Analysis
max time kernel: 142s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 01:08
Static task: static1
  1 signatures

Behavioral task: behavioral1
  Sample: 1f4f390b42a7f516013d7db571b32115.exe
  Resource: win7-20231129-en
  6 signatures
  150 seconds

Behavioral task: behavioral2
  Sample: 1f4f390b42a7f516013d7db571b32115.exe
  Resource: win10v2004-20231215-en
  5 signatures
  150 seconds
General
Target: 1f4f390b42a7f516013d7db571b32115.exe
Size: 724KB
MD5: 1f4f390b42a7f516013d7db571b32115
SHA1: 8dddb9ff68c0d1dbc62a782cae2d64c4eb18091c
SHA256: 6bd83bf1f9e735a3c7951f8f55f22cf31156063ad56bf80f94238fd02faf4ffc
SHA512: d517552bea5b825de25de86d6332a28480078294c62761ea576c3648792dcdc806d984a375c3275e38820bc6ad61a7fdf0e6712fd0c0168af8d2ef9ad42432d0
SSDEEP: 12288:Fkfc1hZjmvZQy58/fviZ8rJSgmP21uJ0m5FvRx58bCjFVBPnBhTp/KZ:d1zjmvG3i2la15TgwRBvS
Score: 7/10
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  1572  SERVER~1.EXE
  2264  Bifrost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 1f4f390b42a7f516013d7db571b32115.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1572  SERVER~1.EXE
  1572  SERVER~1.EXE
  1572  SERVER~1.EXE
  1572  SERVER~1.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2264  Bifrost.exe
  2264  Bifrost.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                               procid_target
  PID 516 wrote to memory of 1572    516   1f4f390b42a7f516013d7db571b32115.exe  23
  PID 516 wrote to memory of 1572    516   1f4f390b42a7f516013d7db571b32115.exe  23
  PID 516 wrote to memory of 1572    516   1f4f390b42a7f516013d7db571b32115.exe  23
  PID 1572 wrote to memory of 3492   1572  SERVER~1.EXE                          49
  PID 1572 wrote to memory of 3492   1572  SERVER~1.EXE                          49
  PID 1572 wrote to memory of 3492   1572  SERVER~1.EXE                          49
  PID 1572 wrote to memory of 3492   1572  SERVER~1.EXE                          49
  PID 1572 wrote to memory of 3492   1572  SERVER~1.EXE                          49
  PID 1572 wrote to memory of 3492   1572  SERVER~1.EXE                          49
  PID 516 wrote to memory of 2264    516   1f4f390b42a7f516013d7db571b32115.exe  22
  PID 516 wrote to memory of 2264    516   1f4f390b42a7f516013d7db571b32115.exe  22
  PID 516 wrote to memory of 2264    516   1f4f390b42a7f516013d7db571b32115.exe  22
Processes

C:\Users\Admin\AppData\Local\Temp\1f4f390b42a7f516013d7db571b32115.exe  (level 1, PID 516)
  command line: "C:\Users\Admin\AppData\Local\Temp\1f4f390b42a7f516013d7db571b32115.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bifrost.exe  (level 2, PID 2264)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bifrost.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE  (level 2, PID 1572)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

C:\Windows\Explorer.EXE  (level 1, PID 3492)
  command line: C:\Windows\Explorer.EXE