Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 09/03/2024, 16:21
Static task: static1

Behavioral task: behavioral1
  Sample: bc41ca8b28cefbef19913892893b6fdc.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: bc41ca8b28cefbef19913892893b6fdc.exe
  Resource: win10v2004-20240226-en
General
Target: bc41ca8b28cefbef19913892893b6fdc.exe
Size: 24KB
MD5: bc41ca8b28cefbef19913892893b6fdc
SHA1: 7873b97f271893da5977b7033e1d1ffca194e682
SHA256: dc1a821510bb64fab32a16c29d554fa23f474d2e63ad250d2756a4f4c3a1501e
SHA512: 72a12937274234100222afd02f6e31e3de607127fe5850aaa8cfb0fa2253ede0561a46cc5c080ddb6cec99e8009d61438e7fde8040c65be994a0f2f12ef41627
SSDEEP: 384:Hw8s6S7GEsv9pWDeAFBis/QhGvsFTM9/7/qI0RSojYE0W:Hw8QGEM8DeA7i+QhGvsFgiI0RS
Malware Config
Signatures

Deletes itself (1 IoC)
pid   Process
2876  cmd.exe

Executes dropped EXE (1 IoC)
pid   Process
2792  svchost.exe

Loads dropped DLL (2 IoCs)
pid   Process
2924  bc41ca8b28cefbef19913892893b6fdc.exe
2924  bc41ca8b28cefbef19913892893b6fdc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                     Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"  rundll32.exe

Drops file in Windows directory (7 IoCs)
description                   ioc                               Process
File opened for modification  C:\Windows\systxm32\              bc41ca8b28cefbef19913892893b6fdc.exe
File created                  C:\Windows\systxm32\svchost.exe   bc41ca8b28cefbef19913892893b6fdc.exe
File opened for modification  C:\Windows\systxm32\svchost.exe   bc41ca8b28cefbef19913892893b6fdc.exe
File created                  C:\Windows\systxm32\Service.exe   bc41ca8b28cefbef19913892893b6fdc.exe
File opened for modification  C:\Windows\systxm32\              svchost.exe
File created                  C:\Windows\install.inf            bc41ca8b28cefbef19913892893b6fdc.exe
File opened for modification  C:\Windows\INF\setupapi.app.log   rundll32.exe

Program crash (1 IoC)
pid   pid_target  Process       procid_target
2092  2792        WerFault.exe  28

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                    Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       runonce.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  runonce.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
2792  svchost.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description                pid   Process
Token: SeRestorePrivilege  1420  rundll32.exe
Token: SeRestorePrivilege  1420  rundll32.exe
Token: SeRestorePrivilege  1420  rundll32.exe
Token: SeRestorePrivilege  1420  rundll32.exe
Token: SeRestorePrivilege  1420  rundll32.exe
Token: SeRestorePrivilege  1420  rundll32.exe
Token: SeRestorePrivilege  1420  rundll32.exe

