Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 11/05/2024, 22:38
Static task
- static1

Behavioral task
- behavioral1
- Sample: 5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
- Resource: win7-20240220-en

Behavioral task
- behavioral2
- Sample: 5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
- Resource: win10v2004-20240426-en
General
- Target: 5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
- Size: 12KB
- MD5: 654bb6eb55d613bf3d91b448eaa473a4
- SHA1: fffeaa09369ed614a787528d63e80b174fa955f8
- SHA256: 5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8
- SHA512: 95d9971db036ff91c6c2fa9be7be74aed5e8b77ecdeb2559ef7d72958ba54d70d1420a44f7b92f4bc828c0c691b45fb618aa9239ccc20846ae79b3a7a548e75b
- SSDEEP: 384:zL7li/2zHq2DcEQvdhcJKLTp/NK9xaZp:XbM/Q9cZp
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  2680  tmp1085.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  2680  tmp1085.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  2364  5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2364  5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                procid_target
  PID 2364 wrote to memory of 2300  2364  5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe  28
  PID 2364 wrote to memory of 2300  2364  5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe  28
  PID 2364 wrote to memory of 2300  2364  5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe  28
  PID 2364 wrote to memory of 2300  2364  5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe  28
  PID 2300 wrote to memory of 2544  2300  vbc.exe                                                                30
  PID 2300 wrote to memory of 2544  2300  vbc.exe                                                                30
  PID 2300 wrote to memory of 2544  2300  vbc.exe                                                                30
  PID 2300 wrote to memory of 2544  2300  vbc.exe                                                                30
  PID 2364 wrote to memory of 2680  2364  5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe  31
  PID 2364 wrote to memory of 2680  2364  5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe  31
  PID 2364 wrote to memory of 2680  2364  5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe  31
  PID 2364 wrote to memory of 2680  2364  5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe  31
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe"
  PID: 2364
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qtfothdb\qtfothdb.cmdline"
    PID: 2300
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11AD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F293602BAFA4FD7A750D42B98D288CD.TMP"
      PID: 2544
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp1085.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1085.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
    PID: 2680
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads