Analysis
Max time kernel: 122s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 25/03/2024, 21:44
Static task: static1
Behavioral task: behavioral1
  Sample: e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe
  Resource: win10v2004-20240226-en
General
Target: e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe
Size: 463KB
MD5: c00715a783f0aa296a33c1178ecdfcbd
SHA1: 72cc6b1e4bd0f2a0dac76513738420173769e36c
SHA256: e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7
SHA512: 9f342be3a9a061b4dc7370976619b9f10971a277659d9e24c06f2ce5949286b17d9a4e8576ad81d17623d38396918ad6014c19748b46e42b535c74b5f83fbb05
SSDEEP: 6144:2SPq0GvztB+u518QWyc/NFBjFKKJ5XLz0q9rdvOIO1Q1X1pvvCEm3NMsnCqO:hqPyuHWyYFBjbfLzjpvPMyfjkO
Malware Config
Signatures
- Detects executables (downloaders) containing URLs to raw contents of a paste (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2476-0-0x000000013FC30000-0x000000013FCE6000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
  behavioral1/files/0x000d000000012309-23.dat                                   INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
  behavioral1/memory/2532-29-0x000000013F0D0000-0x000000013F186000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
- Drops file in Drivers directory (2 IoCs)
  description                    ioc                                      Process
  File opened for modification   C:\Windows\system32\drivers\etc\hosts   VjJlldytdLTQrrj.exe
  File opened for modification   C:\Windows\system32\drivers\etc\hosts   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe
- Deletes itself (1 IoCs)
  pid    Process
  2756   cmd.exe
- Executes dropped EXE (2 IoCs)
  pid    Process
  2532   VjJlldytdLTQrrj.exe
  1204   Process not Found
- Loads dropped DLL (1 IoCs)
  pid    Process
  2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid    Process
  2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe
  2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe
  2532   VjJlldytdLTQrrj.exe
  2532   VjJlldytdLTQrrj.exe
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid    Process
  2632   sc.exe
  592    sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (4 IoCs)
  pid    Process
  2904   timeout.exe
  2172   timeout.exe
  1556   timeout.exe
  2660   timeout.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid    Process
  Token: SeDebugPrivilege    2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe
  Token: SeDebugPrivilege    2532   VjJlldytdLTQrrj.exe
- Suspicious use of WriteProcessMemory (45 IoCs)
  description                          pid    Process                                                                 procid_target
  PID 2476 wrote to memory of 2000    2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe   29
  PID 2476 wrote to memory of 2000    2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe   29
  PID 2476 wrote to memory of 2000    2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe   29
  PID 2000 wrote to memory of 2632    2000   cmd.exe                                                                 31
  PID 2000 wrote to memory of 2632    2000   cmd.exe                                                                 31
  PID 2000 wrote to memory of 2632    2000   cmd.exe                                                                 31
  PID 2476 wrote to memory of 2756    2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe   32
  PID 2476 wrote to memory of 2756    2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe   32
  PID 2476 wrote to memory of 2756    2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe   32
  PID 2476 wrote to memory of 2532    2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe   34
  PID 2476 wrote to memory of 2532    2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe   34
  PID 2476 wrote to memory of 2532    2476   e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe   34
  PID 2756 wrote to memory of 2660    2756   cmd.exe                                                                 35
  PID 2756 wrote to memory of 2660    2756   cmd.exe                                                                 35
  PID 2756 wrote to memory of 2660    2756   cmd.exe                                                                 35
  PID 2756 wrote to memory of 2352    2756   cmd.exe                                                                 36
  PID 2756 wrote to memory of 2352    2756   cmd.exe                                                                 36
  PID 2756 wrote to memory of 2352    2756   cmd.exe                                                                 36
  PID 2756 wrote to memory of 2904    2756   cmd.exe                                                                 37
  PID 2756 wrote to memory of 2904    2756   cmd.exe                                                                 37
  PID 2756 wrote to memory of 2904    2756   cmd.exe                                                                 37
  PID 2532 wrote to memory of 2376    2532   VjJlldytdLTQrrj.exe                                                     38
  PID 2532 wrote to memory of 2376    2532   VjJlldytdLTQrrj.exe                                                     38
  PID 2532 wrote to memory of 2376    2532   VjJlldytdLTQrrj.exe                                                     38
  PID 2756 wrote to memory of 1712    2756   cmd.exe                                                                 39
  PID 2756 wrote to memory of 1712    2756   cmd.exe                                                                 39
  PID 2756 wrote to memory of 1712    2756   cmd.exe                                                                 39
  PID 2756 wrote to memory of 2172    2756   cmd.exe                                                                 41
  PID 2756 wrote to memory of 2172    2756   cmd.exe                                                                 41
  PID 2756 wrote to memory of 2172    2756   cmd.exe                                                                 41
