Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
0s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2023, 00:20
Static task
static1
Behavioral task
behavioral1
Sample
217ebd8064afe605787d5e2075fdd3dd.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
217ebd8064afe605787d5e2075fdd3dd.exe
Resource
win10v2004-20231222-en
General
-
Target
217ebd8064afe605787d5e2075fdd3dd.exe
-
Size
698KB
-
MD5
217ebd8064afe605787d5e2075fdd3dd
-
SHA1
e105e719427f847eff6afe30d1626699729d169a
-
SHA256
f3459c1261078b4c3c1b5c9045f2bc3a1a43522ceaecd3ead28a2aa952b5794c
-
SHA512
2b81eae0e4ccac587a0103de3a3046985e71e2bf2c962ca60f991af00f09e0a8ffa01f660f08c13af398cd70582505940fda2387e77e9740e972cfe4d6b88c15
-
SSDEEP
12288:47D3AXrtoYYmphN2PEqibCISU6PzC5yMFURpgOgwfKkiSOb1erU9JgjgI:47sXrRY4hN2cqi2IqzqUROQfKkiSORwj
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1332 cbgcabfifcca.exe -
Loads dropped DLL 2 IoCs
pid Process 1980 217ebd8064afe605787d5e2075fdd3dd.exe 1980 217ebd8064afe605787d5e2075fdd3dd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3308 1332 WerFault.exe 20 -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1216 wmic.exe Token: SeSecurityPrivilege 1216 wmic.exe Token: SeTakeOwnershipPrivilege 1216 wmic.exe Token: SeLoadDriverPrivilege 1216 wmic.exe Token: SeSystemProfilePrivilege 1216 wmic.exe Token: SeSystemtimePrivilege 1216 wmic.exe Token: SeProfSingleProcessPrivilege 1216 wmic.exe Token: SeIncBasePriorityPrivilege 1216 wmic.exe Token: SeCreatePagefilePrivilege 1216 wmic.exe Token: SeBackupPrivilege 1216 wmic.exe Token: SeRestorePrivilege 1216 wmic.exe Token: SeShutdownPrivilege 1216 wmic.exe Token: SeDebugPrivilege 1216 wmic.exe Token: SeSystemEnvironmentPrivilege 1216 wmic.exe Token: SeRemoteShutdownPrivilege 1216 wmic.exe Token: SeUndockPrivilege 1216 wmic.exe Token: SeManageVolumePrivilege 1216 wmic.exe Token: 33 1216 wmic.exe Token: 34 1216 wmic.exe Token: 35 1216 wmic.exe Token: 36 1216 wmic.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1980 wrote to memory of 1332 1980 217ebd8064afe605787d5e2075fdd3dd.exe 20 PID 1980 wrote to memory of 1332 1980 217ebd8064afe605787d5e2075fdd3dd.exe 20 PID 1980 wrote to memory of 1332 1980 217ebd8064afe605787d5e2075fdd3dd.exe 20 PID 1332 wrote to memory of 1216 1332 cbgcabfifcca.exe 22 PID 1332 wrote to memory of 1216 1332 cbgcabfifcca.exe 22 PID 1332 wrote to memory of 1216 1332 cbgcabfifcca.exe 22
Processes
-
C:\Users\Admin\AppData\Local\Temp\217ebd8064afe605787d5e2075fdd3dd.exe"C:\Users\Admin\AppData\Local\Temp\217ebd8064afe605787d5e2075fdd3dd.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\cbgcabfifcca.exeC:\Users\Admin\AppData\Local\Temp\cbgcabfifcca.exe 7-3-0-4-9-1-6-8-6-8-9 KE1JQDQwLy0zKxcoUFU+R0g+NSoYJkdCVFNGUUVBPjUoGSxERUpTQzw3KigsMTMcJkJDPDcoFyhNUks7VD1MWUE7Ni8wMCowGidNPUlPQlJbTFFGNWJsa2k3LytqZGxuKGxfXiphbGcsXlluWSVia2ZrFy49REM7QkJBPRwmQys1JykXKEEyOSQwGic+KzQmLiArOzM3JSsYJj0yPSkoHylITEc7TkBUW0dRQ047O1A2HS9MSU4+TT1MVj5STD00HylITEc7TkBUW0VARz03QlhvXiArPFc/V09KQzZldHBnOSknZFltWmFsKmp0aCZdZ2QodGVeWG9qaylcZnBrbGtYYyk5b2xmPUk/PmxtXmRfQVs2NjUtKTIaJz9QPFhATUBDSEg9NxgmQUxTUFZBTEdRSzxLOjIcJlNCOUhDUEhSX1FJSzcYKU5ENi8gKztSKzUaJ0lOS1RFRERZTz9EOkhKRUVEQEE9T0pDNh0vRUpeTE1ITEBGQj1waXRfGClKPE1SUkpATUFXT0s8S1xEPVBSNyoaJz9CQUVUNDAaJ0NLVj1WTj1ESD1XP0Y6S1ZQUDxDN15bZGpeHS9ARlZIREk5O1hGUDkuMigqKyYoMTIuLTA2GidOQUQ+OjEwKTMrKS8sMCodL0BGVkhESTk7WFFJSTw8LCcrLiYrLTExITY0KzIyKConUEk=2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get serialnumber3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version3⤵PID:3164
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version3⤵PID:4492
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 8683⤵
- Program crash
PID:3308
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version3⤵PID:1588
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic /output:C:\Users\Admin\AppData\Local\Temp\81704410245.txt bios get version3⤵PID:4784
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1332 -ip 13321⤵PID:1472
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD570d0250d46ec32293e53cffd7d1b1dea
SHA16c4dce96bbff849b44c14e87c8b044223e25d57b
SHA2565d2bc8884862a5a2140b47282ec4f2bb87ef358216062bfe8925c96f4e740799
SHA5121e1a64c3f10bc499ee7a72fd817970f8e30f2aede8bfb055f34bddeeb63ff636bdbbf7910ac11e5d95830a52e912654832c4c9a267be71df6b5fe1b6a4e78fee
-
Filesize
120KB
MD5ff3ac96d9d128501b224b26ad4b85486
SHA1ce85c8ee340921b8660f6ad14b5429b3703b6bf5
SHA25644b5ee3459781f5ca44873c738ca16b050b4101c49dcf8b0da556775be189963
SHA512a2ab56bf0de5075817a600bb4cca472e82b8f207f5fbd886bbab3e4a8a58b7ed9acc180bbbd3c5646b9c52189962be468dc30fb48f66ade6aa87d3ec8f61e42f
-
Filesize
40KB
MD55f13dbc378792f23e598079fc1e4422b
SHA15813c05802f15930aa860b8363af2b58426c8adf
SHA2566e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
SHA5129270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5