Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 05/07/2024, 16:41
Static task
- static1
Behavioral tasks (sample, resource)
- behavioral1: 49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a.exe, win7-20240705-en
- behavioral2: 49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a.exe, win10v2004-20240704-en
- behavioral3: $PLUGINSDIR/BgImage.dll, win7-20240704-en
- behavioral4: $PLUGINSDIR/BgImage.dll, win10v2004-20240704-en
- behavioral5: $PLUGINSDIR/UserInfo.dll, win7-20240221-en
- behavioral6: $PLUGINSDIR/UserInfo.dll, win10v2004-20240704-en
- behavioral7: $PLUGINSDIR/nsDialogs.dll, win7-20240704-en
- behavioral8: $PLUGINSDIR/nsDialogs.dll, win10v2004-20240704-en
- behavioral9: $PLUGINSDIR/nsExec.dll, win7-20240704-en
- behavioral10: $PLUGINSDIR/nsExec.dll, win10v2004-20240704-en
General
- Target: 49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a.exe
- Size: 473KB
- MD5: 33bc360990c66beea144ae48d17504a6
- SHA1: 7dfb4c70ef7d73c8618ce8799d414ba3c3fe9684
- SHA256: 49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a
- SHA512: a83b83ff3c462d39351553372055e0c16d98c8cfe3083c6958b631861575901cf68925d6a7dadab68f3c78deb59bab7d3d7541946f6e6b69073a5007fd3af1dd
- SSDEEP: 12288:TKYi/Le1bRNn/XoeBKk3nM40FC8/1YnrfY2:OFDe111/XlBLv0FCOcrfY2
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
  pid 884  powershell.exe
- Loads dropped DLL (5 IoCs)
  pid 2204  49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a.exe (3 rows)
  pid 884   powershell.exe
  pid 1272  Slringsnettets.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 3  drive.google.com
  flow 5  drive.google.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 884   powershell.exe
  pid 1272  Slringsnettets.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid  Process         procid_target
  PID 884 set thread context of 1272   884  powershell.exe  34
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x002e000000015d72-196.dat  nsis_installer_1
  behavioral1/files/0x002e000000015d72-196.dat  nsis_installer_2
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 884  powershell.exe (8 rows)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid 884  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid  Process
  Token: SeDebugPrivilege  884  powershell.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 2204 wrote to memory of 884   2204  49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a.exe  30 (4 rows)
  PID 884 wrote to memory of 1272   884   powershell.exe                                                            34 (6 rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\49274bd66a4d53ca004a0a58c15496292a323f229b9712e5f3994af5c307bc0a.exe"
   PID: 2204
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -windowstyle hidden "$Superintendency=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Servicebureauet\aloe\Reshipment.Bag';$Fjernskrivendes=$Superintendency.SubString(1030,3);.$Fjernskrivendes($Superintendency)"
      PID: 884
      - Command and Scripting Interpreter: PowerShell
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Slringsnettets.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Slringsnettets.exe"
         PID: 1272
         - Loads dropped DLL
         - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads