Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

f0f0f63286...f3.exe

windows7-x64

7

f0f0f63286...f3.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    14/05/2024, 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0f0f63286d3c8e561b9775bae9db40ec615c43593636fd35edf816fd0aa63f3.exe

  • Size

    12KB

  • MD5

    09ddab34fd208c821b6f150d89fc9b0a

  • SHA1

    9cdc8f19a8e08a4cedf541aaafdd7cf7b116f470

  • SHA256

    f0f0f63286d3c8e561b9775bae9db40ec615c43593636fd35edf816fd0aa63f3

  • SHA512

    46cc22c54a06e7a445221911e64dc2cb0a55ec21187a9a532c68e598fa2d4e9ed67cf95904afbc4fe96767c74abc7322d75bdca1351d9d2a1e855a586536f570

  • SSDEEP

    384:IL7li/2zGq2DcEQvdQcJKLTp/NK9xaIT:2+MCQ9cIT

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0f0f63286d3c8e561b9775bae9db40ec615c43593636fd35edf816fd0aa63f3.exe
    "C:\Users\Admin\AppData\Local\Temp\f0f0f63286d3c8e561b9775bae9db40ec615c43593636fd35edf816fd0aa63f3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yfi5ittk\yfi5ittk.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES142C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69A5C3A1F3AF4E099D498B288BB75C1F.TMP"
        3⤵
          PID:2612
      • C:\Users\Admin\AppData\Local\Temp\tmp12D6.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp12D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f0f0f63286d3c8e561b9775bae9db40ec615c43593636fd35edf816fd0aa63f3.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2616

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      354c1b2aae0400b406e7d69d49e84aa8

      SHA1

      b476c3dd22a25ace91f50050ab6eea86d986dbcb

      SHA256

      dc6b7b3476d4f9fc8228d33748cfbf8a8e49d3e5adb4d2033744fcbbc4949b30

      SHA512

      d2150c7d53c172840fb3def47173d88e703d7eb7591646a637d06fc2ae4815bd594a16f8f11907ce44f38ed0fc46d09d4cebe6f74d5065c3e4b42c021132e303

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES142C.tmp
      Filesize

      1KB

      MD5

      4d65692f5a4817ec2a99bccea2145e74

      SHA1

      9a6eecded6708b754edb1e75978588084e53dff8

      SHA256

      debdbddba1581ba7916133056964b14b1327e57b268ed2731126acb94ab5adc1

      SHA512

      0d33d8ec2412f64048271a1cf4fc02a926cb805aff5245c2518d5da32d128736ef47f621f0a90318fae0773ff4ab4fb935f8e09451b5d0329414398e73a2a07a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp12D6.tmp.exe
      Filesize

      12KB

      MD5

      5f5d0d3793608f191cf26a79453e5256

      SHA1

      bc6886c7c234d4014ef100289e131124e3089313

      SHA256

      3766bafd484d4bd2ee1e19b0822b7a2729d4871b36714ef4fe504836a87b138d

      SHA512

      b7e1fca70e2a71841b5e24c7e7fac2acfc5c34091519067647ce2aa59ef5839a882ab09f04e12850bd7b4be885778a18eec40f359cae78656cf2f1d24f4096aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc69A5C3A1F3AF4E099D498B288BB75C1F.TMP
      Filesize

      1KB

      MD5

      5d1201e6cff0618a1d0f8c058e989ded

      SHA1

      6035b1fd6290e9474a537137bb6f05cb89dd3d93

      SHA256

      bddea16259b74f44b8e3f3b57d388d0d0e9a2ecfebd7904e8d59ec61c1c11111

      SHA512

      ff98519867db59360e8fbcf5b50b774600d718750500c0342575f5993a8a8c04fa6843ae5ba427bd4797c5d9d213242e4d6fd743ec127ba79b8ca6f8d702cae1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\yfi5ittk\yfi5ittk.0.vb
      Filesize

      2KB

      MD5

      6448da591b353a05cc25fbb1c2c77a43

      SHA1

      1d829e38205db4ab64cf69cefbf0e195559cf2fc

      SHA256

      8d86ba09a45dfe9ab751e62c5dbc4451a738d925d86c16d672b19628cf9a42d6

      SHA512

      b339e0e7634b3d5e8f942d65b6b73c9eb8817993f00b641bcd777309649e37d92f297a27054561af5c40c9f8987733a108e2f0496f18068443d7da64b1d2f7a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\yfi5ittk\yfi5ittk.cmdline
      Filesize

      273B

      MD5

      a12ae68ae34d86f57359aace7dbf1222

      SHA1

      1f704269e361f3ed5fd45d193a30597990de9967

      SHA256

      f8770b3c65ecf4b7f09fbfb06e42527e1e8ec121575cd2f29a8d15b55a1f6085

      SHA512

      de0ba05acdd568b586a6fc752126523a5932fa5062cdeb60c9e66bf23e7851f1f066dfd5967db646f8c518f959750eccb1a82ba994455fa4fc7f744aab6b7e85

      Download Submit

    • memory/2388-0-0x000000007491E000-0x000000007491F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-1-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2388-7-0x0000000074910000-0x0000000074FFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2388-24-0x0000000074910000-0x0000000074FFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2616-23-0x0000000000B70000-0x0000000000B7A000-memory.dmp

      Filesize

      40KB

      Download