Analysis
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 15:34
Static task: static1
Behavioral task: behavioral1
  Sample: 793ecb02ec84ea4c5e06d998195ab019.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 793ecb02ec84ea4c5e06d998195ab019.exe
  Resource: win10v2004-20231215-en
General
Target: 793ecb02ec84ea4c5e06d998195ab019.exe
Size: 644KB
MD5: 793ecb02ec84ea4c5e06d998195ab019
SHA1: 3e9cf0e8cad88ff2247ecd11ab48e92315107d8f
SHA256: 226dc9147d7395a18d7cde61fb8798ba07a25a85828b68fad6103c5581ecbd4f
SHA512: 6eac6ca3ed392c7cb572317cbdab2190eaaefa8f0d8713687741209ad792c459383606eebf166fc84497ec75e9fa19d2e788030aac3a9263c2b8cd3a032e0859
SSDEEP: 12288:DgxIj457sC8XbgfF75YwLFGdf0AFrgbZEKrOfc8vy4hB:Dg+j4d+QNYv1XrgFEKrr866
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  3056  bedejjgbca.exe
Loads dropped DLL (11 IoCs)
  pid   Process
  2780  793ecb02ec84ea4c5e06d998195ab019.exe (4 entries)
  2740  WerFault.exe (7 entries)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  pid   pid_target  Process
  2740  3056        WerFault.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 1704 wmic.exe (40 entries; the following 20 tokens appear twice, in this order):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 2452 wmic.exe (20 entries; the same 20 tokens, in the same order):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  pid 2784 wmic.exe (4 entries shown):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
Suspicious use of WriteProcessMemory (28 IoCs; each row is listed 4 times)
  pid   wrote to memory of  Process                               procid_target
  2780  3056                793ecb02ec84ea4c5e06d998195ab019.exe  30
  3056  1704                bedejjgbca.exe                        19
  3056  2452                bedejjgbca.exe                        29
  3056  2784                bedejjgbca.exe                        27
  3056  2660                bedejjgbca.exe                        26
  3056  2440                bedejjgbca.exe                        23
  3056  2740                bedejjgbca.exe                        25
Processes
C:\Users\Admin\AppData\Local\Temp\793ecb02ec84ea4c5e06d998195ab019.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\793ecb02ec84ea4c5e06d998195ab019.exe"
  PID: 2780
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bedejjgbca.exe
      command line: C:\Users\Admin\AppData\Local\Temp\bedejjgbca.exe 9|8|7|4|8|0|2|3|6|5|4 [...]
      PID: 3056
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Wbem\wmic.exe
  command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703733843.txt bios get serialnumber
  PID: 1704
  signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\Wbem\wmic.exe
  command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703733843.txt bios get version
  PID: 2440

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 368
  PID: 2740
  signatures: Loads dropped DLL; Program crash

C:\Windows\SysWOW64\Wbem\wmic.exe
  command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703733843.txt bios get version
  PID: 2660

C:\Windows\SysWOW64\Wbem\wmic.exe
  command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703733843.txt bios get version
  PID: 2784
  signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\Wbem\wmic.exe
  command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703733843.txt bios get version
  PID: 2452
  signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 66B
MD5: 9025468f85256136f923096b01375964
SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Filesize: 169KB
MD5: a03110895e022604b5f687675fe0bb11
SHA1: eb463085dbdb50a00a1a36d5eff0e4cd1972910b
SHA256: 7cc6d4ede53e6e997ff26aaa0c4b3ab9443a4257dfc1c614f242de9910285811
SHA512: 4f6219e4227e4766be2a999b7db283a572ac569e2ffde142feffa40fa70c7409f607049d3ea1ff9076fa909f86020dadfc725fc56bad53de248415eb8d8cca1d

Filesize: 773KB
MD5: 283fce5383ca07f550450165526317e9
SHA1: d54638c64ffb4f845cda6da1029b07406faf39eb
SHA256: 3ce78665becb127f5d9538e7e141baee801d286a97df66a8cb98ee01af441117
SHA512: 9bfe5a4056c36e2f79c2a24247e7af204cc0ef1f4696a502eb2abb05877a89483616860bf4303f8133607f91ccfacee0cfdfa058ae7f5c18ff0616b0e8cd4396

Filesize: 381KB
MD5: 50fbd0fa32c7b327fbcb0b85cd23dbc3
SHA1: ce718bd9b944669e56c141a04920404618513d84
SHA256: cc6d36a0da60becb04190561ee62627fd4c896ba2e36c4d13946164c45fbfbed
SHA512: 2adcc988aeb01e146322d188293a3941c3804ccbf6770551f15f0796e21a2484c465d27725aefb72f1f6fa43e4bd12735b5ff3e50ec01080fd96b4c1cd726d75

Filesize: 92KB
MD5: e8799f0bd94d2abcda37180f0083322d
SHA1: 203fe7d9f98948ecc1dc54f3ae1a581f11304f64
SHA256: 757156ac580989292a41ed24adede8b5502f00eae9c59b352aa102d6d7ff3693
SHA512: 523f3fdde7bb1134d0db5b453016dba59428c7f83eef183ca889df6bfb8d03f96ca6c9721c303a494a44798942efc1542aec06157b8f7faa81fa30826cbb0b50

Filesize: 93KB
MD5: 6fe752e22ab04bf2171f160eeaa273f9
SHA1: 9c6878ba59cdfd631823c614a76f9ff575fd784d
SHA256: 4dfd3458cc1b83ca7d6462b9992818240b2563a66e0cd3170d91eadc4a32a5de
SHA512: 91be6cd844061f267052f156948fa947670713521186817a7411414c82cdc5f19e6daa90f7e590796dda8d2c0281094ae15eeecbe43dabe4f772c7cbeed4df58