Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2024, 14:50

General

  • Target

    bc13b97d581d8a5a01a44d52d73fcdfa.exe

  • Size

    56KB

  • MD5

    bc13b97d581d8a5a01a44d52d73fcdfa

  • SHA1

    6bb7f2ddc069ca127b8ab9ce51e9dda0a6575752

  • SHA256

    d94c18212f6b528c1b2c419d05393f8efcd012c2c1e0e2a0abc33de0937fb84b

  • SHA512

    b4de24c98eab1e124b1dbde25d07beabc6f85efb77c3f5cf957b395029a9194b1df6c26dee48f6caa3944c50c55330c0ddc9361e026ab27fe9f9856589e5c4ec

  • SSDEEP

    768:coOjbhlc7sUoQnAz3ppOo0QJSHijv5js/wJJQzGeSXfT+DYwiREEpZFQlGGZc2OS:1OPhlosUoAarDX1JJcgTlEEXFwlu2Nl

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc13b97d581d8a5a01a44d52d73fcdfa.exe
    "C:\Users\Admin\AppData\Local\Temp\bc13b97d581d8a5a01a44d52d73fcdfa.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\ife.txt "C:\PROGRA~1\INTERN~1\ieframe.dll" /a
      2⤵
      • Drops file in Program Files directory
      PID:2460

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ife.txt

    Filesize

    19.6MB

    MD5

    2d6ed0d30c76f5cb41bd92158ff355fa

    SHA1

    2a6924eb69628e8b3c06431777795f28f385d7f3

    SHA256

    2ec5968f8de972eda2a80fa52bdc49ec2439f6d1ca067eb82dbc3a9137517040

    SHA512

    4b241d3865e76d6a1451ed636e4292993a9dd167fde625b4c730aedf593fc008420338e86e5da9a02d264cd52b3857b844796dd144e26e0f33969db4b421c779

  • \Users\Admin\AppData\Local\Temp\nsy4BB2.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    e54eb27fb5048964e8d1ec7a1f72334b

    SHA1

    2b76d7aedafd724de96532b00fbc6c7c370e4609

    SHA256

    ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

    SHA512

    c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

  • \Users\Admin\AppData\Local\Temp\nsy4BB2.tmp\time.dll

    Filesize

    10KB

    MD5

    38977533750fe69979b2c2ac801f96e6

    SHA1

    74643c30cda909e649722ed0c7f267903558e92a

    SHA256

    b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

    SHA512

    e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53