Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
09/06/2024, 00:20
Static task
static1
Behavioral task
behavioral1
Sample
5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
Resource
win10v2004-20240426-en
General
-
Target
5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
-
Size
12KB
-
MD5
ee9e7173cbacb0a1e820d2a96887fa2a
-
SHA1
70253a73f5f84eec8d0c69989864a275157a5dd7
-
SHA256
5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987
-
SHA512
8c5761d23978e9ec15e0c5e07b872187ed3ca3a371706d607fac7bd7ad9f0d3058f772e8dcad67e4662e68f61c1b607963d264ae6f851e00d24563ad0ecb73bf
-
SSDEEP
384:XL7li/2zjq2DcEQvdhcJKLTp/NK9xaO9:bfM/Q9cO9
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid: 2284, Process: tmp2B55.tmp.exe
-
Executes dropped EXE 1 IoCs
pid: 2284, Process: tmp2B55.tmp.exe
-
Loads dropped DLL 1 IoCs
pid: 3056, Process: 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege, pid: 3056, Process: 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description / pid / Process / procid_target
PID 3056 wrote to memory of 2420 / 3056 / 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe / 28
PID 3056 wrote to memory of 2420 / 3056 / 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe / 28
PID 3056 wrote to memory of 2420 / 3056 / 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe / 28
PID 3056 wrote to memory of 2420 / 3056 / 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe / 28
PID 2420 wrote to memory of 2292 / 2420 / vbc.exe / 30
PID 2420 wrote to memory of 2292 / 2420 / vbc.exe / 30
PID 2420 wrote to memory of 2292 / 2420 / vbc.exe / 30
PID 2420 wrote to memory of 2292 / 2420 / vbc.exe / 30
PID 3056 wrote to memory of 2284 / 3056 / 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe / 31
PID 3056 wrote to memory of 2284 / 3056 / 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe / 31
PID 3056 wrote to memory of 2284 / 3056 / 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe / 31
PID 3056 wrote to memory of 2284 / 3056 / 5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe / 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe" (depth 1)
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k4gmkj23\k4gmkj23.cmdline" (depth 2)
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CEA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc46E603EC33A43DB85E6C848E5BE132.TMP" (depth 3)
PID:2292
C:\Users\Admin\AppData\Local\Temp\tmp2B55.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2B55.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe (depth 2)
- Deletes itself
- Executes dropped EXE
PID:2284
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5 dab2d3f0b446f5f2183a7b66f47cbdca
SHA1 d3936012c41881c1030b2ad42f5b4daf7c5ba53c
SHA256 43a3681e0d1949ec22d0c4106abf8d63cdc56708ab3b384e0d8952af81de7b42
SHA512 4068171e497d166adea5d6b318edc73bf0a5fcff7be3bd2a18311ec40d6f5ec925cf71c54ba41122e7daab58eddc737f1c7192b32d19d3c31c714b92895c5898
-
Filesize
1KB
MD5 2429d366201c23cf312bbadf7b18cce4
SHA1 62771710c0da13d594b327dcfde817646fd56d68
SHA256 2e90c00b589e8f6888020588e9590a0d68196930350581e03f2db9596c1150c9
SHA512 3cb4ea7fb49c089ed7b4216d1300d9ed17e07535ac533bf03d299e78c989cca10f1d9fb6559ce95827c2abd61e066a79e6e59f48744f00a863500692b0b3ed9b
-
Filesize
2KB
MD5 3a4a87a06e55d550d8a06d95c989cb80
SHA1 7c7a08c1b18acc15a15aae87099887d0db34e6c5
SHA256 29520876e38d757e286ee4b07a25b1dcf52f6f9c8a4574067a9ea7bab16c7d4f
SHA512 8d219624d9009d3d59c4efb07a9d18ea9194825c56e457ba5ee6ac513f13f30d3f8ccfb86d5ed60abe381e47a5c5af7656cdf64f4117482da083a0f2fd3865f0
-
Filesize
273B
MD5 244ce0b1a783d469737c8b724fb33f4e
SHA1 8ce086b8a1cde4e36defa528b9a4ac164c7ed919
SHA256 a794ff262786468bdb41e12ff98d5e0d79c2caaae235e60f235ce03d44447c46
SHA512 0616eceb4279d422e807079d6cad68d68f2567190df7d9498bafe618c9d0ba539d2068e032db26fca2669d29a3fe4f9719a9c47c484a3bcfae582cfab5da357e
-
Filesize
12KB
MD5 86fa8ae968cf3f2b980d5b87c3e01255
SHA1 3af95b9f9037e727f7d50c56e0c295c75057dce6
SHA256 930b6b135a8dd33f85f1249802e287f8d766ae089d09908447d9f187bc328773
SHA512 ad4888b52b9adb26b1936d2239ee023b99b4638081e7f7eceb359ff2490f2197416d7b2e595f35918cfbd4f675a456cfee651de27b96912c7ba6737f4efca0cb
-
Filesize
1KB
MD5 b894df7c8173d15df80d598828c472e6
SHA1 cb446fb34cd0a40c4f8bc6393482885248540197
SHA256 62ddddc4bc516e8be2634bb43e97d60a119f483cb5ecbaa9942a0a7188d42ad4
SHA512 299bce5a066c757a19c4dbaf56d08bb6c2aeed384084f4495a7dc52ebd6b7e67d2883c0a87540aae213c5a69c2cc8a56fb817f56b2e8d0af645bba62fd0113dc