Resubmissions
- 12/07/2024, 12:36 240712-psxkvstdpp (score 7)
- 12/07/2024, 12:34 240712-prwl6stdlk (score 7)
- 12/07/2024, 12:32 240712-pqzmfawblh (score 3)
Analysis
- max time kernel: 23s
- max time network: 22s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12/07/2024, 12:34
Static task: static1
Behavioral task: behavioral1
Sample: aaa.exe
Resource: win11-20240709-en
General
- Target: aaa.exe
- Size: 15.6MB
- MD5: 96ed2160da5a5899a938933d81254e61
- SHA1: ea17be355dc518ada8409d72530f3f6b022e064e
- SHA256: 1523f8d4a130014212eb78c91baf6bd6ff8fa12f3722845c5f573111e1270a38
- SHA512: d2a5f1fc2f719a889711900c30ed4638e80d1a486596251c4685852f609f2e39b0bd06fd8e5bd7eb678a702018675442248b413c0bf4c3171d60f61f14f52b50
- SSDEEP: 393216:NSEFPSFNNcBMFtS9yxHqfp+YcYVJKClpYkkA/MBzcFRf1/iI:NSEFawMi9yxKfY3uJrpYkfUBzcFRfB
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid 1428 client v2.exe
- Loads dropped DLL (23 IoCs)
  pid 1428 client v2.exe (23 entries)
- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
  pid 2268 aaa.exe (1 entry); pid 1428 client v2.exe (63 entries)
- Command and Scripting Interpreter: PowerShell
  pid 1896 powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2268 aaa.exe (4 entries); pid 1428 client v2.exe (60 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 1896 powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2268 aaa.exe wrote to memory of 1428 (procid_target 84), 2 entries
  PID 1428 client v2.exe wrote to memory of 2096 (procid_target 85), 2 entries
  PID 1428 client v2.exe wrote to memory of 3592 (procid_target 86), 2 entries
  PID 1428 client v2.exe wrote to memory of 1896 (procid_target 91), 2 entries
Processes
[1] C:\Users\Admin\AppData\Local\Temp\aaa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aaa.exe"
    PID: 2268
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\onefile_2268_133652612747635145\client v2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\aaa.exe"
        PID: 1428
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c cls
            PID: 2096
        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c title NEON ローダー
            PID: 3592
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell.exe -ExecutionPolicy Bypass -Command " [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] > $null [Windows.UI.Notifications.ToastNotification, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null [Windows.Data.Xml.Dom.XmlDocument, Windows.Data.Xml.Dom.XmlDocument, ContentType = WindowsRuntime] | Out-Null $Template = @\" <toast duration=\"short\"> <visual> <binding template=\"ToastImageAndText02\"> <image id=\"1\" src=\"C:\Users\Admin\AppData\Local\Temp/icon.ico\" /> <text id=\"1\"><![CDATA[ソフトの終了]]></text> <text id=\"2\"><![CDATA[ソフトが終了しました]]></text> </binding> </visual> <actions> </actions> <audio src=\"ms-winsoundevent:Notification.Default\" loop=\"false\" /> </toast> \"@ $SerializedXml = New-Object Windows.Data.Xml.Dom.XmlDocument $SerializedXml.LoadXml($Template) $Toast = [Windows.UI.Notifications.ToastNotification]::new($SerializedXml) $Toast.Tag = \"ソフトの終了\" $Toast.Group = \"CARVS\" $Notifier = [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier(\"CARVS\") $Notifier.Show($Toast); "
            PID: 1896
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads