Analysis
max time kernel: 151s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 10:03
Static task: static1
Behavioral task: behavioral1
  Sample: 15dd205f125a17ddc29c65e81a2f667d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 15dd205f125a17ddc29c65e81a2f667d.exe
  Resource: win10v2004-20231215-en
General
Target: 15dd205f125a17ddc29c65e81a2f667d.exe
Size: 225KB
MD5: 15dd205f125a17ddc29c65e81a2f667d
SHA1: 12476f8703f989e62018c371373e5c4039767bfd
SHA256: e329839e331470138383753f30fb6bae48e7688d45c3db583fdf80a68dbc92b7
SHA512: c0890989c7ff4c40f0320e22599317e513f3a0e0285df601a61de1778cf6652d7ebe80eb1c976a28f8bf3e66da08c2183531c97c6267ca02217b40d29d825394
SSDEEP: 6144:d8KneNc5QyMXkm9tRSJZb5OhX6CrdfONr:qX7vH1SLbUd6cM
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid  | Process
2716 | Vfabaa.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description     | ioc                                                                                                                                         | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\3XQZ6EO4AP = "C:\\Windows\\Vfabaa.exe" | Vfabaa.exe

Drops file in Windows directory (4 IoCs)
description                  | ioc                                                          | Process
File opened for modification | C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job | 15dd205f125a17ddc29c65e81a2f667d.exe
File created                 | C:\Windows\Vfabaa.exe                                        | 15dd205f125a17ddc29c65e81a2f667d.exe
File opened for modification | C:\Windows\Vfabaa.exe                                        | 15dd205f125a17ddc29c65e81a2f667d.exe
File created                 | C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job | 15dd205f125a17ddc29c65e81a2f667d.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description       | ioc                                                      | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 15dd205f125a17ddc29c65e81a2f667d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Vfabaa.exe

Modifies Internet Explorer settings
description | ioc                                                                                                                      | Process
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main          | Vfabaa.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\International | Vfabaa.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  | Process
2716 | Vfabaa.exe (this same row is repeated 64 times in the report)

Suspicious use of WriteProcessMemory (4 IoCs)
description                      | pid  | Process                              | procid_target
PID 2656 wrote to memory of 2716 | 2656 | 15dd205f125a17ddc29c65e81a2f667d.exe | 28
PID 2656 wrote to memory of 2716 | 2656 | 15dd205f125a17ddc29c65e81a2f667d.exe | 28
PID 2656 wrote to memory of 2716 | 2656 | 15dd205f125a17ddc29c65e81a2f667d.exe | 28
PID 2656 wrote to memory of 2716 | 2656 | 15dd205f125a17ddc29c65e81a2f667d.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\15dd205f125a17ddc29c65e81a2f667d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15dd205f125a17ddc29c65e81a2f667d.exe"
   PID: 2656
   - Drops file in Windows directory
   - Enumerates system info in registry
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Vfabaa.exe (depth 2, spawned under PID 2656)
      Command line: C:\Windows\Vfabaa.exe
      PID: 2716
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 344B
MD5: 56c54ee5a6a8bbdb653668a80a238db2
SHA1: 399b1858e48697ac1e67b07dac3fb0168c760ae7
SHA256: d9c856d1297f2f2b26275d2c67b7f6dd66ba56b4905b582f459b1275fd24e8bd
SHA512: 7c8470b3c8cfd43e4b8ac80012d96af39c1a71298d1ac842aa00cb58b90bc8610a0d875422e5c3353f4501ec4e67cebd2001710ce475d4a9fbeb9ff89c2c91d0

Filesize: 225KB
MD5: 15dd205f125a17ddc29c65e81a2f667d
SHA1: 12476f8703f989e62018c371373e5c4039767bfd
SHA256: e329839e331470138383753f30fb6bae48e7688d45c3db583fdf80a68dbc92b7
SHA512: c0890989c7ff4c40f0320e22599317e513f3a0e0285df601a61de1778cf6652d7ebe80eb1c976a28f8bf3e66da08c2183531c97c6267ca02217b40d29d825394