Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 06/06/2024, 22:46
Static task: static1
Behavioral task: behavioral1
  Sample: 4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
  Resource: win10v2004-20240508-en
General
Target: 4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
Size: 12KB
MD5: cc36e5481ade2f8aff59cc64e1712bb5
SHA1: 248e59954c144e31e22b6127890a04710a134718
SHA256: 4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43
SHA512: c9ee4281d1ea247fd53a3736f57a331abc894d6a9b2ef03464968a8c6950146a36dab3a87bfc32848bede3f7e81dc7bd4415c54cefdb506eb998a39f42536145
SSDEEP: 384:hL7li/2zAq2DcEQvdQcJKLTp/NK9xaMi:BMMCQ9cMi
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 2716  Process tmp1131.tmp.exe
Executes dropped EXE (1 IoCs)
  pid 2716  Process tmp1131.tmp.exe
Loads dropped DLL (1 IoCs)
  pid 1612  Process 4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
Uses the VBS compiler for execution (1 TTPs)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege  pid 1612  Process 4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process                                                                  procid_target
  PID 1612 wrote to memory of 1708    1612  4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe    28
  PID 1612 wrote to memory of 1708    1612  4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe    28
  PID 1612 wrote to memory of 1708    1612  4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe    28
  PID 1612 wrote to memory of 1708    1612  4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe    28
  PID 1708 wrote to memory of 2656    1708  vbc.exe                                                                  30
  PID 1708 wrote to memory of 2656    1708  vbc.exe                                                                  30
  PID 1708 wrote to memory of 2656    1708  vbc.exe                                                                  30
  PID 1708 wrote to memory of 2656    1708  vbc.exe                                                                  30
  PID 1612 wrote to memory of 2716    1612  4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe    31
  PID 1612 wrote to memory of 2716    1612  4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe    31
  PID 1612 wrote to memory of 2716    1612  4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe    31
  PID 1612 wrote to memory of 2716    1612  4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe    31
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe"
    PID: 1612
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\54yqlaai\54yqlaai.cmdline"
        PID: 1708
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1249.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F28A3BF3886438CB6FD7F406214ECB9.TMP"
            PID: 2656
    [2] C:\Users\Admin\AppData\Local\Temp\tmp1131.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1131.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
        PID: 2716
        - Deletes itself
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
  MD5: d51e021667c66e987040423d1a323eaa
  SHA1: 2e593d3a95589c71193a6c13de3d04011599843c
  SHA256: a32014e2ee3b74090d370e29ff2a27285ca6e029120f1342d2103e7a58fe3eb4
  SHA512: da888478ac388593d6d5c0fa6af90f37383cd60409465d8caed3c5700847c9b740f1458f13b2d249b609628be4e74c299237f8b7c5bd474569f08805a07ba393
Filesize: 273B
  MD5: 6c268f6bebe2afcd98979fc981a87e1f
  SHA1: 92b75d430815f26d427e3a1f47b8b455166a8f31
  SHA256: 89bd2cd1d58f99e257244252c3ba01a6cfae29025aad4092a577badf9c8e01fd
  SHA512: 3aff0051d773e2cdc23662ad43ff8f7c87d9daf399bab40821a997939c3ca2aa1d1d4af138330d816db95a65bd000c12b57d41ae2c95c35e6645136eb303eac2
Filesize: 2KB
  MD5: f27d1542bb431d61eea6e879c70412e9
  SHA1: 7a5c90bdf70af80cba2045dc69b5cc3f1383342b
  SHA256: ab72fd8e748d7695ce30527b1b441d822453bf71b668ecc757814eaa6698d10d
  SHA512: 7145f95853e96d588b8479344a4b2ce1546fa4b11647efdaf7c6d12a71d1b494425ec23e904db5eed25ff6055ec89107dd7eeab1406e0fd1c172c5c35d68a7a9
Filesize: 1KB
  MD5: be3b76a91e5f97f4b6edc03bc4054c1d
  SHA1: 657393e654ee0858e836bddc4f5fde0095e01f79
  SHA256: 9c6a08e65378e505b69cd4404dbd4c7011576fe7c328317fc9b68562d0cc2085
  SHA512: 125056a5faa61fa732c5094d919aeb57afa541dfd86b790ce00c6aab3f9413bb9cf2c1cd8947a693f6a072292252307ac95478c2d4277054dfc507cc17a74617
Filesize: 12KB
  MD5: 4f3ffd6935c5b1b1d5900c840871856f
  SHA1: 83d708f28814d6207b27a0c0e7ab2c63eb7345eb
  SHA256: 31c781ef4b45514a254488d47895c315b40cf380de5b25478aa5d69ecaff3e4c
  SHA512: e12fa99c4317a17f7a10f1f127fefc7b64736011df1b8421501cc200a27b516baf10ce747acb936af31171230e6189adfcb602355eb1cd09c46b8079fa07ff23
Filesize: 1KB
  MD5: aefd287c0630750d141bd8836436182d
  SHA1: 991156604154994dfdc95e7cfff34231b4e30e78
  SHA256: 1477b5dd4b0b760ade1f9398e47a1d789ece91b57dead111451bf4892a5329c1
  SHA512: 29682a61af0d61ce1bd2fe5340010c2fedb0d0a53cec7e107ff350608adf385a3593707411b6bf88d1c56d90508bc61d8405aaf29c68c8d674e36e10561a752c