Analysis

  • max time kernel
    117s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/12/2023, 23:20

General

  • Target

    06bd1c63573a48a71310b959641d23bb.exe

  • Size

    685KB

  • MD5

    06bd1c63573a48a71310b959641d23bb

  • SHA1

    fe02b7367cac1bfaee3d59fb0628219d007194a3

  • SHA256

    8b00bbecc52caff3797ac005162bb62d94777c93fd09a6c3dee621754c2cfa1e

  • SHA512

    8eed1a1fd94962fde1fcd3c3a0e8bc97ca9bd08f07f488d3eb0bdfe36405f1289d766aba77386b4fe61c004002df7339f9ca7aa50d6476bb6de135872e25ca3f

  • SSDEEP

    12288:HT/Hi+J0ggApehPUVZ1Dh5Lqu7p9I+C2fw8K6B76G4KNfc8vy4hJ/:HrC+JNgINGCs248Kg4d86K/

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06bd1c63573a48a71310b959641d23bb.exe
    "C:\Users\Admin\AppData\Local\Temp\06bd1c63573a48a71310b959641d23bb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\bedfiibheb.exe
      C:\Users\Admin\AppData\Local\Temp\bedfiibheb.exe 8#2#1#5#0#0#4#4#3#0#1 J05IPz0zLC4vIC5LU0FLSUQ5LB0vTT1SVkpSS0VAOjAfJ0JITlRJQDkvNzMrLh8qQ0lAOS0gLkhQTj9VQ1BbRkQ8KTQ4LyAvT0FPVkRKXVRNTD1kcHFwOSctcm12LkBBUEssTE1PKEFQTCpGTkVHHi4+TEk/R0ZEPG9QT0JCTD9MPzI4QVFAQ0swPU8+QkguNB8qRDE5KS4gLjwwPCgxICtAMD0sKR4uPzQ9KS0dL0MtOywsIC9MTkxEVDtSXktSSVI9QFk8GC1PTU9EUT9RX0RNSkA4IC9MTkxEVDtSXklBTUE5HS9EUENeUFJMORwsRVc9XUJIRExFSkI9HydGTk5UXz5OTFdSPVA8KyAvUEQ+TkpRTVRaVVJIOR0vVUU7MRsvRE8tOiAuSlNNT0lNQVtURUs7TUxASU09Q0JVUUQ7HypJU1tOUk5TQUtEOHRycWEdL1E9UlRNTklKQ1xVUj1QXj9BWU85LyAuQEdDQFg9LRwsSVJXQlhJQU1FP1xFTTtQWEtURUA5Y2Fra2MfKkRPU0pJT0A8XUhLPTItMisxMigsMDQyLi0sHS9POVBAR0xFSFtGTlJMP0tHPWZdaHBlHydSSEhFPS0wMDU3MTA1NDUgK0BMV01ETUA/X1RFSUI9NicxLi0wMTEmMDovLDg0MCpBSQ==
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2920
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
        3⤵
        PID:2180
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81703919842.txt bios get version
        3⤵
        PID:524
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 372
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1240

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\81703919842.txt
    Filesize
    66B
    MD5
    9025468f85256136f923096b01375964
    SHA1
    7fcd174999661594fa5f88890ffb195e9858cc52
    SHA256
    d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
    SHA512
    92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

  • C:\Users\Admin\AppData\Local\Temp\bedfiibheb.exe
    Filesize
    906KB
    MD5
    5f9f9b69e702f2923ee043d01d8700a4
    SHA1
    24efbfa22795945e302e6ca2a49ab3838818a3b1
    SHA256
    d3a47aae351ad22b7728e643a9baf1a123350da7eb2d24ad0205c825a3dc73c9
    SHA512
    1a35e31715ad4af2cfd4c15e81bf3d2942d639ef6add6346023f89c1325b6f96d45ad8bd154cf82bee397dc71c8d238dd3c51543f474807076cd8ca065410aee

  • C:\Users\Admin\AppData\Local\Temp\nsoB04D.tmp\guivgig.dll
    Filesize
    161KB
    MD5
    4512019defa05ddabaf404bb9198c0d5
    SHA1
    11766c8aab95eab088817bc092668649be343081
    SHA256
    9d9098ab22edbe4a14e9f879a1e348c480752b49db07d3856874e5f3c53c86c5
    SHA512
    8d073a81c2314abce508664f1df2f2f3a6a1f88685ed0074832e78a3793da144d068ad82535d9c9008fa73a0fc44d8f9e7fb63ede0bc04fd05bdf0fa42802948

  • \Users\Admin\AppData\Local\Temp\bedfiibheb.exe
    Filesize
    709KB
    MD5
    3efe74a67d57c2abbf6c5a8f289d6f81
    SHA1
    3852cb98ce6aebbba64af5c14dcfdf6ac5bd2ef6
    SHA256
    5f8210bb63dacd1bea3256130c70aa28e74cd9ae95c64c90cfe7e7f055bc1518
    SHA512
    2bec6df117c0af059373f87371be75fe62ee5624db9c19b5a8c4a7f9de5f1df5c9e592645f6125281d169605ad44c16edcb22e033a9c0d84c17e6e7762be78a3

  • \Users\Admin\AppData\Local\Temp\bedfiibheb.exe
    Filesize
    846KB
    MD5
    3d9ff81479d0fbba6e875637ce3bfc45
    SHA1
    09ed13661778a45b6d1ea6d5c6ce66824f234b57
    SHA256
    93bfad19c88449900e2bcdaa33d121180c9c8ef97b87746ffd78468ef0ae9fd8
    SHA512
    6b7a2a770612c87199e6263bdb306b3c0be8d47ba59c893889491b1ebd3a76f651ecc949a33ecb91d91d428ba8b37c34231db4202d36f51237c6fa1f928ebe6d

  • \Users\Admin\AppData\Local\Temp\bedfiibheb.exe
    Filesize
    699KB
    MD5
    f7c1ffc682cc26f0d47423822b5c20f8
    SHA1
    e3316117c055dab15f467004acbd40f8beb5214e
    SHA256
    e72356ffa95c5fbc60aa1bfdf0202b149db0ca0c361ec7b0d941a31f13eae836
    SHA512
    60fe6356c20bfbcd14254a19bc8b85377390d5d4dbe548c61964d2dbad694a2dee8af10b957c4eb7e47cc1208489bdd5ec914a1cf6600bad76ff4bb6875759c5

  • \Users\Admin\AppData\Local\Temp\nsoB04D.tmp\ZipDLL.dll
    Filesize
    163KB
    MD5
    2dc35ddcabcb2b24919b9afae4ec3091
    SHA1
    9eeed33c3abc656353a7ebd1c66af38cccadd939
    SHA256
    6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1
    SHA512
    0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901