Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 29/05/2024, 00:18
Static task: static1
Behavioral task: behavioral1
- Sample: 98aff4f56a9dc4336459d1ab6d25a8e6948de10f6e117d820cffc3ae1764652c.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 98aff4f56a9dc4336459d1ab6d25a8e6948de10f6e117d820cffc3ae1764652c.exe
- Resource: win10v2004-20240508-en
General
- Target: 98aff4f56a9dc4336459d1ab6d25a8e6948de10f6e117d820cffc3ae1764652c.exe
- Size: 234KB
- MD5: 1f88f1bce5e1d74b30f89808880fb4d6
- SHA1: 40bd02e6f8b5b82576ea652552c85f32aaeedd7a
- SHA256: 98aff4f56a9dc4336459d1ab6d25a8e6948de10f6e117d820cffc3ae1764652c
- SHA512: 524abb3523c4f8f16d1156d415404ead694a551ec82d12105145e0542a94cea6741a9e4b47a56bb41f5710692ae81682e2192e7890b6b0f40c584b572c90c56c
- SSDEEP: 6144:/eIcZPAjQN79B8aDT2SCguONhWV9NgHd6Z:/erZPAm74g/dNhQG
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  2432  diskhost.exe
  1620  ~3820.tmp
  2700  bthueout.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  2368  98aff4f56a9dc4336459d1ab6d25a8e6948de10f6e117d820cffc3ae1764652c.exe
  2368  98aff4f56a9dc4336459d1ab6d25a8e6948de10f6e117d820cffc3ae1764652c.exe
  2432  diskhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\bthueout = "C:\\Users\\Admin\\AppData\\Roaming\\ctfmcont\\diskhost.exe"
  Process: 98aff4f56a9dc4336459d1ab6d25a8e6948de10f6e117d820cffc3ae1764652c.exe
- Drops file in System32 directory (1 IoC)
  description: File created
  ioc: C:\Windows\SysWOW64\bthueout.exe
  Process: 98aff4f56a9dc4336459d1ab6d25a8e6948de10f6e117d820cffc3ae1764652c.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2432  diskhost.exe
  1180  Explorer.EXE (this entry is repeated for all remaining IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid 2432, Process diskhost.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2368 wrote to memory of 2432   2368  98aff4f56a9dc4336459d1ab6d25a8e6948de10f6e117d820cffc3ae1764652c.exe  28  (entry recorded 4 times)
  PID 2432 wrote to memory of 1620   2432  diskhost.exe                                                              29  (entry recorded 4 times)
  PID 1620 wrote to memory of 1180   1620  ~3820.tmp                                                                 21
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1180
  - C:\Users\Admin\AppData\Local\Temp\98aff4f56a9dc4336459d1ab6d25a8e6948de10f6e117d820cffc3ae1764652c.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\98aff4f56a9dc4336459d1ab6d25a8e6948de10f6e117d820cffc3ae1764652c.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2368
    - C:\Users\Admin\AppData\Roaming\ctfmcont\diskhost.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\ctfmcont"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2432
      - C:\Users\Admin\AppData\Local\Temp\~3820.tmp (depth 4)
        Command line: 1180 239624 2432 1
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 1620
- C:\Windows\SysWOW64\bthueout.exe (depth 1)
  Command line: C:\Windows\SysWOW64\bthueout.exe -s
  - Executes dropped EXE
  PID: 2700
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 86dc243576cf5c7445451af37631eea9
  SHA1: 99a81c47c4c02f32c0ab456bfa23c306c7a09bf9
  SHA256: 25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a
  SHA512: c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4
- Filesize: 234KB
  MD5: cb8129977551f52c2fdb687ae94d11a5
  SHA1: c5de3667141d9cacbd50dc6baff2e4fc13e37479
  SHA256: 87fa4967ba333092fb416664407546baa5a551b3bab992f43c4284002df2f210
  SHA512: 8000153716f7ceddb70ee177c5431914cba0835f67fe60761304086be569deec3979ca5221c60cca16d733e380218ae7023d0c1cc86eaf6bedbd8baa62882d50