Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/01/2024, 00:22
Static task: static1
Behavioral task: behavioral1
  Sample: 7bab1e52e363808e714cd6bd40b2abdb.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7bab1e52e363808e714cd6bd40b2abdb.exe
  Resource: win10v2004-20231215-en
General
Target: 7bab1e52e363808e714cd6bd40b2abdb.exe
Size: 196KB
MD5: 7bab1e52e363808e714cd6bd40b2abdb
SHA1: ccc41dc1d7f9046803afb9270e46e2417f9dffcc
SHA256: 9affd5767d8dfca4eacbd784c705e794ba0e84c6f800f5db54cc6e6462fd33ae
SHA512: a165f5744be90ebb906f8598dc266a7ee8da1871e901b757a8feb8809d4b30a237c6d7292cde49e7c8fc1f602af61be9148afa5f5342c1b7ac119cdf3a53962f
SSDEEP: 3072:3jz72q/WK0bhEAYVLZ+gkvFo61pLbTOPqWj2VkqdJVZhdkL0rdeU2RyUbl:Tn2O10bZgio619OSW6VxkL0rx2Jp
Malware Config
Signatures
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Server IIS\Parameters\ServiceDll = "C:\\Windows\\system32\\System64.dll" (process: 7bab1e52e363808e714cd6bd40b2abdb.exe)
Loads dropped DLL (2 IoCs)
  PID 4476: svchost.exe
  PID 4476: svchost.exe
Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\KMe.bat (process: 7bab1e52e363808e714cd6bd40b2abdb.exe)
  File created: C:\Windows\SysWOW64\System64.dat (process: 7bab1e52e363808e714cd6bd40b2abdb.exe)
  File created: C:\Windows\SysWOW64\System64.dll (process: 7bab1e52e363808e714cd6bd40b2abdb.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2876 wrote to memory of 3936 (process: 7bab1e52e363808e714cd6bd40b2abdb.exe, procid_target 87)
  PID 2876 wrote to memory of 3936 (process: 7bab1e52e363808e714cd6bd40b2abdb.exe, procid_target 87)
  PID 2876 wrote to memory of 3936 (process: 7bab1e52e363808e714cd6bd40b2abdb.exe, procid_target 87)
  PID 3936 wrote to memory of 416 (process: 7bab1e52e363808e714cd6bd40b2abdb.exe, procid_target 89)
  PID 3936 wrote to memory of 416 (process: 7bab1e52e363808e714cd6bd40b2abdb.exe, procid_target 89)
  PID 3936 wrote to memory of 416 (process: 7bab1e52e363808e714cd6bd40b2abdb.exe, procid_target 89)
Processes
C:\Users\Admin\AppData\Local\Temp\7bab1e52e363808e714cd6bd40b2abdb.exe (PID 2876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7bab1e52e363808e714cd6bd40b2abdb.exe"
  Signatures: Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\7bab1e52e363808e714cd6bd40b2abdb.exe (PID 3936)
    Command line: C:\Users\Admin\AppData\Local\Temp\7bab1e52e363808e714cd6bd40b2abdb.exe -Nod32
    Signatures: Sets DLL path for service in the registry; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 416)
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\KMe.bat
C:\Windows\SysWOW64\svchost.exe (PID 4476)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netservice
  Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads