Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

e8a5b2b11d...3f.exe

windows7-x64

7

e8a5b2b11d...3f.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27/05/2024, 03:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe

  • Size

    12KB

  • MD5

    7f3b36803cad4ef33701fa937a792eb9

  • SHA1

    e7eaa8dd6b6abbdd2f0e1a6979a62e37dd0b9063

  • SHA256

    e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f

  • SHA512

    7e0aee2b2e17bc9d8b40515a4e1ed4713806f192fc5508304294de937584dd99e9b605e3363ab45b881ddab6aab8eab0c234f05788f4cd8cc30cfd542d06e26a

  • SSDEEP

    384:XL7li/2zseq2DcEQvdhcJKLTp/NK9xavw:blM/Q9cvw

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe
    "C:\Users\Admin\AppData\Local\Temp\e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kdyjte2u\kdyjte2u.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE51D299FADED462A8BD3A1311729BCF2.TMP"
        3⤵
          PID:2484
      • C:\Users\Admin\AppData\Local\Temp\tmp9992.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp9992.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources
      Filesize

      2KB

      MD5

      9a29a8fed9d25190f568adf99035d363

      SHA1

      75ca49ca3a336eb8b136f4daaaf6d49f7d30afdf

      SHA256

      91b93c3cc7dd834647db34d79f4d5b27edbadaefab11518abeec2251d2aec49c

      SHA512

      7ce03311cd3e1bcb360072c4160df5554dcd9523e5adcb7e2faf2be52eb0b33d0e703525d3ea5c21b161848bf472225407f13efab13a6c4a64648aaf752ee57b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES9DD5.tmp
      Filesize

      1KB

      MD5

      21cc886ed0ea6686cbfb90e51bc98d9a

      SHA1

      94ed39434a5d7dac60c7752c47cdd9ed787c500f

      SHA256

      cfa72d8687ae6f3f7f65a92c21053f90e7b734fc214d0a54d58fd690b44262cd

      SHA512

      c9f95af76da1a3716c47d65879d30aeae87f03a54a40506840d19b8e151cafd39bebe828eab0ee35ef94d0311d3e73655382a97e20b500eb3579374f247ae941

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\kdyjte2u\kdyjte2u.0.vb
      Filesize

      2KB

      MD5

      a689b2f458f5c62440090d182b3e529f

      SHA1

      d576219b816d8555e202ebaca082acb077340531

      SHA256

      1188c8c7115e6cd0e05b3164be0861cbcc19cae4e67a0b4988516d6ea195114f

      SHA512

      7bbc69c49590a04114b096e2b969fcff0a7bb2987c06ed348bd50b815fb122261f233efa78312cb51d4cf4ac69d1ff55d0c8bb334ebfa8f9635146fdd3fe9254

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\kdyjte2u\kdyjte2u.cmdline
      Filesize

      273B

      MD5

      0d94c2458b568b4452898951b593cc1a

      SHA1

      b76694e0a57ab08d0f2c862c20c53a6fa65bb6c7

      SHA256

      c235c07fbc44e7aa941aab464873fef03f11ff8c18a172d2983889867b2543f0

      SHA512

      22385ca803ddd2e12f79e3da55c0dc81eebb08f64587cffbe2b54485246e49edf3cb2c93c110187502876af84567286240fcfbf54182f0fcfe0e2f1bb8f969b8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vbcE51D299FADED462A8BD3A1311729BCF2.TMP
      Filesize

      1KB

      MD5

      958b3f654037d234bd639cd75206c4cc

      SHA1

      c42c065e946076d20af4d4de525715d1ff689120

      SHA256

      c8812b1e0c68196c8007ede483879f32cc3865876952b4e7e376d43ff78471f0

      SHA512

      ea4f227189aeed6030fa707f6c223ea91253ac523214755cc5ae6c18b8b2aa009489efc11ec8ac6716d7f6cd1c7817381bdbecf91e9048641224d66c4696dbf6

      Download Submit

    • \Users\Admin\AppData\Local\Temp\tmp9992.tmp.exe
      Filesize

      12KB

      MD5

      7bd4bb3c0c78ecc61546077e8b3cc6f0

      SHA1

      d2e8468e5c74085b1c68e1a373159fd3f3f2da8d

      SHA256

      c835f161402699a303ef0fe8e5c4aa3fff96ddd7ee9d332a7acbf85c45a50409

      SHA512

      76a25017d163b29e7feebb9e6a9af2733c81082df0219ace18258e9b145b943541419f528255ae354a82bcb6dea106195ad1ac4a550fe6fedf96c08590261c5a

      Download Submit

    • memory/2500-23-0x00000000002F0000-0x00000000002FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2684-0-0x000000007433E000-0x000000007433F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2684-1-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2684-7-0x0000000074330000-0x0000000074A1E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2684-24-0x0000000074330000-0x0000000074A1E000-memory.dmp

      Filesize

      6.9MB

      Download