Analysis
  max time kernel: 117s
  max time network: 136s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 29/12/2023, 23:20
Static task: static1
Behavioral task: behavioral1
  Sample: 06bd1c63573a48a71310b959641d23bb.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 06bd1c63573a48a71310b959641d23bb.exe
  Resource: win10v2004-20231215-en
General
  Target: 06bd1c63573a48a71310b959641d23bb.exe
  Size: 685KB
  MD5: 06bd1c63573a48a71310b959641d23bb
  SHA1: fe02b7367cac1bfaee3d59fb0628219d007194a3
  SHA256: 8b00bbecc52caff3797ac005162bb62d94777c93fd09a6c3dee621754c2cfa1e
  SHA512: 8eed1a1fd94962fde1fcd3c3a0e8bc97ca9bd08f07f488d3eb0bdfe36405f1289d766aba77386b4fe61c004002df7339f9ca7aa50d6476bb6de135872e25ca3f
  SSDEEP: 12288:HT/Hi+J0ggApehPUVZ1Dh5Lqu7p9I+C2fw8K6B76G4KNfc8vy4hJ/:HrC+JNgINGCs248Kg4d86K/
Malware Config
Signatures
Executes dropped EXE 1 IoCs
  pid 2780  bedfiibheb.exe

Loads dropped DLL 11 IoCs
  pid 2520  06bd1c63573a48a71310b959641d23bb.exe  (4 entries)
  pid 1240  WerFault.exe  (7 entries)

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
  pid 1240  WerFault.exe  pid_target 2780  procid_target 28

Suspicious use of AdjustPrivilegeToken 64 IoCs
  pid 2920  wmic.exe  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35  (this 20-token sequence is recorded twice)
  pid 2596  wmic.exe  Token: the same 20-token sequence, recorded once
  pid 2676  wmic.exe  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege  (the record ends here)

Suspicious use of WriteProcessMemory 28 IoCs
  Each write below is recorded four times.
  PID 2520  06bd1c63573a48a71310b959641d23bb.exe  wrote to memory of 2780  procid_target 28
  PID 2780  bedfiibheb.exe  wrote to memory of 2920  procid_target 29
  PID 2780  bedfiibheb.exe  wrote to memory of 2596  procid_target 32
  PID 2780  bedfiibheb.exe  wrote to memory of 2676  procid_target 34
  PID 2780  bedfiibheb.exe  wrote to memory of 2180  procid_target 36
  PID 2780  bedfiibheb.exe  wrote to memory of 524   procid_target 38
  PID 2780  bedfiibheb.exe  wrote to memory of 1240  procid_target 40
Processes
  C:\Users\Admin\AppData\Local\Temp\06bd1c63573a48a71310b959641d23bb.exe  (PID 2520)
    command line: "C:\Users\Admin\AppData\Local\Temp\06bd1c63573a48a71310b959641d23bb.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bedfiibheb.exe  (PID 2780)
      command line: C:\Users\Admin\AppData\Local\Temp\bedfiibheb.exe 8#2#1#5#0#0#4#4#3#0#1 […]
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 2920)
        command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get serialnumber
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 2596)
        command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 2676)
        command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 2180)
        command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
      C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 524)
        command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
      C:\Windows\SysWOW64\WerFault.exe  (PID 1240)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 372
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads