Analysis
  max time kernel:  144s
  max time network: 148s
  platform:         windows7_x64
  resource:         win7-20231215-en
  resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:        26/12/2023, 06:34
Static task: static1
Behavioral task: behavioral1
  Sample:   59e4d7381bc4f6fb0ecab5dae0ea4524.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample:   59e4d7381bc4f6fb0ecab5dae0ea4524.exe
  Resource: win10v2004-20231215-en
General
  Target: 59e4d7381bc4f6fb0ecab5dae0ea4524.exe
  Size:   78KB
  MD5:    59e4d7381bc4f6fb0ecab5dae0ea4524
  SHA1:   ff2069e6e43edbbcfdb1d3af7dea764b7cddacec
  SHA256: 3ac8676a1a323bf1b9346c002e4cc9e67b976d16607ff85b95ef1ae7e0774830
  SHA512: f1479b03154d3bfbfefd8bdafc9901b358899e1ae53d4d9c31057ad154c39078fad54fecc6348c64a697e20f9163a3eeb5003ee2945d06bbff47d8b752e270c6
  SSDEEP: 1536:buHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQteR9/+R1rI:buHYn3xSyRxvY3md+dWWZyeR9/+Y
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2744  tmpCFC.tmp.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2988  59e4d7381bc4f6fb0ecab5dae0ea4524.exe
  2988  59e4d7381bc4f6fb0ecab5dae0ea4524.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""  tmpCFC.tmp.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2988  59e4d7381bc4f6fb0ecab5dae0ea4524.exe
  Token: SeDebugPrivilege  2744  tmpCFC.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                               procid_target
  PID 2988 wrote to memory of 616   2988  59e4d7381bc4f6fb0ecab5dae0ea4524.exe  31
  PID 2988 wrote to memory of 616   2988  59e4d7381bc4f6fb0ecab5dae0ea4524.exe  31
  PID 2988 wrote to memory of 616   2988  59e4d7381bc4f6fb0ecab5dae0ea4524.exe  31
  PID 2988 wrote to memory of 616   2988  59e4d7381bc4f6fb0ecab5dae0ea4524.exe  31
  PID 616 wrote to memory of 2236   616   vbc.exe                               29
  PID 616 wrote to memory of 2236   616   vbc.exe                               29
  PID 616 wrote to memory of 2236   616   vbc.exe                               29
  PID 616 wrote to memory of 2236   616   vbc.exe                               29
  PID 2988 wrote to memory of 2744  2988  59e4d7381bc4f6fb0ecab5dae0ea4524.exe  28
  PID 2988 wrote to memory of 2744  2988  59e4d7381bc4f6fb0ecab5dae0ea4524.exe  28
  PID 2988 wrote to memory of 2744  2988  59e4d7381bc4f6fb0ecab5dae0ea4524.exe  28
  PID 2988 wrote to memory of 2744  2988  59e4d7381bc4f6fb0ecab5dae0ea4524.exe  28
Processes

Image:        C:\Users\Admin\AppData\Local\Temp\59e4d7381bc4f6fb0ecab5dae0ea4524.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\59e4d7381bc4f6fb0ecab5dae0ea4524.exe"
Depth:        1
PID:          2988
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Image:        C:\Users\Admin\AppData\Local\Temp\tmpCFC.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmpCFC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\59e4d7381bc4f6fb0ecab5dae0ea4524.exe
  Depth:        2
  PID:          2744
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken

  Image:        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8a9fiqqa.cmdline"
  Depth:        2
  PID:          616
    - Suspicious use of WriteProcessMemory

Image:        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD79.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD78.tmp"
Depth:        1
PID:          2236
Network
MITRE ATT&CK Enterprise v15
Downloads