Analysis
- max time kernel: 144s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 03:08
Static task: static1

Behavioral task: behavioral1
- Sample: 0c8892b46f2e58ca0ef0789ec0a1ef76.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 0c8892b46f2e58ca0ef0789ec0a1ef76.exe
- Resource: win10v2004-20231215-en
General
- Target: 0c8892b46f2e58ca0ef0789ec0a1ef76.exe
- Size: 688KB
- MD5: 0c8892b46f2e58ca0ef0789ec0a1ef76
- SHA1: 32f4e5c400c29aecd3f8066349a512a6fb6364c7
- SHA256: 9007c66480b01bc7facc0b0c16c7946460443d5ec9d69faf31a975ef6be212b6
- SHA512: b6dfac695fb1eebd4997e0a1320b78ce4d6a017cb22d6b347ea3c407b557a558a5ce961e04beaddb3ff0f4d807482b335ac1f5edfc6e41afe75d8f20fc5bc2e0
- SSDEEP: 12288:DNUSFUl3DT1KoBfh4boHZXdo3zEYWgF3Z4mxxsDqVTVOCp8:5Lw3Dnf6oHZXe3zEbgQmXLVTzp8
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  2704  4.exe
  2680  svghost.exe
  784   4.exe

- Loads dropped DLL (4 IoCs)
  pid   Process
  2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe
  2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe
  2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe
  2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 0c8892b46f2e58ca0ef0789ec0a1ef76.exe

- Drops file in Windows directory (4 IoCs)
  description                   ioc                       Process
  File created                  C:\Windows\svghost.exe    4.exe
  File opened for modification  C:\Windows\svghost.exe    4.exe
  File created                  C:\Windows\uninstal.bat   4.exe
  File opened for modification  C:\Windows\svghost.exe    4.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2704  4.exe
  Token: SeDebugPrivilege   2680  svghost.exe
  Token: SeDebugPrivilege   784   4.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2680  svghost.exe

- Suspicious use of WriteProcessMemory (19 IoCs)
  description                        pid   Process                               procid_target
  PID 2416 wrote to memory of 2704   2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe  28
  PID 2416 wrote to memory of 2704   2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe  28
  PID 2416 wrote to memory of 2704   2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe  28
  PID 2416 wrote to memory of 2704   2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe  28
  PID 2680 wrote to memory of 1716   2680  svghost.exe                           30
  PID 2680 wrote to memory of 1716   2680  svghost.exe                           30
  PID 2680 wrote to memory of 1716   2680  svghost.exe                           30
  PID 2680 wrote to memory of 1716   2680  svghost.exe                           30
  PID 2704 wrote to memory of 2968   2704  4.exe                                 31
  PID 2704 wrote to memory of 2968   2704  4.exe                                 31
  PID 2704 wrote to memory of 2968   2704  4.exe                                 31
  PID 2704 wrote to memory of 2968   2704  4.exe                                 31
  PID 2704 wrote to memory of 2968   2704  4.exe                                 31
  PID 2704 wrote to memory of 2968   2704  4.exe                                 31
  PID 2704 wrote to memory of 2968   2704  4.exe                                 31
  PID 2416 wrote to memory of 784    2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe  33
  PID 2416 wrote to memory of 784    2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe  33
  PID 2416 wrote to memory of 784    2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe  33
  PID 2416 wrote to memory of 784    2416  0c8892b46f2e58ca0ef0789ec0a1ef76.exe  33
Processes
- C:\Users\Admin\AppData\Local\Temp\0c8892b46f2e58ca0ef0789ec0a1ef76.exe (depth 1, PID 2416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c8892b46f2e58ca0ef0789ec0a1ef76.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe (depth 2, PID 2704)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2968)
      Command line: cmd /c C:\Windows\uninstal.bat
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe (depth 2, PID 784)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\svghost.exe (depth 1, PID 2680)
  Command line: C:\Windows\svghost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (depth 2, PID 1716)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Enterprise v15
Downloads