Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

2f5f773b2d...e9.exe

windows7-x64

7

2f5f773b2d...e9.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 20:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe

  • Size

    12KB

  • MD5

    d5156d6021e93fdefbbf8bb3d1efe6ab

  • SHA1

    81870cec5a4bbaf1d6e082ab3e299aa3cfdd1c21

  • SHA256

    2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9

  • SHA512

    e15383135836e00b07bd3095e4fe534e3492026632f6a830b7c0950d00362a49ac81c1558558e6a8e70da89aaefd0c5bee21dd919b3d7ffe1ac5b60f7a787f16

  • SSDEEP

    384:JL7li/2zkq2DcEQvdhcJKLTp/NK9xa6a:5QM/Q9c6a

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe
    "C:\Users\Admin\AppData\Local\Temp\2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jlihmie2\jlihmie2.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9109.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc75FF58A49BB84CFE8D82BE78A075864D.TMP"
        3⤵
          PID:2628
      • C:\Users\Admin\AppData\Local\Temp\tmp8DA0.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp8DA0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2504

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      d21c121facc126516412013b781c4b2f

      SHA1

      c23d39999e99f7aa7c3900dec025efb06ef190ce

      SHA256

      a1d8be46489514daa17e5496135b73a598c0b4185b9c7be01f9134f8f8df70d7

      SHA512

      404d0bee1a1ea4f133b36b34d949e5a3c2bb8095b654ced9c732c7a52232618ce8cf39f260529cf902e2cd3a6edb12d6129870fe7b429167233584d08181b3a5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES9109.tmp
      Filesize

      1KB

      MD5

      03d81a90462a0de78c5871d66e481dff

      SHA1

      e0641e9071de9134c9318b5e34d33d9fcf16d444

      SHA256

      300d20567b17c7f6453ecc221ed63940567085e5b59c4e76809852a7a0f4a1af

      SHA512

      28f356dc4f193a367fdc3b1552e8c81cb5607e479b6a58baf5644f523cc7bd1e36ea6f8d49a320f71af738dc69924751d80cbdefecf9e47721b550915393f3fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jlihmie2\jlihmie2.0.vb
      Filesize

      2KB

      MD5

      ff72015744782d51b68c7cd03822177e

      SHA1

      1924faf6f2306fa532a9585934c4c1ec46d68b5f

      SHA256

      d38e5a46a3668ae32636c749c65830aec6f4fc5d2eb390d0823454b5c4c4a7c5

      SHA512

      23a5efa79c0837a91b7e5fd7ef64e63e5b00569ec3338e1907702bab8703c2241960d4d19e06749f9ac2ddcc5985b1c57f36eea18cdfee3eb1eece6b495869d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jlihmie2\jlihmie2.cmdline
      Filesize

      273B

      MD5

      44e4480f4ff9fda80caad8d265adfe19

      SHA1

      d5db9ad05edbb0dd2f9e378e2d3f9be6db7e960a

      SHA256

      f55aeb98c9a3922da42bfb4d942c85b92c728620e5514551aba8e39f08c5f8e5

      SHA512

      a37a94165de5d8b9eeb1eebf221e24c462b9a9175695ef662eed35261760baa1b20f10bd6eb87547a682aa80493220170be82b78db4bfd8df98d774390368431

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp8DA0.tmp.exe
      Filesize

      12KB

      MD5

      c745e18fba133914508988047ff19ce4

      SHA1

      6e4f4e7e235b5d9f32ef71dbdac3a1b3fac5842b

      SHA256

      99a8f6ea833353c4ee3fb11b6ec68a40d724636493a06bcca23b9e77ec0caae9

      SHA512

      7e3b8b65c56196a6b60927f5ddfac055ffa4fd7559bee28ee31150f80054776bb3108f133c39c7a20d018ba7e154f01568413f4217c49669a8da767c66080bf1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbc75FF58A49BB84CFE8D82BE78A075864D.TMP
      Filesize

      1KB

      MD5

      84f42434ddc5e8beef25bf094593a566

      SHA1

      08abfd407496a85143ce8a7dd608e38eb73b4dd8

      SHA256

      947a9f71bc7f32733dade3d7bb239e398d09a09c7383d5dd5dc72c792fb0d5e4

      SHA512

      15bafa23d02682ba82a58e47a8134a5ff99708758d17a8217a8894464a7252a5136f146d2ab1b1db26c4176f87755a90bc96e2120e7908ca63dd8bc35d577ffe

      Download Submit

    • memory/1368-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1368-1-0x0000000000080000-0x000000000008A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1368-7-0x0000000074A40000-0x000000007512E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1368-24-0x0000000074A40000-0x000000007512E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2504-23-0x0000000000D40000-0x0000000000D4A000-memory.dmp

      Filesize

      40KB

      Download