Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/08/2024, 01:37

General

  • Target

    27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe

  • Size

    2.8MB

  • MD5

    801d390b7b0ca5d3416d439b1be79851

  • SHA1

    5efad1401b5f58d4c4d78d5a9bc502fe8a236d0b

  • SHA256

    27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46

  • SHA512

    a898e176b0443fbe824ecada1113d889405f8801db982fb2d95001b39d03d5f392b39cc9312d08f0c93fea91ea18c7817bb1b0460199e66fc99dfae5507c739c

  • SSDEEP

    49152:9ILoHVHpGzM3pnvGX/KCYkWHGjkf8dE+EP59OQYmzG9jEaPjD:9nVH4zM3hvmBYkWHlUm+E37zvaPjD

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe
    "C:\Users\Admin\AppData\Local\Temp\27572b4d51bc7242810da8a05553a52ab8c4378dc4f4b80a471dffba9aad1a46.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\AppData\Local\Temp\processlasso.exe
        /postupdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C9BD5196-B74F-4246-99A1-1BD9BEA3068F} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
      C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

    Filesize

    471KB

    MD5

    96bd05626377cce20ee7e2df1437dae8

    SHA1

    1833e1d76692945cadd5a5698442b130a9ea8da1

    SHA256

    dc6b6a2533ae8e0dfd7b2ae74543930d37510fae7650ecf7395003729e574ab0

    SHA512

    6155670ef2f5eecd24e1fba8d0dc25f0692345c098927a16771eb22df89df6757871816c5c73086b6b638f15beab78af5bc2c610eaddf2ee58e20788e0505d53

  • C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

    Filesize

    1.9MB

    MD5

    585ce7942546e10d1b97c764f84117af

    SHA1

    2741fe86935554dde6ab62e9a3365a6c0b7b28db

    SHA256

    a03b63926a6e07486a5f0151a3a9f8d361e639b56c6f4565abb55393267598c1

    SHA512

    d789369a5adba5717ccf0575c194b011a5e5aa6449341927c0dc39d4c76d29f270425f0372ba5f87c5e0d01d1e2bf1288f1f91456b9154945d648ca67367f43f

  • \Users\Admin\AppData\Local\Temp\PostUpdate.exe

    Filesize

    663KB

    MD5

    5000a2d42cca6a1bdf9ffb8aa1cb822d

    SHA1

    1e4a93aa5b3575758d5e846ba5b1acc92f565743

    SHA256

    605483056176f734a41450310d310d9f8c0a73c804ed43704e24de281529ef42

    SHA512

    409d43c8f3012dad35c2d199f74ddb6c1b4969ab1217c5d6b8a4a91ba2824602472855c24f9d3182eee696beab37087cc8d7a55f6da460c4bc39505b85fef70b

  • \Users\Admin\AppData\Local\Temp\ProcessLasso.exe

    Filesize

    1.8MB

    MD5

    3d9da88f8becb31da8e56fdeab9a8fe8

    SHA1

    325285a54a0383df37fde85412e1795875563de5

    SHA256

    8b0cc8d11d271317701345ac352f161ad5f6034ab33f1f013a018695e53c269d

    SHA512

    9b79ca8b35af0ba1f86398cae5533e361be5ea554eb18e570c29680599d98ec9bd44b3f6a47336fe2204e0d9229704f9b5a420f58e952989e1c3c0e05fe1eaae

  • \Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

    Filesize

    177KB

    MD5

    49bdbe44059c0418f5cdc2276f8525fe

    SHA1

    f6f571cb3e0f3d3a8722038221166546165517b0

    SHA256

    c1872a10303a9403059bccdd70265c6dcc09a71cdc7592715bb5042a5095c579

    SHA512

    ebaf1d0a3c3c6b3c8a9030bb49b23ce043604c339b98743291d886b8da92a48038bd28a2c91e5285c1220554d49386e5f9dee73bf0902ce9396bb13f1ed92bd8