Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

10bf38821b...e1.exe

windows7-x64

7

10bf38821b...e1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    19/05/2024, 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe

  • Size

    12KB

  • MD5

    3dca6c626c9363766d4bd4108b0f46f6

  • SHA1

    6e3caa5776ba1bedbb33e469d59d0f425e051897

  • SHA256

    10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1

  • SHA512

    b7665e0ebb72f4654ad14b5a53b81454e485f2ce33df64e93eb7c4aec513d7d2110d75f54e0dcfe7bf009bdf5020b465f63410eb3ab83e9d3916ab05f8b60192

  • SSDEEP

    384:mL7li/2z4q2DcEQvdhcJKLTp/NK9xa1C:AkM/Q9c1C

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe
    "C:\Users\Admin\AppData\Local\Temp\10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tyvvuq12\tyvvuq12.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES120A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3259F0C67784FA5A610BE2D6D465BBE.TMP"
        3⤵
          PID:1992
      • C:\Users\Admin\AppData\Local\Temp\tmp10E3.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp10E3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      6a6e9ff237efd75dcbe6df94e46d9007

      SHA1

      9c78df78fcac55555bdd156970b180bd90579fad

      SHA256

      a14d7807edb416715ab1663db5a49d29a284ab13e6b7d2bbbbb539bb3acb82a9

      SHA512

      0633659f120e68a3407026076820a56a376f65a0d9f7141c294f49b29b5a558382fbd16f571433e5bfe8956ae567a28833d94b1a5c6f385060f905eba14e82af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES120A.tmp
      Filesize

      1KB

      MD5

      88bb8f4f378e678d8913d04b5e2573d2

      SHA1

      11e6640c5bcc561197919448c7e4a19ca848a3dc

      SHA256

      7b3b1e6f91891cbea26d0b7b81e589536ba0f652d8e6c3a825fdd19c6f2d981c

      SHA512

      b006de152a81554e6cac76ceabcd0baac7cd07ec61837a52543e33f9dfd5fe8767ad21ec0c27eaef3837ac39cc333de9200c75d03f85fc74b3541b1a3b3db71d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp10E3.tmp.exe
      Filesize

      12KB

      MD5

      b6712ea52cde9e4b999491b780fdf464

      SHA1

      99fee12ccbe5f5357785c173cbb3f384f2fc5036

      SHA256

      47f6013c30e2b6785b8d888be868a776e91102ca389bf9fe1397cd75e5708434

      SHA512

      9a851f3d410901b7cec2adb29a6ad639b622e772c11987ddfe09d5d9816ff62b54df13345818c6faeba31854f66963179a33f18689d874e2876501df0ea68841

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tyvvuq12\tyvvuq12.0.vb
      Filesize

      2KB

      MD5

      8662f2f1bf1f8ab81b352f5e41beac41

      SHA1

      7129f64ce53401bf19301478b9681351989cee1b

      SHA256

      383ed7fa1fcc2d0897f22cdf4d68b40b4e1cc3d9d7175087af88b6e8eb4bd014

      SHA512

      4955a199847f263a134cdb927e28bb16f414fdc5c12f04fc16f87ab18ebbe39e7e138142c9dec96dd0165247f20cfcd0b98586dcd18b2838521d553c9a1d238b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tyvvuq12\tyvvuq12.cmdline
      Filesize

      273B

      MD5

      8e5896abc31a554be470d9d90887db31

      SHA1

      d7dd3fce6f965e12a0ce3da9950e7460c2c68672

      SHA256

      b84e180bc7fa8c126e34369a043caa2dd32e630381b7f86dcbca6fe0797bc0b0

      SHA512

      4fab2bf6b7a4eb6e900dabc5c4c1b9c95310c36a422544f6fd5a5dcfe1ecf5a1bcc227fb06497238407f621d0f97bc9339c29f5d5df174ccf651304d8624709f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcF3259F0C67784FA5A610BE2D6D465BBE.TMP
      Filesize

      1KB

      MD5

      eb043ea5d7a1eeefe3135a11767f0005

      SHA1

      6163ceb66ec5adc1150fcffce548744f099414b0

      SHA256

      9eaba20da1fee9dbc86df43d8b3b35784c4b55dc5535eb6b109ba9dcb70fa1d2

      SHA512

      4c8f12cd59b16e692fe2bffed5feb2d9a076c1565f11467605ba99ab266ecc0bf28e614840c1dd66e52f37c0f9865488809a23a80ab9125603ca79f7841f8fff

      Download Submit

    • memory/1756-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1756-1-0x00000000008D0000-0x00000000008DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1756-7-0x00000000746D0000-0x0000000074DBE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1756-24-0x00000000746D0000-0x0000000074DBE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2884-23-0x0000000000A70000-0x0000000000A7A000-memory.dmp

      Filesize

      40KB

      Download