Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 09/06/2024, 07:02
Static task: static1
Behavioral task: behavioral1
  Sample: b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
  Resource: win10v2004-20240226-en
General
Target: b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
Size: 12KB
MD5: 7806a8806149ee00b896686c0f679b50
SHA1: 6e8f67ebb0b728c46dcbf9e758e0a3824b3d658c
SHA256: b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69
SHA512: 2686af62d3a767323642e11d7c2edcc1861bbb9c30de6a6b4a42e88f1572ffc81dfb36967bd9f9fb1858452f726853ef4cc8a09422caf0b0fce3be0b433b1796
SSDEEP: 384:+L7li/2zHq2DcEQvdhcJKLTp/NK9xaJ4:oLM/Q9cJ4
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 2820, process tmp28C6.tmp.exe
Executes dropped EXE (1 IoCs)
  pid 2820, process tmp28C6.tmp.exe
Loads dropped DLL (1 IoCs)
  pid 2992, process b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
Uses the VBS compiler for execution (1 TTPs)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid 2992, process b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | procid_target
  PID 2992 wrote to memory of 2064 | 2992 | b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe | 28
  PID 2992 wrote to memory of 2064 | 2992 | b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe | 28
  PID 2992 wrote to memory of 2064 | 2992 | b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe | 28
  PID 2992 wrote to memory of 2064 | 2992 | b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe | 28
  PID 2064 wrote to memory of 2656 | 2064 | vbc.exe | 30
  PID 2064 wrote to memory of 2656 | 2064 | vbc.exe | 30
  PID 2064 wrote to memory of 2656 | 2064 | vbc.exe | 30
  PID 2064 wrote to memory of 2656 | 2064 | vbc.exe | 30
  PID 2992 wrote to memory of 2820 | 2992 | b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe | 31
  PID 2992 wrote to memory of 2820 | 2992 | b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe | 31
  PID 2992 wrote to memory of 2820 | 2992 | b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe | 31
  PID 2992 wrote to memory of 2820 | 2992 | b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe"
   PID: 2992
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bpjzv0qx\bpjzv0qx.cmdline"
      PID: 2064
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C2689D24295478997323D83C82CA3.TMP"
         PID: 2656
   2. C:\Users\Admin\AppData\Local\Temp\tmp28C6.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp28C6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
      PID: 2820
      - Deletes itself
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads