Analysis

  • max time kernel
    145s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/09/2024, 10:48

General

  • Target

    7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe

  • Size

    530KB

  • MD5

    7d411a34136e88e95d155a5cad1fdb5a

  • SHA1

    9873390cb988aa07add91730944d717f4df32c68

  • SHA256

    7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10

  • SHA512

    3371b0fb4cd0332d3476f7083735552620179788091444c8f4cb17a03ee298b803d826ffa4b2383cbddf4b75a20570cc377210e427734e5c60b9c63ea686c8c6

  • SSDEEP

    12288:W3dPSj0k1KImtsjw/oB/Y6kjjWgTg27K57ZszDXTVBC5/q:W3ddWjcofTg82Es3TzC5i

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
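The PowerShell signature above corresponds to the command line listed under Processes: the script reads a dropped file (Clistothecium.Kub), cuts a three-character slice out of it at a fixed offset, and dot-invokes that slice as a command with the whole file content as its argument, so the actual command name never appears on the command line. The following is an added triage example, not code from tria.ge or from the sample, that extracts the file path, offset and variable names from such a command line and then shows how the slice resolves against file content. The file content used here is constructed (the real .Kub content is not on the page); the "iex" token placed at the reported offset is an assumption chosen only to demonstrate the mechanism, and the `SCRIPT`-style regexes and the 4-character threshold in `is_read_slice_invoke` are heuristics of this example.

```python
import re

# Constructed input: the powershell.exe command line from the Processes
# section of this report, reassembled as one string.
SAMPLE_CMDLINE = (
    '"powershell.exe" -windowstyle hidden '
    "\"$Beflyvningens=Get-Content 'C:\\Users\\Admin\\AppData\\Local\\Detenterne\\Clistothecium.Kub';"
    "$stvningsvarslers=$Beflyvningens.SubString(52071,3);"
    ".$stvningsvarslers($Beflyvningens)"
)

# powershell.exe accepts any unambiguous prefix of -WindowStyle (-w, -win, ...),
# so match on the prefix rather than the full parameter name.
HIDDEN_RE = re.compile(r"-w\w*\s+h(?:idden)?\b", re.I)
GET_CONTENT_RE = re.compile(r"Get-Content\s+'([^']+)'", re.I)
SUBSTRING_RE = re.compile(r"\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
# ".$name(" is the call operator applied to a command name held in a variable.
DOT_INVOKE_RE = re.compile(r"\.\$(\w+)\(\s*\$(\w+)\s*\)")


def parse_loader_cmdline(cmdline):
    """Pull the pieces of the read-slice-invoke pattern out of a command line."""
    result = {
        "hidden_window": bool(HIDDEN_RE.search(cmdline)),
        "source_file": None,
        "offset": None,
        "length": None,
        "invoked_var": None,
        "argument_var": None,
    }
    if m := GET_CONTENT_RE.search(cmdline):
        result["source_file"] = m.group(1)
    if m := SUBSTRING_RE.search(cmdline):
        result["offset"], result["length"] = int(m.group(1)), int(m.group(2))
    if m := DOT_INVOKE_RE.search(cmdline):
        result["invoked_var"], result["argument_var"] = m.group(1), m.group(2)
    return result


def is_read_slice_invoke(parsed):
    """True when a file is read, a short slice is cut from it, and that slice is
    used as the command that receives the file content as its argument.
    The 4-character bound is a heuristic of this example (command aliases are short)."""
    return (
        parsed["source_file"] is not None
        and parsed["length"] is not None
        and parsed["length"] <= 4
        and parsed["invoked_var"] is not None
    )


def dotnet_substring(text, start, length):
    """Mirror .NET String.Substring(startIndex, length), including the
    out-of-range failure when the slice runs past the end of the string."""
    if start < 0 or length < 0 or start + length > len(text):
        raise ValueError("Substring slice out of range")
    return text[start:start + length]


def resolve_invoked_command(content, parsed):
    """Given the file content, return the command name the loader would invoke."""
    return dotnet_substring(content, parsed["offset"], parsed["length"])


# Constructed stand-in for the dropped .Kub file (its real content is not on
# the page): filler up to the reported offset, then a three-character token.
# The "iex" token is an assumption used only to show how the slice resolves.
CONSTRUCTED_KUB = "A" * 52071 + "iex" + "B" * 16


if __name__ == "__main__":
    parsed = parse_loader_cmdline(SAMPLE_CMDLINE)
    print(parsed)
    print("read-slice-invoke pattern:", is_read_slice_invoke(parsed))
    print("invoked command:", resolve_invoked_command(CONSTRUCTED_KUB, parsed))
```

The offset is the useful pivot: if the dropped file is recovered from the sandbox, `dotnet_substring` at that offset tells you what is executed without running anything, and a short slice that lands on a 3-letter alias followed by a dot-invoke of a variable is a reliable hunting pattern in command-line telemetry regardless of the random variable names.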

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe
    "C:\Users\Admin\AppData\Local\Temp\7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Beflyvningens=Get-Content 'C:\Users\Admin\AppData\Local\Detenterne\Clistothecium.Kub';$stvningsvarslers=$Beflyvningens.SubString(52071,3);.$stvningsvarslers($Beflyvningens)
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2924
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 124
          4⤵
          • Program crash
          PID:2828
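Read together with the memory dumps listed under Downloads, this tree shows the classic injection shape: powershell.exe (PID 3028) carries the SetThreadContext, WriteProcessMemory and MapViewOfSection signals, its child is a legitimate Windows binary (wab.exe, PID 2924) that should have no reason to run here, and the only region dumped from that child is a 16.4MB block starting at 0x350000. The following is an added example, not tria.ge code, that parses the process tree and the memory-dump names from this report (both embedded here as constructed data copied from the page), recomputes the region sizes, and flags parent/child pairs matching that shape. The `SCRIPT_HOSTS` list, the "at least two of three API signals" rule and the 1 MiB region threshold are heuristics of this example.

```python
import re

# Constructed from the Processes section of this report (pid, parent, image, signatures).
PROCESSES = [
    {"pid": 2508, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe",
     "sigs": {"WriteProcessMemory"}},
    {"pid": 3028, "ppid": 2508,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "sigs": {"NtSetInformationThreadHideFromDebugger", "SetThreadContext",
              "EnumeratesProcesses", "MapViewOfSection", "AdjustPrivilegeToken",
              "WriteProcessMemory"}},
    {"pid": 2924, "ppid": 3028,
     "image": r"C:\Program Files (x86)\windows mail\wab.exe",
     "sigs": {"NtSetInformationThreadHideFromDebugger", "WriteProcessMemory"}},
    {"pid": 2828, "ppid": 2924,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "sigs": {"Program crash"}},
]

# Constructed from the Downloads section (a representative subset of the dump names).
MEMDUMPS = [
    "memory/2924-17-0x0000000000350000-0x00000000013B2000-memory.dmp",
    "memory/3028-8-0x0000000073C31000-0x0000000073C32000-memory.dmp",
    "memory/3028-10-0x0000000073C30000-0x00000000741DB000-memory.dmp",
    "memory/3028-15-0x00000000065B0000-0x000000000BBB3000-memory.dmp",
]

MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

# API-level signals that a hollowing-style injection leaves on the parent
# (heuristic of this example: require at least two of the three).
INJECTION_SIGS = {"WriteProcessMemory", "SetThreadContext", "MapViewOfSection"}
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def parse_memdump_name(name):
    """Split a tria.ge dump name into pid, index and address range."""
    m = MEMDUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": int(m.group(1)), "index": int(m.group(2)),
            "start": start, "end": end, "size": end - start}


def size_mb(nbytes):
    """Report sizes the way the page does: MiB rounded to one decimal."""
    return round(nbytes / (1024 * 1024), 1)


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(processes, pid):
    """Image basenames from the root of the tree down to pid."""
    by_pid = {p["pid"]: p for p in processes}
    chain = []
    while pid is not None:
        proc = by_pid[pid]
        chain.append(_basename(proc["image"]))
        pid = proc["ppid"]
    return chain[::-1]


def find_injection_candidates(processes, memdumps, min_region=1 << 20):
    """Flag (parent, child) pairs where a script host shows the injection API
    signals and a large region was dumped from its child."""
    regions = {}
    for name in memdumps:
        d = parse_memdump_name(name)
        regions.setdefault(d["pid"], []).append(d)
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for child in processes:
        parent = by_pid.get(child["ppid"])
        if parent is None or _basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        if len(parent["sigs"] & INJECTION_SIGS) < 2:
            continue
        big = [r for r in regions.get(child["pid"], []) if r["size"] >= min_region]
        if big:
            largest = max(big, key=lambda r: r["size"])
            findings.append({
                "parent": parent["pid"], "child": child["pid"],
                "child_image": child["image"],
                "region": f"0x{largest['start']:X}-0x{largest['end']:X}",
                "region_mb": size_mb(largest["size"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_injection_candidates(PROCESSES, MEMDUMPS):
        print(f"PID {f['parent']} -> PID {f['child']} ({f['child_image']}): "
              f"{f['region_mb']} MB dumped at {f['region']}")
    print("crash ancestry:", " > ".join(ancestry(PROCESSES, 2828)))
```

The recomputed sizes match the figures on the page (16.4MB, 5.7MB, 86.0MB), which confirms they are MiB. The 16.4MB region at 0x350000 in PID 2924 is the dump to pull first when looking for the injected payload; the WerFault.exe child shows that wab.exe crashed afterwards, so the final stage may not have run to completion in this sandbox session.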

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Detenterne\Clistothecium.Kub

    Filesize

    50KB

    MD5

    8a011580eb615d1188d53d7172459e29

    SHA1

    48e8d6b6c7c3aa9bb0fd9b1f4e063a169da7aa23

    SHA256

    fe0001d86026df15c1bd60689fe8b35bf9e0871a3aa3423d93643fb6ce02e133

    SHA512

    27085bddd4d1d9fcc0116b9ab1846628174c29d40191b9f884ff32f3a39cc8343f0e18796cfe842a06b56bae82191cbb096c3de13b142d21abb8cc5bf84f2aea

  • C:\Users\Admin\AppData\Local\Detenterne\Udsprngende.Fig

    Filesize

    338KB

    MD5

    0fa308be797fbe19198d485c4046a917

    SHA1

    5b8073846e431505cfcff5b43ac5e8e32aeaf7bb

    SHA256

    14e6ef457f06dc8ca9913a3dcf53eb761e6188ac6e2b37bd83804805e663a186

    SHA512

    378702b2f27bb1055028521598c0d74d841ff9ed00c058807edf8daae2d39e3481bd46966d8fd7f4b00befc17c9360a68eb152161f39ab0d612442f14801c4bd

  • memory/2924-17-0x0000000000350000-0x00000000013B2000-memory.dmp

    Filesize

    16.4MB

  • memory/3028-8-0x0000000073C31000-0x0000000073C32000-memory.dmp

    Filesize

    4KB

  • memory/3028-10-0x0000000073C30000-0x00000000741DB000-memory.dmp

    Filesize

    5.7MB

  • memory/3028-9-0x0000000073C30000-0x00000000741DB000-memory.dmp

    Filesize

    5.7MB

  • memory/3028-12-0x0000000073C30000-0x00000000741DB000-memory.dmp

    Filesize

    5.7MB

  • memory/3028-14-0x0000000073C30000-0x00000000741DB000-memory.dmp

    Filesize

    5.7MB

  • memory/3028-15-0x00000000065B0000-0x000000000BBB3000-memory.dmp

    Filesize

    86.0MB

  • memory/3028-16-0x0000000073C30000-0x00000000741DB000-memory.dmp

    Filesize

    5.7MB