Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/01/2024, 10:01
Static task: static1
Behavioral task: behavioral1
- Sample: 770eccc95954d53a48c809b53776e6be.exe
- Resource: win7-20231215-en
General
- Target: 770eccc95954d53a48c809b53776e6be.exe
- Size: 430KB
- MD5: 770eccc95954d53a48c809b53776e6be
- SHA1: 4e8a23f0ed1018de17abb4ad84e20805d5008585
- SHA256: bf911f77ca0c4b0e2809423e29971342fc6439a9b6dc6baf0ab0f51ad96adc8b
- SHA512: e2314013a7da1d9273387d1c1980a89e0645f8e4b610a35d664c869a4ec2e7ecf77da20feb2704639f8de691ff2d094fd5f314c5d9ab5074e2b1a0aebb5b470e
- SSDEEP: 6144:iTU9Hu7KpwymYXDGdkUDrFhXBlsGeli7ifP/MR8neyKSsBdk8ME0AU9D0sK/:94KKyRXDSpsG8uifP88nZ4O8gAU90sK
Malware Config
Extracted
- Family: trickbot
- Version: 2000032
- Botnet tag (gtag): tot131
- C2 (all on TCP/443):
  103.122.228.44:443
  196.216.220.211:443
  181.114.215.239:443
  41.57.156.203:443
  43.252.159.63:443
  197.156.129.250:443
  113.160.37.196:443
  38.110.100.64:443
  113.160.132.237:443
  24.28.12.23:443
  38.110.100.219:443
  45.239.233.109:443
  119.202.8.249:443
  200.236.218.62:443
  220.82.64.198:443
  190.93.208.53:443
  196.216.59.174:443
  222.124.16.74:443
  202.165.47.106:443
  96.9.77.56:443
  49.248.217.170:443
  186.225.119.170:443
- autorun modules:
  Name: pwgrabb
  Name: pwgrabc
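The C2 list above is the most directly actionable part of the report. The following script, an added example and not code from the tria.ge report or from any TrickBot tooling, normalises those endpoints into a validated IOC list and emits one Suricata rule per endpoint. The endpoint text is copied from the report; the SID base, the rule message and the choice to alert on the outbound SYN (rather than inspect the TLS payload on 443) are assumptions of the example.

```python
"""Normalise TrickBot C2 endpoints from a sandbox config dump into IOCs.

Added example, not part of the tria.ge report. RAW_C2 is copied from the
report's Malware Config section; the SID base and rule text are assumed.
"""
import ipaddress

# Endpoints exactly as the report lists them (host:port, one per line).
RAW_C2 = """
103.122.228.44:443
196.216.220.211:443
181.114.215.239:443
41.57.156.203:443
43.252.159.63:443
197.156.129.250:443
113.160.37.196:443
38.110.100.64:443
113.160.132.237:443
24.28.12.23:443
38.110.100.219:443
45.239.233.109:443
119.202.8.249:443
200.236.218.62:443
220.82.64.198:443
190.93.208.53:443
196.216.59.174:443
222.124.16.74:443
202.165.47.106:443
96.9.77.56:443
49.248.217.170:443
186.225.119.170:443
"""

SAMPLE_MD5 = "770eccc95954d53a48c809b53776e6be"  # from the report's General section


def parse_endpoints(text):
    """Parse 'ip:port' lines into (ip, port) tuples.

    Drops blank or malformed lines, out-of-range ports, duplicates and any
    address that is not globally routable (private, loopback, reserved):
    extractors sometimes emit decoy or sandbox-local entries, and blocking
    RFC 1918 space on a perimeter sensor would be noise at best.
    """
    seen = set()
    endpoints = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            continue
        port = int(port)
        if not 1 <= port <= 65535:
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        if not ip.is_global:
            continue
        key = (str(ip), port)
        if key in seen:
            continue
        seen.add(key)
        endpoints.append(key)
    return endpoints


def suricata_rules(endpoints, sid_base=9000001, family="trickbot", gtag=None):
    """Emit one Suricata rule per endpoint.

    TrickBot C2 here is TLS on 443, so the rule fires on the outbound SYN
    (flags:S,12 ignores the two reserved bits) instead of trying to match
    encrypted payload. SID range is a local-rules assumption.
    """
    tag = f" gtag {gtag}" if gtag else ""
    rules = []
    for i, (ip, port) in enumerate(endpoints):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"MALWARE {family} C2 connection attempt{tag}"; '
            f'flags:S,12; reference:md5,{SAMPLE_MD5}; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(parse_endpoints(RAW_C2), gtag="tot131"):
        print(rule)
```

Feed the printed rules into a local rules file and reload; the `reference:md5` ties each alert back to this sample so an analyst can pivot from the alert to the report.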
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege    PID: 1212    Process: wermgr.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   Process                                procid_target
  PID 1920 wrote to memory of 1212   1920  770eccc95954d53a48c809b53776e6be.exe   28
  PID 1920 wrote to memory of 1212   1920  770eccc95954d53a48c809b53776e6be.exe   28
  PID 1920 wrote to memory of 1212   1920  770eccc95954d53a48c809b53776e6be.exe   28
  PID 1920 wrote to memory of 1212   1920  770eccc95954d53a48c809b53776e6be.exe   28
  PID 1920 wrote to memory of 2004   1920  770eccc95954d53a48c809b53776e6be.exe   29
  PID 1920 wrote to memory of 2004   1920  770eccc95954d53a48c809b53776e6be.exe   29
  PID 1920 wrote to memory of 2004   1920  770eccc95954d53a48c809b53776e6be.exe   29
  PID 1920 wrote to memory of 2004   1920  770eccc95954d53a48c809b53776e6be.exe   29
  PID 1920 wrote to memory of 1212   1920  770eccc95954d53a48c809b53776e6be.exe   28
  PID 1920 wrote to memory of 1212   1920  770eccc95954d53a48c809b53776e6be.exe   28
Processes
- C:\Users\Admin\AppData\Local\Temp\770eccc95954d53a48c809b53776e6be.exe
  "C:\Users\Admin\AppData\Local\Temp\770eccc95954d53a48c809b53776e6be.exe"
  PID: 1920
  Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    PID: 1212
    Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe
    PID: 2004
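Read together, the Signatures and Processes sections describe one behaviour: the sample (PID 1920) spawns two Windows system binaries, wermgr.exe and cmd.exe, writes into their memory repeatedly, and the wermgr.exe instance then enables SeDebugPrivilege. The script below is an added example, not code from the tria.ge report or from any vendor, that turns those rows into a detection: it parses the WriteProcessMemory rows as printed above, joins them with the process tree and the token event, and flags a non-system parent writing into a system binary it just created. The row text and the process tree are transcribed from the report; the severity labels and the "parent must be the writer" heuristic are assumptions of the example.

```python
"""Injection-chain detection over sandbox signature rows.

Added example, not part of the tria.ge report. WPM_ROWS, PROCESS_TREE and
TOKEN_ROWS are transcribed from the report; severities are assumed labels.
"""
import re
from collections import defaultdict

# WriteProcessMemory rows exactly as the report prints them.
WPM_ROWS = """
PID 1920 wrote to memory of 1212 1920 770eccc95954d53a48c809b53776e6be.exe 28
PID 1920 wrote to memory of 1212 1920 770eccc95954d53a48c809b53776e6be.exe 28
PID 1920 wrote to memory of 1212 1920 770eccc95954d53a48c809b53776e6be.exe 28
PID 1920 wrote to memory of 1212 1920 770eccc95954d53a48c809b53776e6be.exe 28
PID 1920 wrote to memory of 2004 1920 770eccc95954d53a48c809b53776e6be.exe 29
PID 1920 wrote to memory of 2004 1920 770eccc95954d53a48c809b53776e6be.exe 29
PID 1920 wrote to memory of 2004 1920 770eccc95954d53a48c809b53776e6be.exe 29
PID 1920 wrote to memory of 2004 1920 770eccc95954d53a48c809b53776e6be.exe 29
PID 1920 wrote to memory of 1212 1920 770eccc95954d53a48c809b53776e6be.exe 28
PID 1920 wrote to memory of 1212 1920 770eccc95954d53a48c809b53776e6be.exe 28
"""

# (pid, image path, parent pid) from the report's process tree.
PROCESS_TREE = [
    (1920, "C:\\Users\\Admin\\AppData\\Local\\Temp\\770eccc95954d53a48c809b53776e6be.exe", None),
    (1212, "C:\\Windows\\system32\\wermgr.exe", 1920),
    (2004, "C:\\Windows\\system32\\cmd.exe", 1920),
]

# (pid, image name, privilege) from the AdjustPrivilegeToken signature.
TOKEN_ROWS = [(1212, "wermgr.exe", "SeDebugPrivilege")]

# description | pid | Process | procid_target, as one whitespace-joined row
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\d+)\s+(\S+)\s+(\d+)$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_wpm(text):
    """Return (source_pid, target_pid) pairs, one per WriteProcessMemory row."""
    pairs = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory row
        src, dst = int(m.group(1)), int(m.group(2))
        if src != dst:  # writing to your own process is not injection
            pairs.append((src, dst))
    return pairs


def is_system_binary(path):
    return path.lower().startswith(SYSTEM32)


def find_injections(wpm_text, tree, token_rows):
    """Flag cross-process writes from a non-system parent into a system
    binary it spawned. Repeated writes into a freshly created signed host
    (wermgr.exe here) is how hollowing looks in an API trace; a target that
    then enables SeDebugPrivilege is escalated, since the injected code is
    now positioned to read or inject into other processes."""
    images = {pid: path for pid, path, _ in tree}
    parents = {pid: ppid for pid, _, ppid in tree}
    privs = defaultdict(set)
    for pid, _, priv in token_rows:
        privs[pid].add(priv)
    writes = defaultdict(int)
    for src, dst in parse_wpm(wpm_text):
        writes[(src, dst)] += 1

    findings = []
    for (src, dst), count in sorted(writes.items()):
        src_img = images.get(src, "")
        dst_img = images.get(dst, "")
        if parents.get(dst) != src:
            continue  # heuristic (assumed): only the creating parent counts
        if not is_system_binary(dst_img) or is_system_binary(src_img):
            continue
        severity = "critical" if "SeDebugPrivilege" in privs.get(dst, ()) else "high"
        findings.append({
            "source": src,
            "target": dst,
            "target_image": dst_img.rsplit("\\", 1)[-1],
            "writes": count,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_injections(WPM_ROWS, PROCESS_TREE, TOKEN_ROWS):
        print(f"[{f['severity']}] pid {f['source']} wrote {f['writes']}x into "
              f"{f['target_image']} (pid {f['target']})")
```

On this report the detector yields two findings: six writes into wermgr.exe, escalated because that process then took SeDebugPrivilege, and four writes into cmd.exe. In an EDR context the same join (parent creates system binary, parent writes into it, child adjusts token) is worth more than any of the three events alone, each of which has benign lookalikes.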
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06