Analysis
- max time kernel: 141s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 01:08
Static task: static1
Behavioral task: behavioral1
- Sample: 1f4f390b42a7f516013d7db571b32115.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 1f4f390b42a7f516013d7db571b32115.exe
- Resource: win10v2004-20231215-en
General
- Target: 1f4f390b42a7f516013d7db571b32115.exe
- Size: 724KB
- MD5: 1f4f390b42a7f516013d7db571b32115
- SHA1: 8dddb9ff68c0d1dbc62a782cae2d64c4eb18091c
- SHA256: 6bd83bf1f9e735a3c7951f8f55f22cf31156063ad56bf80f94238fd02faf4ffc
- SHA512: d517552bea5b825de25de86d6332a28480078294c62761ea576c3648792dcdc806d984a375c3275e38820bc6ad61a7fdf0e6712fd0c0168af8d2ef9ad42432d0
- SSDEEP: 12288:Fkfc1hZjmvZQy58/fviZ8rJSgmP21uJ0m5FvRx58bCjFVBPnBhTp/KZ:d1zjmvG3i2la15TgwRBvS
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  2976  SERVER~1.EXE
  2664  Bifrost.exe
Loads dropped DLL (4 IoCs)
  pid   Process
  3004  1f4f390b42a7f516013d7db571b32115.exe  (4 loads)
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                   Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  1f4f390b42a7f516013d7db571b32115.exe
  Note: a RunOnce value named wextract_cleanup0 pointing at advpack.dll,DelNodeRunDLL32, together with the IXP000.TMP folder, is the standard footprint of a Microsoft IExpress (wextract.exe) self-extracting package. The entry deletes the temporary extraction folder at next logon, so it is cleanup of the dropped files rather than a persistence mechanism; the signature fires on the RunOnce write regardless. The report records no other Run or RunOnce writes, so any persistence by Bifrost.exe or SERVER~1.EXE is not shown here.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2976  SERVER~1.EXE  (2 events)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2664  Bifrost.exe  (2 events)
Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process                               procid_target  rows
  PID 3004 wrote to memory of 2976  3004  1f4f390b42a7f516013d7db571b32115.exe  16             4
  PID 2976 wrote to memory of 1268  2976  SERVER~1.EXE                          22             6
  PID 3004 wrote to memory of 2664  3004  1f4f390b42a7f516013d7db571b32115.exe  15             4
  Note: the writes from 3004 into 2976 and 2664 are the dropper writing into the two processes it created. Target 1268 is Explorer.EXE (see Processes), which the sample did not spawn; SERVER~1.EXE writing into the already-running shell is the cross-process write that indicates code injection and is the event to escalate.
Processes
- C:\Users\Admin\AppData\Local\Temp\1f4f390b42a7f516013d7db571b32115.exe  (PID 3004)
  command line: "C:\Users\Admin\AppData\Local\Temp\1f4f390b42a7f516013d7db571b32115.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bifrost.exe  (PID 2664)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bifrost.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE  (PID 2976)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
- C:\Windows\Explorer.EXE  (PID 1268; pre-existing shell, not spawned by the sample)
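The WriteProcessMemory rows and the process tree above are enough to separate the dropper's routine writes into its own children from the write into Explorer.EXE, and to read the RunOnce value for what it is. The following Python is an added example, not code from the tria.ge report or from the sample: the process table, the IoC rows and the RunOnce value are copied from this report, and the function names are the example's own.

```python
"""Triage of the WriteProcessMemory rows and process tree in this report.

Added example; not part of the tria.ge report or of the sample. The input
rows are copied from the report's "Suspicious use of WriteProcessMemory"
table, the process list from its "Processes" tree and the RunOnce value
from its "Adds Run key" signature. Function names are the example's own.
"""
import re
from collections import Counter

# pid -> (image, parent pid). Explorer.EXE is the pre-existing shell; the
# report lists it at depth 1, outside the sample's tree.
PROCESSES = {
    3004: ("1f4f390b42a7f516013d7db571b32115.exe", None),
    2664: ("Bifrost.exe", 3004),
    2976: ("SERVER~1.EXE", 3004),
    1268: ("Explorer.EXE", None),
}

# The report's flattened table, one row per line (copied, not constructed).
WPM_ROWS = """\
PID 3004 wrote to memory of 2976 3004 1f4f390b42a7f516013d7db571b32115.exe 16
PID 3004 wrote to memory of 2976 3004 1f4f390b42a7f516013d7db571b32115.exe 16
PID 3004 wrote to memory of 2976 3004 1f4f390b42a7f516013d7db571b32115.exe 16
PID 3004 wrote to memory of 2976 3004 1f4f390b42a7f516013d7db571b32115.exe 16
PID 2976 wrote to memory of 1268 2976 SERVER~1.EXE 22
PID 2976 wrote to memory of 1268 2976 SERVER~1.EXE 22
PID 2976 wrote to memory of 1268 2976 SERVER~1.EXE 22
PID 2976 wrote to memory of 1268 2976 SERVER~1.EXE 22
PID 2976 wrote to memory of 1268 2976 SERVER~1.EXE 22
PID 2976 wrote to memory of 1268 2976 SERVER~1.EXE 22
PID 3004 wrote to memory of 2664 3004 1f4f390b42a7f516013d7db571b32115.exe 15
PID 3004 wrote to memory of 2664 3004 1f4f390b42a7f516013d7db571b32115.exe 15
PID 3004 wrote to memory of 2664 3004 1f4f390b42a7f516013d7db571b32115.exe 15
PID 3004 wrote to memory of 2664 3004 1f4f390b42a7f516013d7db571b32115.exe 15
"""
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")

# RunOnce value from the report with its display escaping removed.
RUNONCE_VALUE = (
    r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
    r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'
)

def parse_wpm(text):
    """(writer pid, target pid, writer image, report target id) per row."""
    return [(int(m[1]), int(m[2]), m[3], int(m[4])) for m in WPM_RE.finditer(text)]

def summarize(rows):
    """Collapse the repeated rows into a write count per (writer, target)."""
    return Counter((src, dst) for src, dst, _, _ in rows)

def is_descendant(pid, root, processes):
    """True if pid is root or reaches root by following parent links."""
    seen = set()
    while pid is not None and pid not in seen:
        if pid == root:
            return True
        seen.add(pid)
        pid = processes.get(pid, (None, None))[1]
    return False

def find_injections(rows, processes, root):
    """Distinct cross-process writes into a target outside the sample's tree.

    A dropper writing into children it just spawned is routine; a write into
    a process it did not create (here the shell) is the event to escalate.
    """
    hits = []
    for src, dst, src_image, _ in rows:
        if src != dst and not is_descendant(dst, root, processes):
            hit = (src_image, src, processes.get(dst, ("<unknown>", None))[0], dst)
            if hit not in hits:
                hits.append(hit)
    return hits

def wextract_cleanup_dir(value):
    """Folder an IExpress wextract_cleanup RunOnce entry deletes at next logon.

    advpack.dll!DelNodeRunDLL32 removes the quoted path, so the dropped
    payloads vanish on reboot; this entry is cleanup, not persistence.
    """
    m = re.search(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', value)
    return m.group(1) if m else None

if __name__ == "__main__":
    rows = parse_wpm(WPM_ROWS)
    for (src, dst), n in sorted(summarize(rows).items()):
        print(f"{src} -> {dst}: {n} writes")
    for src_image, src, dst_image, dst in find_injections(rows, PROCESSES, 3004):
        print(f"escalate: {src_image} ({src}) wrote into {dst_image} ({dst})")
    print("wextract cleanup target:", wextract_cleanup_dir(RUNONCE_VALUE))
```

Run as-is, the script reduces the 14 rows to three writer/target pairs, reports only the SERVER~1.EXE write into Explorer.EXE as an injection candidate, and prints the IXP000.TMP folder that the RunOnce entry will delete, which is why the dropped payloads should be collected from the sandbox before relying on a reboot-and-reimage workflow.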
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 50KB
  MD5: 15125a0c40de42ea005c6a4b644509b6
  SHA1: 5b6bb9bfe1292e0484c5810c4e849ea93b7318fc
  SHA256: d263207ca0f37e8f84e3ab327b6872b44d7eb7241e42147335ceaac0d1499fa8
  SHA512: 95d4c7ad359fd5ea5dd7d01d73bba5c69bc309d5fc2efbdb7464e1db4412e4e1e6037f5798fdcb245247ffab1b808621aa5098351295cf5fa913e7fcf63cc747