Analysis

  • max time kernel
    141s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/09/2024, 18:39

General

  • Target
    5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
  • Size
    4.5MB
  • MD5
    6eb0f8cdd3f2708b5fc8bdf2dadca602
  • SHA1
    8e2be55f6ae18e9e091619d632c35f6897784a42
  • SHA256
    5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce
  • SHA512
    6a40ae445e0722e5de5306362904dc663e529c8d69aa9437804476c23de8b37e85ab38ba75404d96062dbc4d79dbd164976aec51b95b7982084fb1b266c2bba5
  • SSDEEP
    98304:/XrHQcsibw8SPLeTtSQo5Z8DERxrfExYzbRKHIrH/92BQ6ZyF:frwcXMHLKy6txWRK+H/926Yy

Malware Config

Extracted

Family

cobaltstrike

C2

http://192.168.14.128:443/u6z8

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;NLNL)

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Loads dropped DLL 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
    "C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
      "C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 240
        3⤵
        • Program crash
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI26482\MSVCR100.dll
    Filesize: 755KB
    MD5: bf38660a9125935658cfa3e53fdc7d65
    SHA1: 0b51fb415ec89848f339f8989d323bea722bfd70
    SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
    SHA512: 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

  • C:\Users\Admin\AppData\Local\Temp\_MEI26482\_ctypes.pyd
    Filesize: 83KB
    MD5: 5d1bc1be2f02b4a2890e921af15190d2
    SHA1: 057c88438b40cd8e73554274171341244f107139
    SHA256: 97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da
    SHA512: 9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

  • C:\Users\Admin\AppData\Local\Temp\_MEI26482\base_library.zip
    Filesize: 717KB
    MD5: d6d034e1af968d134b3cc4477b623069
    SHA1: 6eb0fc22dc6360177956e0884241b94b68f69ee7
    SHA256: 63f31b4c43a469971854a1d1eae5516f8d0ccdcd3d0566a84b2496c25a28de44
    SHA512: e45c32d209ab14a328c843d06958ce0f35c9ef2f52e5e8d47fbd0caa4b89eb3388d03497f973ee73aaf73ee3be3327942a6202a7934d818261c5b29965de94bb

  • C:\Users\Admin\AppData\Local\Temp\_MEI26482\python34.dll
    Filesize: 2.6MB
    MD5: 96f7167b725a27b3bd4766a89c4b4305
    SHA1: 39a1d7e1648adce5740a1976211724cf87792b9e
    SHA256: 30ab1713ca7cbbee7227bf50db4d1415654eb81ea0a16134f37dc11a746d9f92
    SHA512: 3d7ce22c29956f7f1c001ab86298485987d2b1dc5f52d5eb5b7dd21c21d88d00849163f684c01141b77ed387bc32733d26da79cc81a2d01f0d2f5d9ec8c5441a

  • C:\Users\Admin\AppData\Local\Temp\_MEI26482\test.exe.manifest
    Filesize: 1KB
    MD5: 0995942e0c238d67de452a3b2c1db5a9
    SHA1: ac9fdb353e74a3de2c1024c6d6a068fef7860328
    SHA256: 4801e45f989133f5dfb453fd3e31ff512043dc89b099b64faf55f78724e7518d
    SHA512: e97e43d6d3f14e00835be72e78e3e29a0632a47c4057c3a7340780f6761f6643793c8427d997446a3152a8b2fc5133ea9065b554e2321d216f9f7df34a16a35e

  • \Users\Admin\AppData\Local\Temp\_MEI26482\Crypto.Cipher._AES.pyd
    Filesize: 29KB
    MD5: 3c4ab2e06feb6e4ca1b7a1244055671a
    SHA1: a4c3c44b45248b7cf53881e6d8efa8d557e100a9
    SHA256: c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23
    SHA512: 7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

  • memory/2648-27-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize: 192KB

  • memory/2812-25-0x00000000003F0000-0x00000000003F1000-memory.dmp
    Filesize: 4KB

  • memory/2812-28-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize: 192KB