Suspicious use of WriteProcessMemory (27 IoCs)
description                       pid   Process                               procid_target
PID 2924 wrote to memory of 2792  2924  bc41ca8b28cefbef19913892893b6fdc.exe  28
PID 2924 wrote to memory of 2792  2924  bc41ca8b28cefbef19913892893b6fdc.exe  28
PID 2924 wrote to memory of 2792  2924  bc41ca8b28cefbef19913892893b6fdc.exe  28
PID 2924 wrote to memory of 2792  2924  bc41ca8b28cefbef19913892893b6fdc.exe  28
PID 2792 wrote to memory of 2092  2792  svchost.exe                           29
PID 2792 wrote to memory of 2092  2792  svchost.exe                           29
PID 2792 wrote to memory of 2092  2792  svchost.exe                           29
PID 2792 wrote to memory of 2092  2792  svchost.exe                           29
PID 2924 wrote to memory of 1420  2924  bc41ca8b28cefbef19913892893b6fdc.exe  30
PID 2924 wrote to memory of 1420  2924  bc41ca8b28cefbef19913892893b6fdc.exe  30
PID 2924 wrote to memory of 1420  2924  bc41ca8b28cefbef19913892893b6fdc.exe  30
PID 2924 wrote to memory of 1420  2924  bc41ca8b28cefbef19913892893b6fdc.exe  30
PID 2924 wrote to memory of 1420  2924  bc41ca8b28cefbef19913892893b6fdc.exe  30
PID 2924 wrote to memory of 1420  2924  bc41ca8b28cefbef19913892893b6fdc.exe  30
PID 2924 wrote to memory of 1420  2924  bc41ca8b28cefbef19913892893b6fdc.exe  30
PID 1420 wrote to memory of 2628  1420  rundll32.exe                          31
PID 1420 wrote to memory of 2628  1420  rundll32.exe                          31
PID 1420 wrote to memory of 2628  1420  rundll32.exe                          31
PID 1420 wrote to memory of 2628  1420  rundll32.exe                          31
PID 2924 wrote to memory of 2876  2924  bc41ca8b28cefbef19913892893b6fdc.exe  32
PID 2924 wrote to memory of 2876  2924  bc41ca8b28cefbef19913892893b6fdc.exe  32
PID 2924 wrote to memory of 2876  2924  bc41ca8b28cefbef19913892893b6fdc.exe  32
PID 2924 wrote to memory of 2876  2924  bc41ca8b28cefbef19913892893b6fdc.exe  32
PID 2628 wrote to memory of 2468  2628  runonce.exe                           34
PID 2628 wrote to memory of 2468  2628  runonce.exe                           34
PID 2628 wrote to memory of 2468  2628  runonce.exe                           34
PID 2628 wrote to memory of 2468  2628  runonce.exe                           34
Processes

C:\Users\Admin\AppData\Local\Temp\bc41ca8b28cefbef19913892893b6fdc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc41ca8b28cefbef19913892893b6fdc.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 2924

  C:\Windows\systxm32\svchost.exe
    Command line: C:\Windows\systxm32\svchost.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2792

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 92
      - Program crash
      PID: 2092

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\install.inf
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1420

    C:\Windows\SysWOW64\runonce.exe
      Command line: "C:\Windows\system32\runonce.exe" -r
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
      PID: 2628

      C:\Windows\SysWOW64\grpconv.exe
        Command line: "C:\Windows\System32\grpconv.exe" -o
        PID: 2468

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "" .bat""
    - Deletes itself
    PID: 2876
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 397d0c0d2ee36edc74904235108f9660
SHA1: edf4e335ed9a649f83a76012bd232f285fd843c2
SHA256: 9303dc9d19cea525ef0aa2b431b2fd642da1d9d64555ebbd7d52c49f7e1c5a02
SHA512: 5a560ede526be84a15618fab61147b162535195b2caceee78bd9c8100d5ff8f96cf0cbe0ac21db2d42663376ed4849ea3d0a4927065bea8ff97079b87821ccae

Filesize: 2KB
MD5: 9716ebac351c551a7e64d6f819ffd8b5
SHA1: 9cdf8d7f0e5bd93138df1e2c920e73c2472d3ae6
SHA256: 0a36fcbaae3f4af6b4e087b0e1ec5cdf129b7e6c8c6703a5b6c1dc56082cbfec
SHA512: c3db55880764af3fc9dd8de37af456919ab9f123753c68e4b48cbe410cbbd2d12f05ca241ca41f7b053602c2d01f40e77c5242d90413a3ec134967e023b02faa

Filesize: 24KB
MD5: bc41ca8b28cefbef19913892893b6fdc
SHA1: 7873b97f271893da5977b7033e1d1ffca194e682
SHA256: dc1a821510bb64fab32a16c29d554fa23f474d2e63ad250d2756a4f4c3a1501e
SHA512: 72a12937274234100222afd02f6e31e3de607127fe5850aaa8cfb0fa2253ede0561a46cc5c080ddb6cec99e8009d61438e7fde8040c65be994a0f2f12ef41627