorityPrivilege    2904  wmic.exe
  Token: SeCreatePagefilePrivilege     2904  wmic.exe
  Token: SeBackupPrivilege             2904  wmic.exe
  Token: SeRestorePrivilege            2904  wmic.exe
  Token: SeShutdownPrivilege           2904  wmic.exe
  Token: SeDebugPrivilege              2904  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2904  wmic.exe
  Token: SeRemoteShutdownPrivilege     2904  wmic.exe
  Token: SeUndockPrivilege             2904  wmic.exe
  Token: SeManageVolumePrivilege       2904  wmic.exe
  Token: 33                            2904  wmic.exe
  Token: 34                            2904  wmic.exe
  Token: 35                            2904  wmic.exe
  Token: SeIncreaseQuotaPrivilege      2904  wmic.exe
  Token: SeSecurityPrivilege           2904  wmic.exe
  Token: SeTakeOwnershipPrivilege      2904  wmic.exe
  Token: SeLoadDriverPrivilege         2904  wmic.exe
  Token: SeSystemProfilePrivilege      2904  wmic.exe
  Token: SeSystemtimePrivilege         2904  wmic.exe
  Token: SeProfSingleProcessPrivilege  2904  wmic.exe
  Token: SeIncBasePriorityPrivilege    2904  wmic.exe
  Token: SeCreatePagefilePrivilege     2904  wmic.exe
  Token: SeBackupPrivilege             2904  wmic.exe
  Token: SeRestorePrivilege            2904  wmic.exe
  Token: SeShutdownPrivilege           2904  wmic.exe
  Token: SeDebugPrivilege              2904  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2904  wmic.exe
  Token: SeRemoteShutdownPrivilege     2904  wmic.exe
  Token: SeUndockPrivilege             2904  wmic.exe
  Token: SeManageVolumePrivilege       2904  wmic.exe
  Token: 33                            2904  wmic.exe
  Token: 34                            2904  wmic.exe
  Token: 35                            2904  wmic.exe
  Token: SeIncreaseQuotaPrivilege      2956  wmic.exe
  Token: SeSecurityPrivilege           2956  wmic.exe
  Token: SeTakeOwnershipPrivilege      2956  wmic.exe
  Token: SeLoadDriverPrivilege         2956  wmic.exe
  Token: SeSystemProfilePrivilege      2956  wmic.exe
  Token: SeSystemtimePrivilege         2956  wmic.exe
  Token: SeProfSingleProcessPrivilege  2956  wmic.exe
  Token: SeIncBasePriorityPrivilege    2956  wmic.exe
  Token: SeCreatePagefilePrivilege     2956  wmic.exe
  Token: SeBackupPrivilege             2956  wmic.exe
  Token: SeRestorePrivilege            2956  wmic.exe
  Token: SeShutdownPrivilege           2956  wmic.exe
  Token: SeDebugPrivilege              2956  wmic.exe
  Token: SeSystemEnvironmentPrivilege  2956  wmic.exe
  Token: SeRemoteShutdownPrivilege     2956  wmic.exe
  Token: SeUndockPrivilege             2956  wmic.exe
  Token: SeManageVolumePrivilege       2956  wmic.exe
  Token: 33                            2956  wmic.exe
  Token: 34                            2956  wmic.exe
  Token: 35                            2956  wmic.exe
  Token: SeIncreaseQuotaPrivilege      2628  wmic.exe
  Token: SeSecurityPrivilege           2628  wmic.exe
  Token: SeTakeOwnershipPrivilege      2628  wmic.exe
  Token: SeLoadDriverPrivilege         2628  wmic.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  description                        pid   Process                               procid_target
  PID 2304 wrote to memory of 2848   2304  106ce9f941d28e6d18ebea1ba1cedee4.exe  28