  PID 2376 wrote to memory of 592     2376   cmd.exe                                                                 42
  PID 2376 wrote to memory of 592     2376   cmd.exe                                                                 42
  PID 2376 wrote to memory of 592     2376   cmd.exe                                                                 42
  PID 2756 wrote to memory of 952     2756   cmd.exe                                                                 43
  PID 2756 wrote to memory of 952     2756   cmd.exe                                                                 43
  PID 2756 wrote to memory of 952     2756   cmd.exe                                                                 43
  PID 2756 wrote to memory of 1556    2756   cmd.exe                                                                 44
  PID 2756 wrote to memory of 1556    2756   cmd.exe                                                                 44
  PID 2756 wrote to memory of 1556    2756   cmd.exe                                                                 44
  PID 2756 wrote to memory of 2164    2756   cmd.exe                                                                 45
  PID 2756 wrote to memory of 2164    2756   cmd.exe                                                                 45
  PID 2756 wrote to memory of 2164    2756   cmd.exe                                                                 45
  PID 2756 wrote to memory of 1524    2756   cmd.exe                                                                 46
  PID 2756 wrote to memory of 1524    2756   cmd.exe                                                                 46
  PID 2756 wrote to memory of 1524    2756   cmd.exe                                                                 46
- Views/modifies file attributes (1 TTPs, 5 IoCs)
  pid    Process
  1524   attrib.exe
  2352   attrib.exe
  1712   attrib.exe
  952    attrib.exe
  2164   attrib.exe
Processes
- e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe (PID 2476)
  Path: C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe"
  Signatures: Drops file in Drivers directory; Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - cmd.exe (PID 2000)
    Path: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c sc config Winmgmt start= demand
    Signatures: Suspicious use of WriteProcessMemory
    - sc.exe (PID 2632)
      Path: C:\Windows\system32\sc.exe
      Command line: sc config Winmgmt start= demand
      Signatures: Launches sc.exe
  - cmd.exe (PID 2756)
    Path: C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4511a201-eb1f-407b-81bf-dddac5a0ee63.bat""
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - timeout.exe (PID 2660)
      Path: C:\Windows\system32\timeout.exe
      Command line: timeout /T 1
      Signatures: Delays execution with timeout.exe
    - attrib.exe (PID 2352)
      Path: C:\Windows\system32\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe"
      Signatures: Views/modifies file attributes
    - timeout.exe (PID 2904)
      Path: C:\Windows\system32\timeout.exe
      Command line: timeout /T 1
      Signatures: Delays execution with timeout.exe
    - attrib.exe (PID 1712)
      Path: C:\Windows\system32\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe"
      Signatures: Views/modifies file attributes
    - timeout.exe (PID 2172)
      Path: C:\Windows\system32\timeout.exe
      Command line: timeout /T 1
      Signatures: Delays execution with timeout.exe
    - attrib.exe (PID 952)
      Path: C:\Windows\system32\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe"
      Signatures: Views/modifies file attributes
    - timeout.exe (PID 1556)
      Path: C:\Windows\system32\timeout.exe
      Command line: timeout /T 1
      Signatures: Delays execution with timeout.exe
    - attrib.exe (PID 2164)
      Path: C:\Windows\system32\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e18670ff6332b5558d6476e065ef1655a9231fb5449bedfbf3dba249285f53d7.exe"
      Signatures: Views/modifies file attributes
    - attrib.exe (PID 1524)
      Path: C:\Windows\system32\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4511a201-eb1f-407b-81bf-dddac5a0ee63.bat"
      Signatures: Views/modifies file attributes
  - VjJlldytdLTQrrj.exe (PID 2532)
    Path: C:\Users\Admin\AppData\Local\Temp\VjJlldytdLTQrrj.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\VjJlldytdLTQrrj.exe" 1
    Signatures: Drops file in Drivers directory; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - cmd.exe (PID 2376)
      Path: C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c sc config Winmgmt start= demand
      Signatures: Suspicious use of WriteProcessMemory
      - sc.exe (PID 592)
        Path: C:\Windows\system32\sc.exe
        Command line: sc config Winmgmt start= demand
        Signatures: Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: e2380ce2392ba91d72810aacafcec0a3
  SHA1: 27952b102be2027108d0507719b6db11ca668045
  SHA256: 3cbdfd2784a39b2f51bbb47a86110f66e127534e2bcd56b75d30ff6cb7f8be5d
  SHA512: 378bcafb6f9177eadc56c482380d1e90c75cdc1f127b05f3cb53c5a76edcd077c976475055edc8b142061858d7570af4207862f66ae9716fcf929e40177e3733
- Filesize: 48B
  MD5: 135511555b9a87da895fb2e705a9ac0d
  SHA1: 21773c7ee2300da1a513f739a353f84252f9d3d1
  SHA256: 9a42cb2f8b76d6aa6abf61f4564f4e70bf2b2ce6f0f3869098d30fa7fe7250d8
  SHA512: ac2528351fca9283dde4dfde2afdc894b85e9ec85b2c78e26558dd5995a4855ce5a2f745a709d0fdc0dc73e9d4fac5196e69f2d0b077567ea7215d85d5430fc7
- Filesize: 1023B
  MD5: 7cc9babf9adf5c2cd07bdabaa3472d6f
  SHA1: 250b4a1577ff7af4ff2bfe6c336bc6e6fe5c63bf
  SHA256: 4fe971365dec711ff93aa70ada171228ae76a78bcefcd81cc40c77f5e0797baa
  SHA512: 13777defa282354d7879c7a28603cdb9075235c8f4017ff31c53578846e927fa04f29f96093b2824f1528558c978630903e3bd19ef6cde63674d75a307c9150c
- Filesize: 467KB
  MD5: cb534af4571a972c787a08699eb4fafa
  SHA1: 3c48ae6204016079d39f125d4fb9d689c57e094d
  SHA256: 7ec2657be9a11606ca658444bb9c0cd27fda23503b4e51771368239bccfad100
  SHA512: f5961f9181a5013d4d401bd000e02d6b7023fc229c0e9c4f946d0c012ede49c063dae84c7f272373dd1bf4b0c95b79ecf286da0b95930c403a6ec29bcd66a787