Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 07/06/2024, 03:14
Static task: static1
Behavioral task: behavioral1
  Sample: fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe
  Resource: win10v2004-20240508-en
General
Target: fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe
Size: 633KB
MD5: a04b2a0df1ed1d4d23b5f511b05db42c
SHA1: 3564d3ebe7861d9d6be4be7945577669548832f5
SHA256: fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509
SHA512: 7d5b5bc9e59473b010c4e86d7439a50ddc2688e30c5005c09f42e4d2825e373a6e565824f1cb94b98b1106a78746fe9ade57485c77aa890296f84528553eaeee
SSDEEP: 12288:5gWUQKFHJW2PnAbDKZXVrsa238hsSGL1b+AiqYNC+gwoFuJ5QPPbwHo:1Kxw2IXWFrsaJhsSGLJ+pNf9osQPb
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell and hide display window.
  pid 3040  process powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 3040  process powershell.exe
  pid 2448  process wab.exe

Suspicious use of SetThreadContext (1 IoCs)
  description: PID 3040 set thread context of 2448  pid 3040  process powershell.exe  procid_target 32

Drops file in Program Files directory (1 IoCs)
  description: File opened for modification  ioc C:\Program Files (x86)\Kakerlaks185\Elmes.Und  process fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe

Drops file in Windows directory (2 IoCs)
  description: File created  ioc C:\Windows\resoprejsnings.lnk  process fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe
  description: File opened for modification  ioc C:\Windows\resoprejsnings.lnk  process fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 3040  process powershell.exe (8 occurrences)

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid 3040  process powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege  pid 3040  process powershell.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   process                                                                       procid_target
  PID 2272 wrote to memory of 3040   2272  fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe  28
  PID 2272 wrote to memory of 3040   2272  fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe  28
  PID 2272 wrote to memory of 3040   2272  fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe  28
  PID 2272 wrote to memory of 3040   2272  fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe  28
  PID 3040 wrote to memory of 2988   3040  powershell.exe                                                                30
  PID 3040 wrote to memory of 2988   3040  powershell.exe                                                                30
  PID 3040 wrote to memory of 2988   3040  powershell.exe                                                                30
  PID 3040 wrote to memory of 2988   3040  powershell.exe                                                                30
  PID 3040 wrote to memory of 2448   3040  powershell.exe                                                                32
  PID 3040 wrote to memory of 2448   3040  powershell.exe                                                                32
  PID 3040 wrote to memory of 2448   3040  powershell.exe                                                                32
  PID 3040 wrote to memory of 2448   3040  powershell.exe                                                                32
  PID 3040 wrote to memory of 2448   3040  powershell.exe                                                                32
  PID 3040 wrote to memory of 2448   3040  powershell.exe                                                                32
Processes

C:\Users\Admin\AppData\Local\Temp\fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fd115e2d35992b59fb62f89b59437b5284a4d9fcb3fc0974c1dd6b56b37de509.exe"
  PID: 2272
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" -windowstyle hidden "$Unrayed=Get-Content 'C:\Users\Admin\AppData\Local\Bimorphs\Shinbones.Kon';$Attempted=$Unrayed.SubString(54759,3);.$Attempted($Unrayed)"
    PID: 3040
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
      PID: 2988

    C:\Program Files (x86)\windows mail\wab.exe
      command line: "C:\Program Files (x86)\windows mail\wab.exe"
      PID: 2448
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 319KB
MD5: 81f4f1bb6727f15e82a8bd655cd8670f
SHA1: 8f3b77dcb78b9b7e1050d1e1e111e26d054a9eb8
SHA256: d93ca1e8f05b6ea4316659e902ad2160afe6960c77b4e36ddb3f014f2f7581a9
SHA512: 788d553fe9fdfc75421c535909b7d92ef82e5ad11a8d8ad191b49bfd2dc8495cfb8b4a64bb4fcd5ff6db9287401c3217414935827af0f435fabf64e7a7c71cfb

Filesize: 53KB
MD5: 7fe78c8e195c13415ae96f23aa32de30
SHA1: b00ab0693d30fa8ec4bff5b22abedf70321846b7
SHA256: e7a7c1f2116f79cbffd03b093a32b4c474bb823c47eba8ee9ecfda17b4bb238e
SHA512: 8324f1cee46921ba976396baa77e216d0155741561f67a4c3bc385df29667f56f15dc992e25f25044a1764811b1ca455ebcfb11f4dcd0d36fc5b803db0acb015