Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 30/05/2024, 19:38
Static task: static1
Behavioral task: behavioral1
Sample: 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
Resource: win10v2004-20240508-en
General
Target: 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
Size: 12KB
MD5: c078a412683a55a2fabfe7351daf5aef
SHA1: d5b864368e318aab0740e41384c82e37b5fc398c
SHA256: 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44
SHA512: 7a0e29f72dab53f626a9feec6dc1474dc2225dde59d3c41fcd55ce9f07804ee0e18fc6cf366c54639a337fde78ed24aadf84fb5f780a70ef3bc81d5f1a09f664
SSDEEP: 384:eL7li/2zbq2DcEQvdQcJKLTp/NK9xahW:IfMCQ9chW
Malware Config
Signatures
Deletes itself (1 IoCs)
pid 2900, process tmp2B65.tmp.exe
Executes dropped EXE (1 IoCs)
pid 2900, process tmp2B65.tmp.exe
Loads dropped DLL (1 IoCs)
pid 3056, process 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
Uses the VBS compiler for execution (1 TTPs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Token: SeDebugPrivilege, pid 3056, process 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | procid_target
PID 3056 wrote to memory of 2420 | 3056 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 28
PID 3056 wrote to memory of 2420 | 3056 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 28
PID 3056 wrote to memory of 2420 | 3056 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 28
PID 3056 wrote to memory of 2420 | 3056 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 28
PID 2420 wrote to memory of 2292 | 2420 | vbc.exe | 30
PID 2420 wrote to memory of 2292 | 2420 | vbc.exe | 30
PID 2420 wrote to memory of 2292 | 2420 | vbc.exe | 30
PID 2420 wrote to memory of 2292 | 2420 | vbc.exe | 30
PID 3056 wrote to memory of 2900 | 3056 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 31
PID 3056 wrote to memory of 2900 | 3056 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 31
PID 3056 wrote to memory of 2900 | 3056 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 31
PID 3056 wrote to memory of 2900 | 3056 | 1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe (PID 3056)
    command line: "C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe"
    signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2420, child of 3056)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\430quyqr\430quyqr.cmdline"
      signatures: Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2292, child of 2420)
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E2CD95D590940589D90E1494668B7CB.TMP"
  C:\Users\Admin\AppData\Local\Temp\tmp2B65.tmp.exe (PID 2900, child of 3056)
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp2B65.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
      signatures: Deletes itself; Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: dc33e80a3a777c6747787ae44bf67456
SHA1: 921489cfe33408b6ea09284765f9c161eb321541
SHA256: 93a9d5527b695a7a3b13c5fac9a17beddce08907f41b3c5cb9d0517351c5658b
SHA512: 1bdd72c5f229df503239b67ca61a393eabaf674eeb5601fb5a7dc0e38c28cac47ae1f66b809f8fbec955b17ef684bec974919e2605b1258ed92e67ed79d8c101

Filesize: 273B
MD5: 9b081dfb7b0133bfdad604e47b29d1b7
SHA1: 65a73c00e3e2b3b42eef69025b73d175b52e1410
SHA256: fbb36d35e0a9f882a91d59d04cf634c5cbfe0c72a6484124d8eefc199003173a
SHA512: a7c763849d4d30e6af41a31661f28e94d9d12455e43c1fae690a875793c526c2b3b9902090cbab0d08caea577ae28a613eca6cb87e6adbe2c42b723bd1023293

Filesize: 2KB
MD5: 71b7df11cb5d2142da017bd1c19f1910
SHA1: 9f19afb7ddace40f88abdd6caba3c962cd55ace0
SHA256: 533a7a2285c070e7f0d6b6231fa828140ef0659205ec287dd8300eb3cfcc06f7
SHA512: cde7bdc76393b8a0a0579268a661ea465f1f9e748a5535dbaa11d52fccc798c30e346021f26878b6102d56d0f4f4034c3ae2ff490b3df9bf70b7dd9c2e4658a2

Filesize: 1KB
MD5: a0cabdcf77cd58c4ffad1026aa3f9f02
SHA1: d9dcdad95474aec9c26466ba1af88d38cf4169ad
SHA256: 6767f59736618ea5f3390fe1980c28402c980bcfd786fcbf92dd5070c1c2ca83
SHA512: 9f7e01c73788513a660989147d5b71bea1959fe0181d1fc7df56bde84ed3cb2e64687433120a83f713c5640b70152852152f15f5abae2e0bd3bccc2a58f60573

Filesize: 12KB
MD5: 07492a8473f77f6fabe999c2dd1d8f81
SHA1: 51070c54c31136f127c4d970b1b953e736289883
SHA256: 4eef693ae6102ad6972fe708272f5000cfd98ae16faabf3573fd749e452943c6
SHA512: 6c9d3992b2da1876b1ce64205db69a875a59bbcaa6702292cc2c5682331f7dec94791615997267d56afd4cb77c18d8a6de980f5e3ecc84459bb3c8fe4471cbf1

Filesize: 1KB
MD5: cffd5634b7ec9fc53c76c84412afeb74
SHA1: 8153fc498ad82b18ffa161fbbec63c808521d168
SHA256: a0deb12af8f638765ed11958e9e43270e94326da80841c33871bae1b24804dfc
SHA512: 29bfebed17bcb2b8eb8f0bf5f85792351afc82aae7bee4c15d80f2c35961792a2c3d0b981811854fcc33e01151972a0e733b0649638ce39957b186e4aea1ee08