  PID 2304 wrote to memory of 2848   2304  106ce9f941d28e6d18ebea1ba1cedee4.exe  28
  PID 2304 wrote to memory of 2848   2304  106ce9f941d28e6d18ebea1ba1cedee4.exe  28
  PID 2304 wrote to memory of 2848   2304  106ce9f941d28e6d18ebea1ba1cedee4.exe  28
  PID 2848 wrote to memory of 2904   2848  ecfcabfbcibf.exe                      29
  PID 2848 wrote to memory of 2904   2848  ecfcabfbcibf.exe                      29
  PID 2848 wrote to memory of 2904   2848  ecfcabfbcibf.exe                      29
  PID 2848 wrote to memory of 2904   2848  ecfcabfbcibf.exe                      29
  PID 2848 wrote to memory of 2956   2848  ecfcabfbcibf.exe                      32
  PID 2848 wrote to memory of 2956   2848  ecfcabfbcibf.exe                      32
  PID 2848 wrote to memory of 2956   2848  ecfcabfbcibf.exe                      32
  PID 2848 wrote to memory of 2956   2848  ecfcabfbcibf.exe                      32
  PID 2848 wrote to memory of 2628   2848  ecfcabfbcibf.exe                      34
  PID 2848 wrote to memory of 2628   2848  ecfcabfbcibf.exe                      34
  PID 2848 wrote to memory of 2628   2848  ecfcabfbcibf.exe                      34
  PID 2848 wrote to memory of 2628   2848  ecfcabfbcibf.exe                      34
  PID 2848 wrote to memory of 2068   2848  ecfcabfbcibf.exe                      36
  PID 2848 wrote to memory of 2068   2848  ecfcabfbcibf.exe                      36
  PID 2848 wrote to memory of 2068   2848  ecfcabfbcibf.exe                      36
  PID 2848 wrote to memory of 2068   2848  ecfcabfbcibf.exe                      36
  PID 2848 wrote to memory of 1952   2848  ecfcabfbcibf.exe                      38
  PID 2848 wrote to memory of 1952   2848  ecfcabfbcibf.exe                      38
  PID 2848 wrote to memory of 1952   2848  ecfcabfbcibf.exe                      38
  PID 2848 wrote to memory of 1952   2848  ecfcabfbcibf.exe                      38
  PID 2848 wrote to memory of 972    2848  ecfcabfbcibf.exe                      40
  PID 2848 wrote to memory of 972    2848  ecfcabfbcibf.exe                      40
  PID 2848 wrote to memory of 972    2848  ecfcabfbcibf.exe                      40
  PID 2848 wrote to memory of 972    2848  ecfcabfbcibf.exe                      40
Processes
- C:\Users\Admin\AppData\Local\Temp\106ce9f941d28e6d18ebea1ba1cedee4.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\106ce9f941d28e6d18ebea1ba1cedee4.exe"
  PID: 2304
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ecfcabfbcibf.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\ecfcabfbcibf.exe 3]3]4]3]8]2]0]4]0]1]4 …
    PID: 2848
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\wmic.exe (level 3)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703515898.txt bios get serialnumber
      PID: 2904
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe (level 3)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703515898.txt bios get version
      PID: 2956
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe (level 3)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703515898.txt bios get version
      PID: 2628
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\wmic.exe (level 3)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703515898.txt bios get version
      PID: 2068
    - C:\Windows\SysWOW64\Wbem\wmic.exe (level 3)
