Analysis
- max time kernel: 148s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 27/03/2024, 23:53
Static task: static1
Behavioral task: behavioral1
- Sample: c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe
- Resource: win10v2004-20240226-en
General
- Target: c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe
- Size: 395KB
- MD5: ef7cbea327c9b6b03723c7affa16b41d
- SHA1: 9da04d2355a9ad916a33fb0abb633b1332745e1c
- SHA256: c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df
- SHA512: 31f19cbdb0b4dec9c79769e9c797b107d7f86f6b3742a15ac09c4baf55019c8d5c357a9d5aa6c8c9de3b32d9e9b70bb3f7c567bed5b24d02b0fffae91c1bbf0c
- SSDEEP: 6144:AjlYKRF/LReWAsUy/ZQaE3iq3f+vknFCut30+A0EjocN1L8A2R:AjauDReWfQaE3iq3Vkut30uEksq
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1968 | twmbjs.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2044 | c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe
  2044 | c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\twmbjs.exe" | twmbjs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2044 wrote to memory of 1968 | 2044 | c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe | 28
  PID 2044 wrote to memory of 1968 | 2044 | c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe | 28
  PID 2044 wrote to memory of 1968 | 2044 | c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe | 28
  PID 2044 wrote to memory of 1968 | 2044 | c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe (PID 2044)
  command line: "C:\Users\Admin\AppData\Local\Temp\c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\twmbjs.exe (PID 1968, child of 2044)
    command line: "C:\ProgramData\twmbjs.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 395KB
  MD5: 41a5d28120e823c2a05a9826760707bf
  SHA1: a645ac2c94303c283ea2dff38ef7710a52435215
  SHA256: eec2383cde31cb8512e521ee1fbd3b2a03f561460110148b7fa79be13a09b4bb
  SHA512: 6ba5678a629e48201566f3ab27408936f378bdb5ed3cf6f4a96a3fbef72a932b87d5a790fbca068319fe1a7159fef747e1fed83a19da60503d02cf53ab21aa3d
- Filesize: 136KB
  MD5: e80c459f053fdd59ceec0e85a4e8d155
  SHA1: e54b69e03838bf5e8029a2670fbcbbf90eac1f11
  SHA256: e088559f06b3f4caea1d06fb246da111c4b88d5e81e9f95eaa99f37e1bda9df4
  SHA512: 719147342d7245a2bc66d4c4b6713064b7a66ad9101cb2d679c4e68a79560970081c843dfa4dfd48d6caec2c42dd0c60a6cdafacadfde513e8b57417d059af9f
- Filesize: 258KB
  MD5: fc9191988b426d6a3a0981a938ecdde4
  SHA1: 4b1b1d116ec6a136b29da49293f29b40a8c8bab3
  SHA256: 4749ee11933d4c0a72d53c518b189a345c5953056758894660a6d766f08b7639
  SHA512: cd77e9527d95f413907d8a9d1cddb44292bb9f1af2019cbdbf63ac0d90eca4092671ea0524c4cf1ed652bca2972d54a5412b1fcdd119757f98aa3e25dd41f625