Analysis

max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/03/2024, 02:23
Static task
- static1

Behavioral tasks
- behavioral1: sample 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe, resource win7-20240221-en
- behavioral2: sample 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe, resource win10v2004-20240226-en
- behavioral3: sample Malemutes/Nonprecedent.ps1, resource win7-20240221-en
- behavioral4: sample Malemutes/Nonprecedent.ps1, resource win10v2004-20240226-en
General

Target: 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe
Size: 623KB
MD5: 69893879dfb7420cc301c2097d529607
SHA1: f5d0929b50cb25555d6470946f76832a3f6fd13b
SHA256: 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923
SHA512: 601665e12a529342586f0f85fe27682b20841a2c62c7ad0f2454d79ac3bc56c647e3f7d3147b3a33dc58b7e549c3e7efc42dbedf73cf5e8357421bc38e826398
SSDEEP: 12288:ylR3Rtp9Jt7SEgUceFLX2YRJpNpRyOArULAHW9O9k:Y3Rtp9JamphWALAGOO
Malware Config
Signatures

Loads dropped DLL (2 IoCs)
pid    Process
1616   powershell.exe
2388   Computerbaseredes.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow   ioc
3      drive.google.com
5      drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid    Process
2388   Computerbaseredes.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid    Process
1616   powershell.exe
2388   Computerbaseredes.exe

Suspicious use of SetThreadContext (4 IoCs)
description                           pid    Process                 procid_target
PID 1616 set thread context of 2388   1616   powershell.exe          34
PID 2388 set thread context of 1200   2388   Computerbaseredes.exe   21
PID 2388 set thread context of 2588   2388   Computerbaseredes.exe   37
PID 2588 set thread context of 1200   2588   mstsc.exe               21

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid    Process                 hits
1616   powershell.exe          8
2388   Computerbaseredes.exe   8
2588   mstsc.exe               12

Suspicious behavior: MapViewOfSection (6 IoCs)
pid    Process                 hits
1616   powershell.exe          1
2388   Computerbaseredes.exe   1
1200   Explorer.EXE            2
2588   mstsc.exe               2

Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid    Process
Token: SeDebugPrivilege   1616   powershell.exe

Suspicious use of WriteProcessMemory (18 IoCs; identical rows collapsed, count in last column)
description                       pid    Process                                                                  procid_target   count
PID 2776 wrote to memory of 1616   2776   69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe   28              4
PID 1616 wrote to memory of 2656   1616   powershell.exe                                                           30              4
PID 1616 wrote to memory of 2388   1616   powershell.exe                                                           34              6
PID 1200 wrote to memory of 2588   1200   Explorer.EXE                                                             37              4
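The SetThreadContext and WriteProcessMemory tables above are the record of how execution moves between processes in this run: powershell.exe (1616) writes into and resets the thread context of its own child Computerbaseredes.exe (2388); 2388 then sets the thread context of Explorer.EXE (1200) and of mstsc.exe (2588), a process that Explorer.EXE itself spawned and wrote into; and 2588 finally sets the context of 1200 again. The Python below is an added example, not part of the Triage report or its tooling. It parses the rows exactly as they appear in this report (repeated WriteProcessMemory rows collapsed), takes the parent/child relations from the Processes section, walks the SetThreadContext edges into chains, and labels each edge. The "process hollowing" label is a heuristic: a parent that writes into a child it created and then resets that child's thread context is the classic hollowing sequence, while a SetThreadContext against a process the source did not spawn is injection into an already-running process. The report logs no WriteProcessMemory from 2388 at all, so whatever placed code into 1200 and 2588 before their contexts were changed did not go through that call; the MapViewOfSection hits on both targets are consistent with section mapping being used instead, but the report does not state this.

```python
import re
from collections import defaultdict

# Rows copied from this report's "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables, with the repeated
# WriteProcessMemory rows collapsed to one each. Field order per row:
# description, pid, Process, procid_target (the sandbox's own record id
# for the target process, not a Windows PID).
IOC_ROWS = """
PID 1616 set thread context of 2388 1616 powershell.exe 34
PID 2388 set thread context of 1200 2388 Computerbaseredes.exe 21
PID 2388 set thread context of 2588 2388 Computerbaseredes.exe 37
PID 2588 set thread context of 1200 2588 mstsc.exe 21
PID 2776 wrote to memory of 1616 2776 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe 28
PID 1616 wrote to memory of 2656 1616 powershell.exe 30
PID 1616 wrote to memory of 2388 1616 powershell.exe 34
PID 1200 wrote to memory of 2588 1200 Explorer.EXE 37
"""

# Parent PID of each process, read off the Processes tree of this report.
PARENT = {2776: 1200, 1616: 2776, 2656: 1616, 2388: 1616, 2588: 1200}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<target_id>\d+)$"
)


def parse_rows(text):
    """Turn the report rows into (src_pid, src_name, kind, dst_pid) edges."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        kind = "set_context" if m["kind"].startswith("set") else "write_memory"
        edges.append((int(m["src"]), m["name"], kind, int(m["dst"])))
    return edges


def injection_chains(edges):
    """Follow SetThreadContext edges from every process that never had its
    own context set; returns the chains and a pid -> image name map."""
    graph = defaultdict(list)
    names = {}
    for src, name, kind, dst in edges:
        names[src] = name
        if kind == "set_context":
            graph[src].append(dst)
    targets = {d for ds in graph.values() for d in ds}
    roots = [p for p in graph if p not in targets]
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if pid not in graph or pid in path[:-1]:  # leaf, or a cycle guard
            chains.append(path)
            return
        for nxt in graph[pid]:
            walk(nxt, path)

    for root in roots:
        walk(root, [])
    return chains, names


def classify(edges, parent):
    """Label each SetThreadContext edge. Heuristic: a source that is the
    target's parent (started it, wrote to it, then reset its thread context)
    is the classic process-hollowing sequence; a source that did not spawn
    the target is injecting into an existing process. 'writers' lists every
    process the report shows writing into that target, whoever it was."""
    writes = {(s, d) for s, _, k, d in edges if k == "write_memory"}
    findings = []
    for src, name, kind, dst in edges:
        if kind != "set_context":
            continue
        label = "process hollowing" if parent.get(dst) == src else "injection into existing process"
        writers = sorted(s for s, d in writes if d == dst)
        findings.append({"src": src, "src_name": name, "dst": dst, "label": label, "writers": writers})
    return findings


if __name__ == "__main__":
    edges = parse_rows(IOC_ROWS)
    chains, names = injection_chains(edges)
    for chain in chains:
        print(" -> ".join(f"{names.get(p, '?')}({p})" for p in chain))
    for f in classify(edges, PARENT):
        print(f"{f['src_name']}({f['src']}) -> {f['dst']}: {f['label']}; writers: {f['writers']}")
```

Run stand-alone it prints the two chains (1616 -> 2388 -> 1200 and 1616 -> 2388 -> 2588 -> 1200) and shows that the only edge matching the hollowing pattern is powershell.exe into Computerbaseredes.exe; the write into mstsc.exe came from Explorer.EXE, not from the process that later hijacked its thread.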
Processes (nested by depth in the process tree; [n] is the depth shown in the report)

[1] C:\Windows\Explorer.EXE (PID 1200)
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe (PID 2776)
      Command line: "C:\Users\Admin\AppData\Local\Temp\69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1616)
        Command line: "powershell" -windowstyle hidden "$Gynecide=Get-Content 'C:\Users\Admin\AppData\Local\Epicoeliac\Malemutes\Nonprecedent.Fod';$Porbeagle=$Gynecide.SubString(53926,3);.$Porbeagle($Gynecide)"
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe (PID 2656)
          Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"

      [4] C:\Users\Admin\AppData\Local\Temp\Computerbaseredes.exe (PID 2388)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Computerbaseredes.exe"
          - Loads dropped DLL
          - Suspicious use of NtCreateThreadExHideFromDebugger
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection

  [2] C:\Windows\SysWOW64\mstsc.exe (PID 2588)
      Command line: "C:\Windows\SysWOW64\mstsc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
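The powershell.exe command line in the tree above is the stage that matters for detection. It reads a dropped file (Nonprecedent.Fod, apparently the same file the sandbox re-ran as the Malemutes/Nonprecedent.ps1 behavioral tasks), slices a three-character command name out of it at offset 53926, and invokes that name with the call operator, passing the entire file content as the argument. The script body therefore never appears on the command line, the command name itself is never typed literally, and the three characters are not shown anywhere in this report. The Python below is an added example, not part of the Triage report; it scans process-creation command lines for exactly that shape (read a file, carve a short substring, invoke a variable with `.` or `&`) and pulls out the file path, offset and length an analyst would want to carve the same bytes. The command lines are constructed here: the first is copied verbatim from this report, the other two are benign lines made up for contrast.

```python
import re

# Process-creation command lines to scan. The first is the powershell.exe
# command line copied verbatim from the Processes tree of this report; the
# other two are benign lines constructed here for contrast.
SAMPLE_CMDLINES = [
    r'''"powershell" -windowstyle hidden "$Gynecide=Get-Content 'C:\Users\Admin\AppData\Local\Epicoeliac\Malemutes\Nonprecedent.Fod';$Porbeagle=$Gynecide.SubString(53926,3);.$Porbeagle($Gynecide)"''',
    r'''powershell -NoProfile -Command "Get-Content 'C:\logs\app.log' | Select-String ERROR"''',
    r'''powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1''',
]

# -windowstyle hidden, including the abbreviated forms PowerShell accepts (-w, -win, ...)
HIDDEN_RE = re.compile(r"-w\w*\s+hidden", re.I)
# Get-Content and its aliases, with or without -Path and quoting
READ_RE = re.compile(r"\b(?:Get-Content|gc|cat|type)\s+(?:-Path\s+)?['\"]?([^'\";\s]+)", re.I)
SUBSTR_RE = re.compile(r"\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
# $x = $y.SubString(...): the variable that receives the carved command name
CARVE_RE = re.compile(r"\$(\w+)\s*=\s*\$\w+\.SubString\(", re.I)
# .$x(  or  &$x(  : call operator applied to a variable rather than a literal name
DYNCALL_RE = re.compile(r"[.&]\s*\$(\w+)\s*\(")


def analyze_cmdline(cmd):
    """Return a finding when the command line reads a file, carves a short
    string out of it and invokes that string as a command; otherwise None."""
    read, sub, call = READ_RE.search(cmd), SUBSTR_RE.search(cmd), DYNCALL_RE.search(cmd)
    if not (read and sub and call):
        return None
    carve = CARVE_RE.search(cmd)
    return {
        "hidden_window": bool(HIDDEN_RE.search(cmd)),
        "source_file": read.group(1),
        "offset": int(sub.group(1)),
        "length": int(sub.group(2)),
        "invoked_variable": call.group(1),
        # strongest form of the pattern: the variable being invoked is the carved one
        "invokes_carved_name": bool(carve and carve.group(1) == call.group(1)),
    }


def scan(cmdlines):
    """Pair each flagged command line with its finding."""
    hits = []
    for cmd in cmdlines:
        finding = analyze_cmdline(cmd)
        if finding:
            hits.append((cmd, finding))
    return hits


if __name__ == "__main__":
    for cmd, finding in scan(SAMPLE_CMDLINES):
        print(finding)
        print(f"carve with: dd if='{finding['source_file']}' bs=1 "
              f"skip={finding['offset']} count={finding['length']}")
```

Only the report's own command line is flagged; the benign Get-Content and -File invocations are not, because neither carves a substring nor invokes a variable. Requiring all three elements together keeps the rule from firing on ordinary administrative use of Get-Content, at the cost of missing variants that build the command name by another method (string concatenation, character arrays), which need their own patterns.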
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 326KB
MD5: 77268bb2b770c8b4aa6add0774e02577
SHA1: 5f58fffeae17ebbd08c301ecefc7371732343117
SHA256: 4329ef95e4dfbaf5766b6068ded0a1e3d694fa8cdba5e65a02be6e3a63dfd455
SHA512: fd919425f4cfd5fb11817aad8dc45a572f7c0c32a3e3d5ca8338cf8667e47a12e6e9d14bf3fc174e237b0a7bacb172cad91ac92da992a49b48628f8e9e4e2d91

Filesize: 52KB
MD5: d70cc7a86c607e5511048fe2b3242bf9
SHA1: 7533500bfb680dc5fcea3e37fd2eca0385990376
SHA256: 9be2c4093ac767d9ec1aa035a7a8139fac9347068f303e1ef583b4d1f8dedd2b
SHA512: 05052e82d38f94ff7eb6ed89a7fd9041c20d03eba7d6d193c3fe85c628605c70fa8cb2dbb1e44ee721c8143bbcb6e5caf72c24acb134628d967e757b18d158ff

Filesize: 623KB (the submitted sample; hashes match the General section)
MD5: 69893879dfb7420cc301c2097d529607
SHA1: f5d0929b50cb25555d6470946f76832a3f6fd13b
SHA256: 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923
SHA512: 601665e12a529342586f0f85fe27682b20841a2c62c7ad0f2454d79ac3bc56c647e3f7d3147b3a33dc58b7e549c3e7efc42dbedf73cf5e8357421bc38e826398