Analysis
max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240220-en
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted
14/05/2024, 20:55
Static task
static1
Behavioral task
behavioral1
Sample
406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
Resource
win10v2004-20240508-en
General
Target
406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
Size
12KB
MD5
aa580da9da1f259dec6d73c7207ea2d3
SHA1
a1bc7cb3e92ff308f1bd5d300d60dcdc98f30a25
SHA256
406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c
SHA512
7d1790d250666c952000c0da37e4971e8d2ece91d8f79786f30dafe7214631a2c7a9587386139e5b0cdc84fcf44ea9ba3797f81d71696c290527f4842b924fbf
SSDEEP
384:9L7li/2zsTq2DcEQvdhcJKLTp/NK9xa1R:twM/Q9c1R
Malware Config
Signatures
Deletes itself (1 IoC)
pid   Process
2408  tmp2C7E.tmp.exe
Executes dropped EXE (1 IoC)
pid   Process
2408  tmp2C7E.tmp.exe
Loads dropped DLL (1 IoC)
pid   Process
3028  406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  3028  406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process                                                                 procid_target
PID 3028 wrote to memory of 2944   3028  406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe  28
PID 3028 wrote to memory of 2944   3028  406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe  28
PID 3028 wrote to memory of 2944   3028  406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe  28
PID 3028 wrote to memory of 2944   3028  406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe  28
PID 2944 wrote to memory of 2636   2944  vbc.exe                                                                 30
PID 2944 wrote to memory of 2636   2944  vbc.exe                                                                 30
PID 2944 wrote to memory of 2636   2944  vbc.exe                                                                 30
PID 2944 wrote to memory of 2636   2944  vbc.exe                                                                 30
PID 3028 wrote to memory of 2408   3028  406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe  31
PID 3028 wrote to memory of 2408   3028  406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe  31
PID 3028 wrote to memory of 2408   3028  406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe  31
PID 3028 wrote to memory of 2408   3028  406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe  31
Processes
1. C:\Users\Admin\AppData\Local\Temp\406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe"
   PID: 3028
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m5ntbwkh\m5ntbwkh.cmdline"
      PID: 2944
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93957A53C0C9420FB650A5D87D14B70.TMP"
         PID: 2636
   2. C:\Users\Admin\AppData\Local\Temp\tmp2C7E.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2C7E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe
      PID: 2408
      - Deletes itself
      - Executes dropped EXE
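The process tree above shows the three stages worth alerting on: a binary running out of a user-writable Temp directory invokes the .NET VB compiler with a response file (vbc.exe /noconfig @...cmdline), the compiler spawns cvtres.exe for resource conversion, and the original binary then executes a freshly written tmpXXXX.tmp.exe with its own path on the command line, which is how the "Deletes itself" step is handed off. The following detection logic is an added example and is not part of the sandbox report or of any Hatching Triage rule. It runs over constructed process-creation events (Sysmon Event ID 1 shaped) that reproduce the PIDs and command lines of this report; the parent PID 1000, the csc.exe entry, and the benign devenv.exe pair are assumptions introduced for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record: the fields a Sysmon Event ID 1 carries."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Directories a legitimate build toolchain is not launched from.
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\|\\Users\\Public\\", re.I)
# vbc.exe is what the report shows; csc.exe is included as an assumption because
# the same runtime compile path (CodeDOM) can drive the C# compiler instead.
COMPILERS = {"vbc.exe", "csc.exe"}
# Name shape of the dropped helper in the report (tmp2C7E.tmp.exe).
TMP_EXE = re.compile(r"^tmp[0-9a-f]{4}\.tmp\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, int]]:
    """Return (rule, child_pid, parent_pid) for each event matching one stage of
    the chain. Parents are resolved against the whole batch, so arrival order
    does not matter."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[str, int, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        name = basename(e.image)
        # Stage 1: compiler fed a response file by a parent living in Temp.
        if name in COMPILERS and "@" in e.cmdline and USER_WRITABLE.search(parent.image):
            hits.append(("compiler_spawned_from_temp", e.pid, parent.pid))
        # Stage 2: cvtres.exe under a compiler whose own parent lives in Temp.
        if name == "cvtres.exe" and basename(parent.image) in COMPILERS:
            grand = by_pid.get(parent.ppid)
            if grand is not None and USER_WRITABLE.search(grand.image):
                hits.append(("cvtres_under_temp_compiler", e.pid, parent.pid))
        # Stage 3: dropped tmpXXXX.tmp.exe started with the parent's own image
        # path as an argument, the handoff used to delete the original.
        if TMP_EXE.match(name) and parent.image.lower() in e.cmdline.lower():
            hits.append(("self_delete_helper", e.pid, parent.pid))
    return hits


def p(*parts: str) -> str:
    """Join path components with backslashes (keeps the sample readable)."""
    return "\\".join(parts)


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE = "406b80f654150141cc0eb7ebe4cff3af178d8ac52a5ef6594bb92cb2e877b94c.exe"

# Constructed events: the first four mirror the report's tree (PIDs 3028, 2944,
# 2636, 2408; parent PID 1000 is assumed), the last two are an assumed benign
# Visual Studio build used to show the rule does not fire on a normal compile.
SAMPLE_EVENTS = [
    ProcEvent(3028, 1000, p(TEMP, SAMPLE), '"' + p(TEMP, SAMPLE) + '"'),
    ProcEvent(2944, 3028, p(NET, "vbc.exe"),
              '"' + p(NET, "vbc.exe") + '" /noconfig @"' + p(TEMP, "m5ntbwkh", "m5ntbwkh.cmdline") + '"'),
    ProcEvent(2636, 2944, p(NET, "cvtres.exe"),
              p(NET, "cvtres.exe") + ' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + p(TEMP, "RES2D86.tmp")
              + '" "' + p(TEMP, "vbc93957A53C0C9420FB650A5D87D14B70.TMP") + '"'),
    ProcEvent(2408, 3028, p(TEMP, "tmp2C7E.tmp.exe"),
              '"' + p(TEMP, "tmp2C7E.tmp.exe") + '" ' + p(TEMP, SAMPLE)),
    ProcEvent(500, 1, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", '"devenv.exe"'),
    ProcEvent(501, 500, p(NET, "vbc.exe"),
              '"' + p(NET, "vbc.exe") + '" /noconfig @"C:\\src\\proj\\obj\\proj.cmdline"'),
]

if __name__ == "__main__":
    for rule, child, parent in detect(SAMPLE_EVENTS):
        print(f"{rule}: child pid {child} under parent pid {parent}")
```

Stage 1 alone is a strong signal: compiling Visual Basic source at runtime from a Temp-resident parent is the pattern of loaders that ship their payload as source to avoid static detection of a compiled binary, and cvtres.exe under vbc.exe is simply the compiler's resource step, which is why stage 2 is keyed to the grandparent rather than to cvtres.exe itself. Stage 3 is the self-deletion handoff: a helper that cannot be deleted while it runs outlives the original and removes it afterwards, so the original's path appears verbatim on the child's command line.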
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
2KB
MD5
ae366dc840608dc87ce5276129a7a937
SHA1
fcbe5eab7c7bf3aa203902697ad45b7d20671c9d
SHA256
44267fe97b4ad2190018f8cff90d21eedabf9eb8a2d1101f56c5d60781e02877
SHA512
20d6d0beec03ff85d4fad8704ee27fa1f880c853edfc75c99a126bda6c0cde6e5cbb4c3bfa850c4194fbb0946be04617f5694547e4ea9a883649b00a5940b4df

Filesize
1KB
MD5
cd227471e1d2fa9dde3b295de3fda24c
SHA1
6cf7c801bfac1456f45b2bae27f227f56418061c
SHA256
9da50796d1fef8e8e7a296c9d6b3342253a551494136ec3cc2edc639f6f5d935
SHA512
9fd8521154415a849fe29179ea56e42a3cadf939315fd0e4553445769671f507df6016beef25282d298b87c4d04bbd61831139c1f7e50cd37ad22568e05707f0

Filesize
2KB
MD5
f687b4a2c6ff909be059bcb5c8479aaa
SHA1
94e2e52abd23b975d9aac8aa08e5ee2ddf455543
SHA256
041cdf972e05bf4d0c382ddd9e1ecbf2ef16089a1799459d10547e738e73af98
SHA512
0267e421c0e91cf1d27c30c4039a13906295fd4f335a4984eba1fd892e384819e74511c0adbcc30382ef1d11c162ae5fd867b9b6e3f7c2dea549c2c2459e882b

Filesize
273B
MD5
692667aa5cc30bc8648699ec1c3644c4
SHA1
adfab60aa5ffdf1fc40f83cba2f23a7a179369e8
SHA256
af440c7ccc8c216a778b9d5803b7b874c86bbc107b303f2bfcb14c406d7f7c46
SHA512
0e3d692823dd557db16a8471582ece00ed2955183e1862256828e7c0a163e0fd022d05432924af76c06bf8aaf2e807bb30a6bf5fa6df55e40ec0f7f2a96f43bb

Filesize
12KB
MD5
f06c842349a5ac821c2c977b2c4f6c96
SHA1
2dae3c9358c869606433417288713de049f119c8
SHA256
b82b756e942880a608243872b1d7a76941f2ec8e9709ef161a6d72a586bd282e
SHA512
7ccb419151d0547bea124022c625c5adda469dd01b28044147f193c7d0283fa14029e3f4a94190a4a2225da28d68a7dc2a6767b0518d04e26e54883006d3e8b6

Filesize
1KB
MD5
92ce27c88f0f824b836fc9d08e2a1d0b
SHA1
2d3039de3095115b303f64889712d0a0884efb5d
SHA256
b79ab0f2f030d79ded08f2b02e8ecdec97d0dcebbcf69007f4dbdfc995050fcd
SHA512
efc0cc201646eafb7727e0abf6758a1bee9f041ad8f2ec905f5a2caa9bfe9f7a8b0251480a67284df4bbf48037b37c9139fa35549f60b1eb15cfbc67626680f7