Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

e25d6621a3...4e.exe

windows7-x64

7

e25d6621a3...4e.exe

windows10-2004-x64

7

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

rigsombuds...ed.ps1

windows7-x64

8

rigsombuds...ed.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    156s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e25d6621a38cc9d1dd2428d1886a5080ceec742e8c22fe754e31f6d81eaad44e.exe

  • Size

    574KB

  • MD5

    bae2b5f2ba2e3976d19f78cd57589b43

  • SHA1

    c8cbfb695d01b52a83790146fa2ff89de37447ad

  • SHA256

    e25d6621a38cc9d1dd2428d1886a5080ceec742e8c22fe754e31f6d81eaad44e

  • SHA512

    fbaf47cfac100602fbfdf7bb3d29261c822ef5bfee8f4931ac2f6310339734ca13aadd2fb51f7f36ddc54daf59591723c69daf1eea54d71203ad3608046b70e8

  • SSDEEP

    12288:U1JKwATSHsf9/erPv2OzvwvtV9Tj20z168E7rg3ONKUHOI:UhATSMV/eL+OzGTjxzk8QOyHL

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e25d6621a38cc9d1dd2428d1886a5080ceec742e8c22fe754e31f6d81eaad44e.exe
    "C:\Users\Admin\AppData\Local\Temp\e25d6621a38cc9d1dd2428d1886a5080ceec742e8c22fe754e31f6d81eaad44e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Caenostylic=Get-Content 'C:\Users\Admin\AppData\Roaming\kolossens\livrente\markedsfringsomkostnings\rigsombudsmndenes\Vildspors\Tjenestefries\Abrased.Wig';$Benraden=$Caenostylic.SubString(44385,3);.$Benraden($Caenostylic)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
          PID:404
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1716

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ffdo4rf0.2ri.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsl6DF8.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        293165db1e46070410b4209519e67494

        SHA1

        777b96a4f74b6c34d43a4e7c7e656757d1c97f01

        SHA256

        49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

        SHA512

        97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

        Download Submit

      • C:\Users\Admin\AppData\Roaming\kolossens\livrente\markedsfringsomkostnings\rigsombudsmndenes\Vildspors\Tjenestefries\Abrased.Wig
        Filesize

        43KB

        MD5

        bdc6750fa9e7f3f0e0967e682d730c3f

        SHA1

        592f466b066cd59938eef2c53b9e41942d7cacce

        SHA256

        3bf087d329e163f4300a66e02e102e45f58d39a13acf1a116ecb946233d69aa6

        SHA512

        529621f4d8213bf2bcf9199c9b4add2c3c77461c8e1b75bc37aa1512590eb58af681f741489d023493fbb2043ba6ca4d00d6b9bab18d9e59ef3e1c8ea6ffc7eb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\kolossens\livrente\markedsfringsomkostnings\rigsombudsmndenes\Vildspors\Tjenestefries\Foregglet.Ech
        Filesize

        325KB

        MD5

        278eabc6a888eb13fa28b1feae6232e3

        SHA1

        6eda34920c123aa5af2c68fadf89ffaf8f1e56d0

        SHA256

        93d19fdb9883da0709cfbfb096d02e8addc64ed76d336f2d6920cd053068576d

        SHA512

        3eebe103b94705e6061982135d6ed5b8c4c097c2130b6cf2ac95f97e887eb242b4d172067315b00ad7ebbb9acd749dfb914b1300f364162baa4716128738bb9d

        Download Submit

      • memory/404-59-0x0000000002060000-0x0000000002D47000-memory.dmp

        Filesize

        12.9MB

        Download

      • memory/2228-40-0x0000000005D50000-0x0000000005D9C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2228-44-0x0000000006140000-0x0000000006162000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2228-25-0x0000000004F40000-0x0000000004FA6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2228-26-0x0000000005020000-0x0000000005086000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2228-23-0x0000000073B30000-0x00000000742E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2228-32-0x0000000005800000-0x0000000005B54000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2228-37-0x0000000004B90000-0x0000000004BA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2228-38-0x0000000004B90000-0x0000000004BA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2228-39-0x0000000005C70000-0x0000000005C8E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2228-22-0x00000000051D0000-0x00000000057F8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2228-41-0x0000000004B90000-0x0000000004BA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2228-42-0x00000000061D0000-0x0000000006266000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2228-43-0x00000000060F0000-0x000000000610A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2228-24-0x00000000049F0000-0x0000000004A12000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2228-45-0x00000000072C0000-0x0000000007864000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2228-21-0x0000000002300000-0x0000000002336000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2228-48-0x0000000007EF0000-0x000000000856A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2228-49-0x0000000004B90000-0x0000000004BA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2228-52-0x0000000004B90000-0x0000000004BA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2228-20-0x0000000004B90000-0x0000000004BA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2228-54-0x0000000007210000-0x0000000007214000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2228-55-0x0000000008570000-0x0000000009257000-memory.dmp

        Filesize

        12.9MB

        Download

      • memory/2228-56-0x0000000008570000-0x0000000009257000-memory.dmp

        Filesize

        12.9MB

        Download

      • memory/2228-57-0x0000000004B90000-0x0000000004BA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2228-58-0x00000000777A1000-0x00000000778C1000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2228-19-0x0000000073B30000-0x00000000742E0000-memory.dmp

        Filesize

        7.7MB

        Download