Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 27/07/2024, 06:05
Static task: static1
Behavioral task: behavioral1
- Sample: f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe
- Resource: win7-20240708-en
General
- Target: f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe
- Size: 1.2MB
- MD5: a4c6a296a5b55a2858c0343d2c44490b
- SHA1: 01c57919f82cf0ec9683540735141302032ac070
- SHA256: f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4
- SHA512: 0bd26eb1250c24b3b0ea5938c17d71dcf9b7467fc85588e8b13978e8d06aaa6e34dd276ebb67c4455e2a8db4458d487c8bde54c7a0cf4bed2e54a323194ef13f
- SSDEEP: 24576:PZbqxGFMhCGa7cQPHpk060aci6V20XH83oD1dEUu28KkzFu7biF8:RbqxGFMhCGa7cQkJciMvMXLFgbi2
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
  pid 2900  powershell.exe
- Loads dropped DLL (2 IoCs)
  pid 2900  powershell.exe
  pid 2812  Skankemageren.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%sekundrfilens% -windowstyle minimized $Seismologue=(Get-ItemProperty -Path 'HKCU:\\Ceration48\\').Openheartedness0;%sekundrfilens% ($Seismologue)"  (reg.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 2900  powershell.exe
  pid 2812  Skankemageren.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 2900 set thread context of 2812  (pid 2900, powershell.exe, procid_target 34)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of: cmd.exe, reg.exe, f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe, powershell.exe, Skankemageren.exe
- Modifies registry key (1 TTPs, 1 IoCs)
  pid 2416  reg.exe
- Modifies system certificate store
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  (Skankemageren.exe)
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <certificate blob omitted>  (Skankemageren.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 2900  powershell.exe  (8 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid 2900  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege  pid 2900  powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2876 wrote to memory of 2900  (f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe, procid_target 30)  x4
  PID 2900 wrote to memory of 2812  (powershell.exe, procid_target 34)  x6
  PID 2812 wrote to memory of 2052  (Skankemageren.exe, procid_target 35)  x4
  PID 2052 wrote to memory of 2416  (cmd.exe, procid_target 37)  x4
Processes
1. C:\Users\Admin\AppData\Local\Temp\f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe  (PID 2876)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2900)
      Command line: "powershell.exe" -windowstyle hidden "$galdens=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Labourhoods.Mas';$beboerhusene=$galdens.SubString(2416,3);.$beboerhusene($galdens)"
      - Command and Scripting Interpreter: PowerShell
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Skankemageren.exe  (PID 2812)
         Command line: "C:\Users\Admin\AppData\Local\Temp\Skankemageren.exe"
         - Loads dropped DLL
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - System Location Discovery: System Language Discovery
         - Modifies system certificate store
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe  (PID 2052)
            Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%sekundrfilens% -windowstyle minimized $Seismologue=(Get-ItemProperty -Path 'HKCU:\Ceration48\').Openheartedness0;%sekundrfilens% ($Seismologue)"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\reg.exe  (PID 2416)
               Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%sekundrfilens% -windowstyle minimized $Seismologue=(Get-ItemProperty -Path 'HKCU:\Ceration48\').Openheartedness0;%sekundrfilens% ($Seismologue)"
               - Adds Run key to start application
               - System Location Discovery: System Language Discovery
               - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Modify Registry (3)
  - Subvert Trust Controls (1): Install Root Certificate (1)
Downloads
- Filesize: 51KB
  MD5: edef981795fb6272025d069c64f98d9e
  SHA1: 665b7096bbd7c215bcf9c22e08e4148ae1eb7f9d
  SHA256: f3b691cb8a7d661732bdd82f35cbe5cc2ed99fedc6992646803e871d221e9e37
  SHA512: eff41508448d5949e79a3fa951006d28fe822364a72029f59e5f493cd9c59252dc02116c4777aeb5a2e389c075c43651e6198b713239f69f692c89aaa7ade583
- Filesize: 342KB
  MD5: b75ebbcb5d2f614b0a9e050c93cdb838
  SHA1: 0ca8fd75e51890798ae01761532627d46c89ddd5
  SHA256: 08ddca57d81a3aa14a1ec07e0beede85bfb8104014d67cc8a2332be5a091abcb
  SHA512: 76fb2fde501d5d89edf279796f0ae6ef8f88dd42e07e759614f49008a46639ad848df3db5acc4e9ebd2002a7e02b6303935871a0d66f351d293229ecb4ab5371
- Filesize: 1.2MB
  MD5: a4c6a296a5b55a2858c0343d2c44490b
  SHA1: 01c57919f82cf0ec9683540735141302032ac070
  SHA256: f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4
  SHA512: 0bd26eb1250c24b3b0ea5938c17d71dcf9b7467fc85588e8b13978e8d06aaa6e34dd276ebb67c4455e2a8db4458d487c8bde54c7a0cf4bed2e54a323194ef13f