Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 28/12/2023, 21:22
Static task
- static1
Behavioral task
- behavioral1: sample f8fc64321bc5e2eb39b999154c122b1d.exe, resource win7-20231215-en
Behavioral task
- behavioral2: sample f8fc64321bc5e2eb39b999154c122b1d.exe, resource win10v2004-20231222-en
General
- Target: f8fc64321bc5e2eb39b999154c122b1d.exe
- Size: 575KB
- MD5: f8fc64321bc5e2eb39b999154c122b1d
- SHA1: 7ab2d25a66ce875832b1b0f537dbe77efc3a1bd3
- SHA256: 1356a5fd4fc5cf564472f4658a366f59f3a60a8371e97918bd283ed5f5b75af9
- SHA512: d3b4e322c005d1060ac63556c5942f5eacfaab6cf5353e478e5d5ef9f2b5a8fb95b48b3aadb54ed4608bb6caf7867dfb110b384c39ebee144728b5bc9a874c48
- SSDEEP: 12288:cSSc5f0V5iPd5lAurV6EGEEfSxoapDe3buf+RZjNuqYBE:c0f9HlVrV6EPpmPcM
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2744  bbjcabfdccbb.exe
- Loads dropped DLL (10 IoCs)
  pid   Process
  2264  f8fc64321bc5e2eb39b999154c122b1d.exe (3 entries)
  2828  WerFault.exe (7 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2828  2744        WerFault.exe  31
  WerFault.exe was started for PID 2744, i.e. the dropped bbjcabfdccbb.exe crashed during the run. procid_target is tria.ge's own process index for the crashed process (index 31 = PID 2744), not a Windows PID.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description pid Process
  Tokens enabled by pid 2788 wmic.exe, in two identical passes of 20 (40 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  Tokens enabled by pid 2624 wmic.exe (20 IoCs): the same 20 tokens, once
  Tokens enabled by pid 2708 wmic.exe (4 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
  Every entry is attributed to wmic.exe, the WMI command-line client, which enables the privileges available to its token on its own at startup; the signature therefore records the child tool's behaviour rather than code in the sample. The unnamed tokens 33, 34 and 35 are privilege LUIDs the report did not resolve (on Windows 7: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).
- Suspicious use of WriteProcessMemory (31 IoCs)
  description                   pid   Process                                procid_target  entries
  2264 wrote to memory of 2744  2264  f8fc64321bc5e2eb39b999154c122b1d.exe   31             7
  2744 wrote to memory of 2788  2744  bbjcabfdccbb.exe                       21             4
  2744 wrote to memory of 2624  2744  bbjcabfdccbb.exe                       24             4
  2744 wrote to memory of 2708  2744  bbjcabfdccbb.exe                       30             4
  2744 wrote to memory of 2552  2744  bbjcabfdccbb.exe                       28             4
  2744 wrote to memory of 2992  2744  bbjcabfdccbb.exe                       26             4
  2744 wrote to memory of 2828  2744  bbjcabfdccbb.exe                       40             4
  Each target is a process the writer had just created (a parent writes start-up data into a new child), so this table is best read as the process-creation chain: the submitted sample (2264) creates the dropped bbjcabfdccbb.exe (2744), which creates the five wmic.exe instances (2788, 2624, 2708, 2552, 2992) and, on crashing, WerFault.exe (2828). procid_target is again the sandbox's process index, not a PID.
Processes
- C:\Users\Admin\AppData\Local\Temp\f8fc64321bc5e2eb39b999154c122b1d.exe
  "C:\Users\Admin\AppData\Local\Temp\f8fc64321bc5e2eb39b999154c122b1d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2264
  - C:\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe
    C:\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe 7-7-3-9-0-6-0-4-1-9-0 … (remaining arguments elided in the source)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2744
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 368
      - Loads dropped DLL
      - Program crash
      PID:2828
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get serialnumber
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version
  PID:2992
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version
  PID:2552
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

The report lists the five wmic.exe processes at the top level, but the WriteProcessMemory table above shows all five were created by bbjcabfdccbb.exe (PID 2744). They query the BIOS serial number and version through WMI and redirect the result to the same file in the user's Temp directory; BIOS identity is a common input for recognising a virtual machine or sandbox, so a dropped executable that queries it immediately after starting, and then crashes, is worth treating as an environment check rather than as benign inventory.
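The parent/child relationships and command lines above are enough to reconstruct the creation chain and to flag the BIOS-fingerprinting pattern mechanically. The script below is an added example for this page, not tria.ge code; its two inputs are copied from the report's WriteProcessMemory table (one line per distinct entry) and from the Processes list, and the Temp-directory and "wmic ... bios get" heuristics are the editor's own choice of detection rule.

```python
import re
from collections import defaultdict

# Constructed input: one line per distinct entry of the report's
# "Suspicious use of WriteProcessMemory" table (the report repeats each
# entry several times; the trailing number is tria.ge's process index,
# not a PID).
WPM_RECORDS = """
PID 2264 wrote to memory of 2744 2264 f8fc64321bc5e2eb39b999154c122b1d.exe 31
PID 2744 wrote to memory of 2788 2744 bbjcabfdccbb.exe 21
PID 2744 wrote to memory of 2624 2744 bbjcabfdccbb.exe 24
PID 2744 wrote to memory of 2708 2744 bbjcabfdccbb.exe 30
PID 2744 wrote to memory of 2552 2744 bbjcabfdccbb.exe 28
PID 2744 wrote to memory of 2992 2744 bbjcabfdccbb.exe 26
PID 2744 wrote to memory of 2828 2744 bbjcabfdccbb.exe 40
"""

# Constructed input: PID -> command line, copied from the "Processes" list
# (the elided arguments of bbjcabfdccbb.exe are left out).
PROCESSES = {
    2264: r'"C:\Users\Admin\AppData\Local\Temp\f8fc64321bc5e2eb39b999154c122b1d.exe"',
    2744: r'C:\Users\Admin\AppData\Local\Temp\bbjcabfdccbb.exe 7-7-3-9-0-6-0-4-1-9-0',
    2828: r'C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 368',
    2788: r'wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get serialnumber',
    2624: r'wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version',
    2992: r'wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version',
    2552: r'wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version',
    2708: r'wmic /output:C:\Users\Admin\AppData\Local\Temp\81704832850.txt bios get version',
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
BIOS_QUERY_RE = re.compile(r"\bwmic\b.*\bbios\s+get\s+(serialnumber|version)\b", re.I)
WMIC_OUTPUT_RE = re.compile(r"/output:(\S+)", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
WERFAULT_RE = re.compile(r"\bWerFault\.exe\b.*\s-p\s+(\d+)\b", re.I)


def parse_wpm(text):
    """Map child PID -> (parent PID, parent image) from the WriteProcessMemory table.
    In this report a process that writes into another's memory is its creator."""
    edges = {}
    for m in WPM_RE.finditer(text):
        src, dst, image = int(m.group(1)), int(m.group(2)), m.group(3)
        edges[dst] = (src, image)
    return edges


def bios_fingerprinting(edges, processes):
    """Return {parent_pid: [wmic pids]} for processes running from a user Temp
    directory that spawn 'wmic ... bios get serialnumber|version' queries."""
    hits = defaultdict(list)
    for pid, cmd in processes.items():
        if not BIOS_QUERY_RE.search(cmd) or pid not in edges:
            continue
        parent_pid, _ = edges[pid]
        if USER_TEMP_RE.search(processes.get(parent_pid, "")):
            hits[parent_pid].append(pid)
    return dict(hits)


def wmic_output_files(processes):
    """Distinct /output: targets of the BIOS queries (the report shows one file reused)."""
    return sorted({m.group(1) for cmd in processes.values()
                   for m in WMIC_OUTPUT_RE.finditer(cmd) if BIOS_QUERY_RE.search(cmd)})


def crashed_temp_processes(processes):
    """PIDs of Temp-directory processes for which WerFault.exe was started (-p <pid>)."""
    crashed = []
    for cmd in processes.values():
        m = WERFAULT_RE.search(cmd)
        if m and USER_TEMP_RE.search(processes.get(int(m.group(1)), "")):
            crashed.append(int(m.group(1)))
    return crashed


if __name__ == "__main__":
    edges = parse_wpm(WPM_RECORDS)
    for parent, kids in bios_fingerprinting(edges, PROCESSES).items():
        print(f"{PROCESSES[parent].split()[0]} (pid {parent}) ran {len(kids)} BIOS queries: {kids}")
    print("wmic output files:", wmic_output_files(PROCESSES))
    print("crashed Temp-dir processes:", crashed_temp_processes(PROCESSES))
```

Run against the report's data it attributes all five BIOS queries to bbjcabfdccbb.exe (PID 2744), shows they share a single output file in Temp, and confirms that the same process is the one WerFault.exe was started for. The same three checks map directly onto process-creation telemetry (Sysmon event 1 or EDR equivalents) outside the sandbox: parent image in a user-writable directory, child command line matching the wmic BIOS query, and a WerFault.exe -p referencing that parent.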
Network
MITRE ATT&CK Enterprise v15
Downloads
(File names and paths were not captured in this extraction; only sizes and hashes survive.)
- Filesize: 66B
  MD5: 9025468f85256136f923096b01375964
  SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
  SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
  SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
- Filesize: 381KB
  MD5: 14a0444285985b05543918309d1d781c
  SHA1: 2835a3f5ea5ecf754d9b889ab8e84fa095a7447f
  SHA256: 4491aa3b6ca90206665c8f0e082289053e74fb43a783752e7f3f3e6869074785
  SHA512: 93657311e1aca496858b6b4df8f717a9e669aa910d37ff67df1f648366b6e295a7cdd7d7c234d9701ff9477840f7864d8c55c5279d6e35ac663075c63459e19e
- Filesize: 111KB
  MD5: f77cdda6c86781185bbd665b1d1fe54e
  SHA1: 128346254df7243521e8ff5ad8933fba998b49b8
  SHA256: 2e561b51631b85b1520e13877b46f24a5960099484857fbc7e897e389a2d319e
  SHA512: aca6dbda68308551e3bc7469828df78e62c0a58db3b8f011aca1e0bb049316e6eec70837ed30437f9d8cc84def4f537b7538e0c4c93385bd0d762770ceb53262
- Filesize: 538KB
  MD5: 87d39a05e92422873a9aaf35d29b91f3
  SHA1: 8a93359f01a394a88674049d2d9b230dcc35d21d
  SHA256: 4202a6af0483a468970181c0fcd1e006cf3dd5e2b9fb2ce3165a5ca6c848cabc
  SHA512: 98a34ebbc2bbd28acc60898cc77e8e03f73d81d6a45f55f9b418200234e0ef0a45b738c863fc6e0f1f9ab59654d60884315d74b1ea9624c512c6e462c2537410
- Filesize: 106KB
  MD5: dfa53215a9216495e44157115d59323c
  SHA1: 46ddb55ac2a7222f902136dbba29c38803979ade
  SHA256: fae45e841b09e0e48c8b2a1e10c6c9210fc50eeb1049f5def29f8c84ae3534c8
  SHA512: 01dbc44023a5b662c2b05cb75f65275c37e5e0459191b3c2f3280914b47b3ef6f05973ad6b4b515ce20edde1294c44c03ed27cba624b62531ca56f7681efac61
- Filesize: 114KB
  MD5: 6f855a4c074c19e8a0fb598b16322e2c
  SHA1: e6637d5114101a806ac30be60d3d7b1cd3569fd9
  SHA256: 9056307ef936a3903bf78228bb18e0149b08452f39dd763e757aed7446908a84
  SHA512: 442deac33f65af4e313041d88083c75c58498c5b82b1a84be5000db14b999a98de636b8f2b7beb9dcf90ce67bcf0a276e7d92d379cb1418bcc46eb3e15bb174e
- Filesize: 323KB
  MD5: c0e945be46d01da1456c039306471632
  SHA1: a0422ac0c42ab2e04177e26383c93d69ecd29a94
  SHA256: 689d941b25fbb09a6fd740af0e31d5d66ebfae5d124155e0d372e7078ec00726
  SHA512: d69593b101870245dfe810750dab5c1a86d2f989a02a873755c5b60c203ecefea8b8dc8d1a45cf5a0bdf4842cad4e4ded4ebfbea2d6ec1e06bb0ff8243cf62cf
- Filesize: 137KB
  MD5: 68b3c781e8fe5656f67039f9d2cc00d1
  SHA1: 4aa588b3650e416e8668675b2d5bfd7c45c9ecaf
  SHA256: 7b5ef69abd8c79be1fff9a121f846ea6d2f537c3a5e50c04024c737c5196f9aa
  SHA512: 341e729b7f73a383fa6200322a995a4d4ea7c9495f871fffbab9180f495ab44a74898c9db14b912cad37db4738e87b57cfd6412eb8af7fb19e991318a478cf78
- Filesize: 205KB
  MD5: 2ba1f392a5e40923adbddbec812e8c1c
  SHA1: 8019c82310c09ade0a5c8646fccf7aef88281219
  SHA256: 7aa53cee35ff41b8d51a3102522f2063bb371a6e62d9c970f2d862efb0659b4a
  SHA512: ac79702e743d6b89aa4ed1baa7ecf4eb98e1b53bbffa873c93aeb13e6f2846c7613faae5dded3f5b8a4914d25c403250a26da5904938a9a805fb7a551c6dc4af
- Filesize: 126KB
  MD5: 882e143e27e8cc053cf1f99d0dfa6f0c
  SHA1: d9e95c957f67ce5aa8fda39700281d5c96339dd4
  SHA256: 9beab2f71d2ed07ffa23c2f76264d3ec6611a65e802c29ecddbd069021b26c1e
  SHA512: 1ca479f9cbbfbb5d4796abc836c8b0f767b95fec6ed9e20182cce1ef166b42f281ef0b98e91b1fdedb222d5af2eeaddc1e6877686ae7a1e20370a819d92759eb
- Filesize: 94KB
  MD5: 279d1e6dd775c5bfc6753697d4e80ef1
  SHA1: 8a887ab2143174b7a51a15020f110f81777d2a82
  SHA256: 7b96694ad9f40c3741993400afb76edf7e1aa0692ce6bc26236d852c594f3dbc
  SHA512: b6354464bc424131b335f88147350a6ba4e6e3c0be4537e243eb8a9ae8801640e7f50dc02d8fd1952b598ed5a628c038e5fc2f8794809152fee55eca6cd711d9
- Filesize: 27KB
  MD5: 0bdd1fe9b5e5f8c390b3d9d582edeb61
  SHA1: 7ed2ba7eb026f4c6f18bb13984b3b7ddd6005c01
  SHA256: 15142e526974c6483ba9f38eaff6515157e60c56d0a039958053441000893488
  SHA512: 030d21cba9a594f9cac8a25f62ad519a43af00a8450ba934dada4eb27a35983ad9c96d58469e8afc2c6c360bfd714b982e8295eaa3add353aa59533fd9969ea7