Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 14/08/2024, 01:37
Static task: static1
Behavioral task: behavioral1
- Sample: 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe
- Resource: win10v2004-20240802-en
General
- Target: 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe
- Size: 2.8MB
- MD5: 801d390b7b0ca5d3416d439b1be79851
- SHA1: 5efad1401b5f58d4c4d78d5a9bc502fe8a236d0b
- SHA256: 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46
- SHA512: a898e176b0443fbe824ecada1113d889405f8801db982fb2d95001b39d03d5f392b39cc9312d08f0c93fea91ea18c7817bb1b0460199e66fc99dfae5507c739c
- SSDEEP: 49152:9ILoHVHpGzM3pnvGX/KCYkWHGjkf8dE+EP59OQYmzG9jEaPjD:9nVH4zM3hvmBYkWHlUm+E37zvaPjD
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  PID | Process
  3052 | PostUpdate.exe
  2796 | processlasso.exe
  1968 | bitsumsessionagent.exe
- Loads dropped DLL (6 IoCs)
  PID | Process
  2696 | 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe
  3052 | PostUpdate.exe
  3052 | PostUpdate.exe
  2772 | taskeng.exe
  2796 | processlasso.exe
  1180 | Process not Found
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | PostUpdate.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | processlasso.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | processlasso.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | PostUpdate.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID | Process
  1968 | bitsumsessionagent.exe
  2796 | processlasso.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Description | PID | Process
  Token: SeAssignPrimaryTokenPrivilege | 2796 | processlasso.exe
  Token: SeDebugPrivilege | 2796 | processlasso.exe
  Token: SeChangeNotifyPrivilege | 2796 | processlasso.exe
  Token: SeIncBasePriorityPrivilege | 2796 | processlasso.exe
  Token: SeIncreaseQuotaPrivilege | 2796 | processlasso.exe
  Token: SeCreateGlobalPrivilege | 2796 | processlasso.exe
  Token: SeProfSingleProcessPrivilege | 2796 | processlasso.exe
  Token: SeBackupPrivilege | 2796 | processlasso.exe
  Token: SeRestorePrivilege | 2796 | processlasso.exe
  Token: SeShutdownPrivilege | 2796 | processlasso.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Description | PID | Process | procid_target
  PID 2696 wrote to memory of 3052 | 2696 | 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe | 30
  PID 2696 wrote to memory of 3052 | 2696 | 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe | 30
  PID 2696 wrote to memory of 3052 | 2696 | 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe | 30
  PID 2696 wrote to memory of 3052 | 2696 | 27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe | 30
  PID 3052 wrote to memory of 2796 | 3052 | PostUpdate.exe | 33
  PID 3052 wrote to memory of 2796 | 3052 | PostUpdate.exe | 33
  PID 3052 wrote to memory of 2796 | 3052 | PostUpdate.exe | 33
  PID 2772 wrote to memory of 1968 | 2772 | taskeng.exe | 34
  PID 2772 wrote to memory of 1968 | 2772 | taskeng.exe | 34
  PID 2772 wrote to memory of 1968 | 2772 | taskeng.exe | 34
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe"
  PID: 2696
  Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  Child process:
    - C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
      PID: 3052
      Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious use of WriteProcessMemory
      Child process:
        - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
          Command line: /postupdate
          PID: 2796
          Signatures:
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {C9BD5196-B74F-4246-99A1-1BD9BEA3068F} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
  PID: 2772
  Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  Child process:
    - C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
      PID: 1968
      Signatures:
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 471KB
  MD5: 96bd05626377cce20ee7e2df1437dae8
  SHA1: 1833e1d76692945cadd5a5698442b130a9ea8da1
  SHA256: dc6b6a2533ae8e0dfd7b2ae74543930d37510fae7650ecf7395003729e574ab0
  SHA512: 6155670ef2f5eecd24e1fba8d0dc25f0692345c098927a16771eb22df89df6757871816c5c73086b6b638f15beab78af5bc2c610eaddf2ee58e20788e0505d53
- Filesize: 1.9MB
  MD5: 585ce7942546e10d1b97c764f84117af
  SHA1: 2741fe86935554dde6ab62e9a3365a6c0b7b28db
  SHA256: a03b63926a6e07486a5f0151a3a9f8d361e639b56c6f4565abb55393267598c1
  SHA512: d789369a5adba5717ccf0575c194b011a5e5aa6449341927c0dc39d4c76d29f270425f0372ba5f87c5e0d01d1e2bf1288f1f91456b9154945d648ca67367f43f
- Filesize: 663KB
  MD5: 5000a2d42cca6a1bdf9ffb8aa1cb822d
  SHA1: 1e4a93aa5b3575758d5e846ba5b1acc92f565743
  SHA256: 605483056176f734a41450310d310d9f8c0a73c804ed43704e24de281529ef42
  SHA512: 409d43c8f3012dad35c2d199f74ddb6c1b4969ab1217c5d6b8a4a91ba2824602472855c24f9d3182eee696beab37087cc8d7a55f6da460c4bc39505b85fef70b
- Filesize: 1.8MB
  MD5: 3d9da88f8becb31da8e56fdeab9a8fe8
  SHA1: 325285a54a0383df37fde85412e1795875563de5
  SHA256: 8b0cc8d11d271317701345ac352f161ad5f6034ab33f1f013a018695e53c269d
  SHA512: 9b79ca8b35af0ba1f86398cae5533e361be5ea554eb18e570c29680599d98ec9bd44b3f6a47336fe2204e0d9229704f9b5a420f58e952989e1c3c0e05fe1eaae
- Filesize: 177KB
  MD5: 49bdbe44059c0418f5cdc2276f8525fe
  SHA1: f6f571cb3e0f3d3a8722038221166546165517b0
  SHA256: c1872a10303a9403059bccdd70265c6dcc09a71cdc7592715bb5042a5095c579
  SHA512: ebaf1d0a3c3c6b3c8a9030bb49b23ce043604c339b98743291d886b8da92a48038bd28a2c91e5285c1220554d49386e5f9dee73bf0902ce9396bb13f1ed92bd8