Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

406b80f654...4c.exe

windows7-x64

7

406b80f654...4c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    14/05/2024, 20:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe

  • Size

    12KB

  • MD5

    aa580da9da1f259dec6d73c7207ea2d3

  • SHA1

    a1bc7cb3e92ff308f1bd5d300d60dcdc98f30a25

  • SHA256

    406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c

  • SHA512

    7d1790d250666c952000c0da37e4971e8d2ece91d8f79786f30dafe7214631a2c7a9587386139e5b0cdc84fcf44ea9ba3797f81d71696c290527f4842b924fbf

  • SSDEEP

    384:9L7li/2zsTq2DcEQvdhcJKLTp/NK9xa1R:twM/Q9c1R

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
    "C:\Users\Admin\AppData\Local\Temp\406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m5ntbwkh\m5ntbwkh.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93957A53C0C9420FB650A5D87D14B70.TMP"
        3⤵
          PID:2636
      • C:\Users\Admin\AppData\Local\Temp\tmp2C7E.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp2C7E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2408

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      ae366dc840608dc87ce5276129a7a937

      SHA1

      fcbe5eab7c7bf3aa203902697ad45b7d20671c9d

      SHA256

      44267fe97b4ad2190018f8cff90d21eedabf9eb8a2d1101f56c5d60781e02877

      SHA512

      20d6d0beec03ff85d4fad8704ee27fa1f880c853edfc75c99a126bda6c0cde6e5cbb4c3bfa850c4194fbb0946be04617f5694547e4ea9a883649b00a5940b4df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES2D86.tmp
      Filesize

      1KB

      MD5

      cd227471e1d2fa9dde3b295de3fda24c

      SHA1

      6cf7c801bfac1456f45b2bae27f227f56418061c

      SHA256

      9da50796d1fef8e8e7a296c9d6b3342253a551494136ec3cc2edc639f6f5d935

      SHA512

      9fd8521154415a849fe29179ea56e42a3cadf939315fd0e4553445769671f507df6016beef25282d298b87c4d04bbd61831139c1f7e50cd37ad22568e05707f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\m5ntbwkh\m5ntbwkh.0.vb
      Filesize

      2KB

      MD5

      f687b4a2c6ff909be059bcb5c8479aaa

      SHA1

      94e2e52abd23b975d9aac8aa08e5ee2ddf455543

      SHA256

      041cdf972e05bf4d0c382ddd9e1ecbf2ef16089a1799459d10547e738e73af98

      SHA512

      0267e421c0e91cf1d27c30c4039a13906295fd4f335a4984eba1fd892e384819e74511c0adbcc30382ef1d11c162ae5fd867b9b6e3f7c2dea549c2c2459e882b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\m5ntbwkh\m5ntbwkh.cmdline
      Filesize

      273B

      MD5

      692667aa5cc30bc8648699ec1c3644c4

      SHA1

      adfab60aa5ffdf1fc40f83cba2f23a7a179369e8

      SHA256

      af440c7ccc8c216a778b9d5803b7b874c86bbc107b303f2bfcb14c406d7f7c46

      SHA512

      0e3d692823dd557db16a8471582ece00ed2955183e1862256828e7c0a163e0fd022d05432924af76c06bf8aaf2e807bb30a6bf5fa6df55e40ec0f7f2a96f43bb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp2C7E.tmp.exe
      Filesize

      12KB

      MD5

      f06c842349a5ac821c2c977b2c4f6c96

      SHA1

      2dae3c9358c869606433417288713de049f119c8

      SHA256

      b82b756e942880a608243872b1d7a76941f2ec8e9709ef161a6d72a586bd282e

      SHA512

      7ccb419151d0547bea124022c625c5adda469dd01b28044147f193c7d0283fa14029e3f4a94190a4a2225da28d68a7dc2a6767b0518d04e26e54883006d3e8b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc93957A53C0C9420FB650A5D87D14B70.TMP
      Filesize

      1KB

      MD5

      92ce27c88f0f824b836fc9d08e2a1d0b

      SHA1

      2d3039de3095115b303f64889712d0a0884efb5d

      SHA256

      b79ab0f2f030d79ded08f2b02e8ecdec97d0dcebbcf69007f4dbdfc995050fcd

      SHA512

      efc0cc201646eafb7727e0abf6758a1bee9f041ad8f2ec905f5a2caa9bfe9f7a8b0251480a67284df4bbf48037b37c9139fa35549f60b1eb15cfbc67626680f7

      Download Submit

    • memory/2408-23-0x00000000010C0000-0x00000000010CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3028-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3028-1-0x00000000012A0000-0x00000000012AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3028-7-0x00000000744C0000-0x0000000074BAE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3028-24-0x00000000744C0000-0x0000000074BAE000-memory.dmp

      Filesize

      6.9MB

      Download