      Command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703515898.txt bios get version
      PID: 1952
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 372
      PID: 972
      Signatures: Loads dropped DLL; Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 66B
  MD5: 9025468f85256136f923096b01375964
  SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
  SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
  SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
- Filesize: 764KB
  MD5: 56e6f7c16992d8b2f5912ba01bfe93ee
  SHA1: c2c33e2445618d79aa4920acb862d533c5a153cf
  SHA256: 5a930fb5a147e14030be8ea9e869b61b236ae100559a7825637f6512c0386463
  SHA512: 8dbce6daa39070549110e426f9a5f879a25c2764787931f812ad6501b45e93d8fc9d20e183e10364f29ad73c59cfd01fd9bb8acbd69d23c59b736cd40deececa
- Filesize: 500KB
  MD5: bee923ef02d2523a5ce9250eb0bd552c
  SHA1: df50c2e2631bf9a4c6f9137cf573e5da5c872973
  SHA256: 7514b9b4d918dcf1bb5093ccaa9d1a1603e3b1882bdc1d57d9caf896bfa2e437
  SHA512: be97232784ff0854815aba417349355b943af3593dcdf8f5e426de80411c6ec594b7f913d5abc5c84508f808a530c1c8ee7a302b41f614cb710d11576eba42df
- Filesize: 322KB
  MD5: 9ce761cfe0da5b4c76614a8a9be6b861
  SHA1: f8c30fcc527f6c238673b1691abbc47e468cbc7a
  SHA256: 928b7c401d003518e2f850bbaaa77f6c202fc946e3334a9ef2252220f8a51776
  SHA512: 1721812c9baaf93c186529948d01912832e3e98f525a273fef11edd292fb3fedb1dbdda3cf2fc1b1acfc2a4a6ed33cfa0f075d0c5a861f9fac797414861bf6fc
- Filesize: 506KB
  MD5: b4e39699c559a92b25b7bbc8310350a0
  SHA1: 31d6c3247b2810ba2d1f8ee8c7eff6187b919a6d
  SHA256: 1df32d230be8383c43242711464994e42364f5cf36bcb88094a25b2981f6881a
  SHA512: 406e6b36c30e9e8dd12a738d2819205179295c09654f35cec37a7b9c8ce3a627d8d58e1f1e0f281720b7983203b6b27c96adb0f763b5944e28d01df5c47e0ed0
- Filesize: 351KB
  MD5: db63684362170af00ec3eabb9a80d24f
  SHA1: defb7dfc2023ed27788c3ff3eaecb7f6c041ca75
  SHA256: c7069844a56f9b5330f92daea213241a6cd7948b7e5b585a3a81c5e54ac8a4db
  SHA512: 81f59215bff844136b43616eabffff1ab5daaf9e4dc26ac9e1ff2ff893c8954b6ddce1396858a2a25d02648f8ba6e3623f022ec8c1227f37294d24b98208ebbc
- Filesize: 344KB
  MD5: c315a2c22182ea59426531267135eb6d
  SHA1: 47e734d9f24b40cc6fdad72a7caf1969445adef0
  SHA256: 9d6f4220031911c5bbf9f7f1222cb38a1164181c5a8f8eb5681b68983b3ea50a
  SHA512: e96fc01dcd513cf5158a097decfcce9d014280e9f3e71466f5092f360c7931d831aa8f73cfa23cb7ce5d34bc5d8d314778b72fd8fd19e0c98947ae1904cdabf0
- Filesize: 426KB
  MD5: ff3d50fc64c82e9cbc37e96f5539ffd4
  SHA1: 35e6510acdf39cafd42673445669e655a256df90
  SHA256: 95eb8f117ad744d4b338c902689f3a625e61a7d5c25ed5ccab8474f37da815b3
  SHA512: 7b4d75932236baf11809b2bb039bb68741f505714d5b6603a1b0d21ad41d8192f40118e8b4fdc3ec7bee64e791640fb6bfcd5df562827427ad14c5215a3c5361
- Filesize: 107KB
  MD5: 9080b78b9a4590a6e43e41468a387819
  SHA1: d79b2cfec3736bf6d58f627aeaad43ad75d9e142
  SHA256: 7c82ae5664963f23bd03b09fbcc5978295f482357f4c0c9f9af09828e7fab67c
  SHA512: 6f6ac05e8bda7936d9eeba49200041fd70a6b26964dc2f598fc1cc6680217b32eedd3652a9015713c182d660ae838b1f410644c56edac642649f6d03d2eb834b
- Filesize: 40KB
  MD5: 5f13dbc378792f23e598079fc1e4422b
  SHA1: 5813c05802f15930aa860b8363af2b58426c8adf
  SHA256: 6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
  SHA512: 9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5