Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27/05/2024, 02:32
Static task: static1
Behavioral task: behavioral1
- Sample: c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
- Resource: win10v2004-20240508-en
General
- Target: c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
- Size: 12KB
- MD5: b912a402c5c743b4fa0db4c9beded7a5
- SHA1: c64ae82aed37a3506450db09b5e4a5205fc009a2
- SHA256: c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad
- SHA512: dc973419fd632d9b7e497894c51edef6fb3439dba8cbbc9e702cf4fc057d4702075ba79a0ea69706d0b2373fb7249154d8b92577e4386c1f024134a6fe98ab72
- SSDEEP: 384:LL7li/2zZq2DcEQvdhcJKLTp/NK9xaSs:fxM/Q9cSs
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2588, process tmp1C48.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid 2588, process tmp1C48.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid 2096, process c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 2096, process c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description (pid, process, procid_target):
  PID 2096 wrote to memory of 2280 (2096, c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe, 28)
  PID 2096 wrote to memory of 2280 (2096, c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe, 28)
  PID 2096 wrote to memory of 2280 (2096, c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe, 28)
  PID 2096 wrote to memory of 2280 (2096, c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe, 28)
  PID 2280 wrote to memory of 2544 (2280, vbc.exe, 30)
  PID 2280 wrote to memory of 2544 (2280, vbc.exe, 30)
  PID 2280 wrote to memory of 2544 (2280, vbc.exe, 30)
  PID 2280 wrote to memory of 2544 (2280, vbc.exe, 30)
  PID 2096 wrote to memory of 2588 (2096, c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe, 31)
  PID 2096 wrote to memory of 2588 (2096, c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe, 31)
  PID 2096 wrote to memory of 2588 (2096, c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe, 31)
  PID 2096 wrote to memory of 2588 (2096, c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe, 31)
Processes
- C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe"
  PID: 2096
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3vbxqa1k\3vbxqa1k.cmdline"
    PID: 2280
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD415BD661E494725941B1795BF50344C.TMP"
      PID: 2544
  - C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1C48.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
    PID: 2588
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads