Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 137s
max time network: 148s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 14/01/2024, 12:35
Static task: static1
Behavioral task: behavioral1
  Sample: 5b40bd174024d939d54e53284555b5c9.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 5b40bd174024d939d54e53284555b5c9.exe
  Resource: win10v2004-20231215-en
General
Target: 5b40bd174024d939d54e53284555b5c9.exe
Size: 471KB
MD5: 5b40bd174024d939d54e53284555b5c9
SHA1: df3908890c1b77e5166b7b58a008151410ff5a2d
SHA256: 0520b8cbb3869b829bfd9850132dc02192459ccae5483f0bba5d7d4acb7bcfbc
SHA512: 20c800e2ce8a0b3577ca1b3ec5c8f1079479f51f9faff9ea2307bb81251e52a5133904ae3bbe4b047ed4e304f208753c8a6d8aac4c0192882a61e053e405b324
SSDEEP: 6144:Vmsyd7BspOWZ+Stxo3Gc2uqy3gu88mWCMpCRWFf2Kj+m+6XmYr:BpO3StxwGc2c3tfmfsCRA22+m+8p
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid 2592 | worker.exe
Loads dropped DLL (1 IoCs)
  pid 2168 | 5b40bd174024d939d54e53284555b5c9.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | worker.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege | pid 2592 | worker.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2592 | worker.exe
  pid 2592 | worker.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2168 wrote to memory of 2592 | pid 2168 | 5b40bd174024d939d54e53284555b5c9.exe | procid_target 28
  PID 2168 wrote to memory of 2592 | pid 2168 | 5b40bd174024d939d54e53284555b5c9.exe | procid_target 28
  PID 2168 wrote to memory of 2592 | pid 2168 | 5b40bd174024d939d54e53284555b5c9.exe | procid_target 28
  PID 2168 wrote to memory of 2592 | pid 2168 | 5b40bd174024d939d54e53284555b5c9.exe | procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\5b40bd174024d939d54e53284555b5c9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b40bd174024d939d54e53284555b5c9.exe"
   PID: 2168
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\DM\worker.exe (child of PID 2168)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DM\worker.exe"
      PID: 2592
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
  Filesize: 466KB
  MD5: 61a025a6f2355c9c2996973896678719
  SHA1: 5951b3e13d55cb991d068b2646029c720c517076
  SHA256: e8601b579cef0fbca4c1beb46147279aa8182091e7daa960d23ebf34bd58d9df
  SHA512: 9c84779ab78ef31148d565f0980356164a98342f7101a42b39a51a10c28b9f38e1a7dde45de41e07529e9d07a65151b4cd28c04a1c4ed621303eeae068ab3507
Dropped file 2
  Filesize: 19KB
  MD5: 2b23c69b68708c14fc214c3454e6b1bd
  SHA1: 5c923d25c14ad13dab4f05bb1423026f873e7dc4
  SHA256: b2eb3b20cfa82a80207cb9fe8ea7cb28faa1b35612816b7b0052e68b9c8068bd
  SHA512: 00135ff0664e9de5f98be600773c72025f5f338e7301ab9d10b023fef672baa2ddbe3124813352eacf8d7475f0905d68dded619aa2cc3099f10b943ff3cdb8c5