Analysis

  • max time kernel
    0s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231222-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    31/12/2023, 00:20

General

  • Target

    217ebd8064afe605787d5e2075fdd3dd.exe

  • Size

    698KB

  • MD5

    217ebd8064afe605787d5e2075fdd3dd

  • SHA1

    e105e719427f847eff6afe30d1626699729d169a

  • SHA256

    f3459c1261078b4c3c1b5c9045f2bc3a1a43522ceaecd3ead28a2aa952b5794c

  • SHA512

    2b81eae0e4ccac587a0103de3a3046985e71e2bf2c962ca60f991af00f09e0a8ffa01f660f08c13af398cd70582505940fda2387e77e9740e972cfe4d6b88c15

  • SSDEEP

    12288:47D3AXrtoYYmphN2PEqibCISU6PzC5yMFURpgOgwfKkiSOb1erU9JgjgI:47sXrRY4hN2cqi2IqzqUROQfKkiSORwj

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\217ebd8064afe605787d5e2075fdd3dd.exe
    "C:\Users\Admin\AppData\Local\Temp\217ebd8064afe605787d5e2075fdd3dd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\cbgcabfifcca.exe
      C:\Users\Admin\AppData\Local\Temp\cbgcabfifcca.exe 7-3-0-4-9-1-6-8-6-8-9 …
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1216
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version
        3⤵
        PID:3164
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version
        3⤵
        PID:4492
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 868
        3⤵
        • Program crash
        PID:3308
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version
        3⤵
        PID:1588
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version
        3⤵
        PID:4784
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 1332
    1⤵
    PID:1472
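The process tree above shows the dropped cbgcabfifcca.exe spawning wmic.exe repeatedly to read the BIOS serial number and version, writing the answers to a file in %TEMP% rather than the console. That pattern (a Temp-resident parent, several `bios get` queries, output redirected to a file, and the parent crashing via WerFault around the same time) is a useful hunting signature for host-fingerprinting and sandbox checks. The detector below is an added example written for this page, not code from tria.ge; the record layout, field names (`pid`, `ppid`, `image`, `cmdline`) and the events themselves are constructed to mirror the report's tree plus one benign interactive query, and would need to be adapted to a real Sysmon or EDR export.

```python
"""Score process-creation events for wmic BIOS fingerprinting.

Added example, not part of the tria.ge report. Event records are a
constructed, Sysmon-Event-ID-1-like shape (field names are assumptions);
the sample values mirror the process tree in the report above.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: the report's tree plus one benign admin query.
EVENTS = [
    {"pid": 1980, "ppid": 620,
     "image": r"C:\Users\Admin\AppData\Local\Temp\217ebd8064afe605787d5e2075fdd3dd.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\217ebd8064afe605787d5e2075fdd3dd.exe"'},
    {"pid": 1332, "ppid": 1980,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cbgcabfifcca.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\cbgcabfifcca.exe 7-3-0-4-9-1-6-8-6-8-9"},
    {"pid": 1216, "ppid": 1332, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get serialnumber"},
    {"pid": 3164, "ppid": 1332, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version"},
    {"pid": 4492, "ppid": 1332, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": r"wmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version"},
    {"pid": 3308, "ppid": 1332, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 868"},
    # Benign: an admin running the same query interactively, output to console.
    {"pid": 5100, "ppid": 4000, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": r"wmic bios get serialnumber"},
]

# wmic invoking a "bios get ..." query (any property).
WMIC_BIOS = re.compile(r"\bwmic(?:\.exe)?\b.*\bbios\s+get\b", re.IGNORECASE)
# /output: pointing into a Temp directory instead of the console.
OUTPUT_TO_TEMP = re.compile(r"/output:\S*\\Temp\\", re.IGNORECASE)
# Parent executable living in the user's Temp folder.
TEMP_IMAGE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


def detect(events):
    """Group wmic bios queries by parent pid and score each parent.

    Returns one finding per parent that issued at least one query; the
    score adds up independent weak signals so a lone console query by an
    admin stays at 0 while the report's pattern scores high.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for ppid, kids in children.items():
        queries = [k for k in kids if WMIC_BIOS.search(k["cmdline"])]
        if not queries:
            continue
        parent = by_pid.get(ppid)
        score, reasons = 0, []
        if any(OUTPUT_TO_TEMP.search(q["cmdline"]) for q in queries):
            score += 2
            reasons.append("wmic output redirected to a file under Temp")
        if len(queries) >= 2:
            score += 1
            reasons.append(f"{len(queries)} bios queries from one parent")
        if parent is not None and TEMP_IMAGE.search(parent["image"]):
            score += 2
            reasons.append("parent executable runs from AppData\\Local\\Temp")
        if any(k["image"].lower().endswith("werfault.exe") and f"-p {ppid}" in k["cmdline"]
               for k in kids):
            score += 1
            reasons.append("parent crashed (WerFault) alongside the queries")
        findings.append({
            "ppid": ppid,
            "parent": parent["image"] if parent is not None else None,
            "score": score,
            "reasons": reasons,
        })
    return findings


def alerts(events, threshold=3):
    """Findings that cross the (assumed) alerting threshold."""
    return [f for f in detect(events) if f["score"] >= threshold]


if __name__ == "__main__":
    for f in alerts(EVENTS):
        print(f"ppid={f['ppid']} score={f['score']} parent={f['parent']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

The weights and the threshold are arbitrary starting points; the point is that no single signal is conclusive (`wmic bios get serialnumber` is a normal inventory command), but the combination seen in this report, a Temp-resident binary fanning out BIOS queries into a Temp file, is rare in legitimate activity.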

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cbgcabfifcca.exe
    Filesize
    92KB
    MD5
    70d0250d46ec32293e53cffd7d1b1dea
    SHA1
    6c4dce96bbff849b44c14e87c8b044223e25d57b
    SHA256
    5d2bc8884862a5a2140b47282ec4f2bb87ef358216062bfe8925c96f4e740799
    SHA512
    1e1a64c3f10bc499ee7a72fd817970f8e30f2aede8bfb055f34bddeeb63ff636bdbbf7910ac11e5d95830a52e912654832c4c9a267be71df6b5fe1b6a4e78fee

  • C:\Users\Admin\AppData\Local\Temp\nsv48B2.tmp\koi.dll
    Filesize
    120KB
    MD5
    ff3ac96d9d128501b224b26ad4b85486
    SHA1
    ce85c8ee340921b8660f6ad14b5429b3703b6bf5
    SHA256
    44b5ee3459781f5ca44873c738ca16b050b4101c49dcf8b0da556775be189963
    SHA512
    a2ab56bf0de5075817a600bb4cca472e82b8f207f5fbd886bbab3e4a8a58b7ed9acc180bbbd3c5646b9c52189962be468dc30fb48f66ade6aa87d3ec8f61e42f

  • C:\Users\Admin\AppData\Local\Temp\nsv48B2.tmp\nsisunz.dll
    Filesize
    40KB
    MD5
    5f13dbc378792f23e598079fc1e4422b
    SHA1
    5813c05802f15930aa860b8363af2b58426c8adf
    SHA256
    6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
    SHA512
    9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5