Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240221-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    08/06/2024, 11:45

General

  • Target

    virussign.com_127b09e4113d207b9e5edfac515028e0.exe

  • Size

    12KB

  • MD5

    127b09e4113d207b9e5edfac515028e0

  • SHA1

    370f3b990b119ea9f114485015953eee2c70e53d

  • SHA256

    3cb5ea28d34556fc91bf400ca39dde6a8266fb8bcf937ef0b05c991c94135d5a

  • SHA512

    916bccff48dc8ad426a2fefb9fc9ec91a275881ad35b984dfa3024582d5edad08d1fd2d35222bc34a33655fe5c93fa0b71d6f2b2962cd6966c9e26f4fe4d914b

  • SSDEEP

    384:VL7li/2zjq2DcEQvdhcJKLTp/NK9xa3w:1HM/Q9c3w

Score
7/10

Malware Config

Signatures

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Uses the VBS compiler for execution (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe
    "C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kygpemsn\kygpemsn.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8343.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc366E6519CC804131BAB045DCAF80FC6F.TMP"
        3⤵
        PID:2860
      • C:\Users\Admin\AppData\Local\Temp\tmp7E84.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp7E84.tmp.exe" C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2524

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources

      Filesize

      2KB

      MD5

      9b8443147e8d95a0a121a01da595b279

      SHA1

      b403e94aa353063b69a27f5b8b0ef830ea5c1a7a

      SHA256

      49ea19de0bb3fef9b3266c5bc285f7256bed503b26b9aa426165a93bce43fe42

      SHA512

      4f9f5189f1e491621f5ae45aa693d429e833254f622d9ef9ba85b8c0bfabffc49294b09b77bd24ddbd09634c687e3dc69cd35886d9adde4d4d899849887f8bd9

    • C:\Users\Admin\AppData\Local\Temp\RES8343.tmp

      Filesize

      1KB

      MD5

      f756b742dde1b0e0c5c60ced40a071f7

      SHA1

      42d76b4a6d2bd0fcdd3c2c68568bef24c9a80191

      SHA256

      cdc577d1b4f3b9868f1a6b5ded0cbffdd6e31e1b44430879d4ec1b5a90472f58

      SHA512

      77bbd9fdb42d42743c2ba947963f68d0cbb79cd8a8160cea3a3357328b0245833a771e3c3d6a13c93db089a78279cf9430a043bca4ee1a2939e58b1ca74ed15f

    • C:\Users\Admin\AppData\Local\Temp\kygpemsn\kygpemsn.0.vb

      Filesize

      2KB

      MD5

      0ef9421226eca9b3e480854fc6db0bc2

      SHA1

      ff2fd160a610897c24fea1a6f66a95cf98ee4364

      SHA256

      51dee201ac3a8fd7d32897d8c329c85901e8a73fd8affff1ac39a969079ece9e

      SHA512

      c2407d560f7f447c19952aa456341f9606b7396bcd5ad003517c4d6d3f92675b681c574557b27be6d5f29b3f6f33262551f32044d5605f1b63152bdf74d9278e

    • C:\Users\Admin\AppData\Local\Temp\kygpemsn\kygpemsn.cmdline

      Filesize

      273B

      MD5

      d7437a48fd01630ae5a41d8efa061373

      SHA1

      2120aa3a5d1a67e32952f81b3868e20d9d1faaa3

      SHA256

      6ed5f506921539fb88aa8a6604b93162f8ec12fea6a4cec92e2dab79d0c5cafe

      SHA512

      2f1eaad7cf397618b78827adb28c971639651d37a8559d493959674ba684436b4e28a8c911120bc2c6b0ea83e97e0f37f378ed209512798cf5a1dbfa62d56357

    • C:\Users\Admin\AppData\Local\Temp\tmp7E84.tmp.exe

      Filesize

      12KB

      MD5

      726d491b986c089f2135650af3250d4a

      SHA1

      f0052d3557b75fc5b381dd233e1262d2f41fce80

      SHA256

      f4e7c41be58374db96ec98652dc30862c2bb7ed33249916c3821779225316166

      SHA512

      38292c0fbd844d54ff1c53bd029374f03934584312ecb3b7d9ee38ae83544cd52132faf7d5e4a0fe5259cfb8257f100afa6d8d7b90049b54f12ed3efca609053

    • C:\Users\Admin\AppData\Local\Temp\vbc366E6519CC804131BAB045DCAF80FC6F.TMP

      Filesize

      1KB

      MD5

      cd99577372ee053065843fbb758b53e1

      SHA1

      247d750c3fe01c0d53f73806ef37e2dcf687a49b

      SHA256

      3e9be4b26add59c0f1fe788517751f3aa2f1a0f497fd2a6e932b20e6bc2bfeae

      SHA512

      3d5b2bef0884959a03eca034a8d07fd92feeca66e2b9f612dcbe32bd5c8eddf45fc4f13ada80565934606c230b569d2c97104e488b13407f896783902c41eabe

    • memory/2020-0-0x00000000745CE000-0x00000000745CF000-memory.dmp

      Filesize

      4KB

    • memory/2020-1-0x0000000001150000-0x000000000115A000-memory.dmp

      Filesize

      40KB

    • memory/2020-6-0x00000000745C0000-0x0000000074CAE000-memory.dmp

      Filesize

      6.9MB

    • memory/2020-24-0x00000000745C0000-0x0000000074CAE000-memory.dmp

      Filesize

      6.9MB

    • memory/2524-23-0x0000000001030000-0x000000000103A000-memory.dmp

      Filesize

      40KB