Analysis
max time kernel: 151s
max time network: 151s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 02:55
Static task: static1
Behavioral task: behavioral1
  Sample: 2553c5f252ae715435fe09cec92f444d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2553c5f252ae715435fe09cec92f444d.exe
  Resource: win10v2004-20231215-en
General
Target: 2553c5f252ae715435fe09cec92f444d.exe
Size: 1.1MB
MD5: 2553c5f252ae715435fe09cec92f444d
SHA1: 44343ef1fc3b15b7866ef6170836a1f36be3a258
SHA256: a320ad98e8b6806b5b51ec489ae27f0b7400c078de79513308e51a8702ccef64
SHA512: 7fc88d4b20b008c991f58a5fe10508cec62dc4905c5e81adafa2b686e0662450f1600f989eb92c1d2c5eb579455de799fce5a26bbdc28d9d57c46557ba467a3f
SSDEEP: 24576:Ok6+c2dkF9VoDm7zq3yRozWrj0xSlIQBd0X2tAJqFVchzvsre:ObLre3yOzWMc2QBdBqJqF8sre
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1048  RFQ_INVOICE-09876543234567654rcs.exe
Loads dropped DLL (4 IoCs)
  pid 2156  2553c5f252ae715435fe09cec92f444d.exe (4 loads)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 800  AcroRd32.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 1048  RFQ_INVOICE-09876543234567654rcs.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 800  AcroRd32.exe (3 calls)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2156 wrote to memory of 800   pid 2156  2553c5f252ae715435fe09cec92f444d.exe  procid_target 29 (4 times)
  PID 2156 wrote to memory of 1048  pid 2156  2553c5f252ae715435fe09cec92f444d.exe  procid_target 30 (4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\2553c5f252ae715435fe09cec92f444d.exe (level 1, PID 2156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2553c5f252ae715435fe09cec92f444d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (level 2, PID 800)
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\INVOICE.pdf"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\RFQ_INVOICE-09876543234567654rcs.exe (level 2, PID 1048)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ_INVOICE-09876543234567654rcs.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads