
Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/09/2024, 18:39

General

  • Target

    5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe

  • Size

    4.5MB

  • MD5

    6eb0f8cdd3f2708b5fc8bdf2dadca602

  • SHA1

    8e2be55f6ae18e9e091619d632c35f6897784a42

  • SHA256

    5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce

  • SHA512

    6a40ae445e0722e5de5306362904dc663e529c8d69aa9437804476c23de8b37e85ab38ba75404d96062dbc4d79dbd164976aec51b95b7982084fb1b266c2bba5

  • SSDEEP

    98304:/XrHQcsibw8SPLeTtSQo5Z8DERxrfExYzbRKHIrH/92BQ6ZyF:frwcXMHLKy6txWRK+H/926Yy

Malware Config

Extracted

Family

cobaltstrike

C2

http://192.168.14.128:443/u6z8

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;NLNL)

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Loads dropped DLL 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
    "C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe
      "C:\Users\Admin\AppData\Local\Temp\5fdb322fcb6b0236f59c3609e8aeff91a21d7020bd47d3c577cdd1d56cb2c4ce.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:412
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 624
        3⤵
        • Program crash
        PID:1332
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 412 -ip 412
    1⤵
    PID:1004

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\_MEI42202\Crypto.Cipher._AES.pyd

      Filesize

      29KB

      MD5

      3c4ab2e06feb6e4ca1b7a1244055671a

      SHA1

      a4c3c44b45248b7cf53881e6d8efa8d557e100a9

      SHA256

      c7e4194470a677304fad05c771654e6986c32bc29a04c3c4c52594172d83cb23

      SHA512

      7531b4ecf3c2a37b33b790e403cf69c6c90c33b0236ad65996fad6e5fdd0e831935126ed96026f612d6fdd2847f2d7b01823f49fbdbd8c95b434fbdd9aaf557c

    • C:\Users\Admin\AppData\Local\Temp\_MEI42202\MSVCR100.dll

      Filesize

      755KB

      MD5

      bf38660a9125935658cfa3e53fdc7d65

      SHA1

      0b51fb415ec89848f339f8989d323bea722bfd70

      SHA256

      60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

      SHA512

      25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

    • C:\Users\Admin\AppData\Local\Temp\_MEI42202\_ctypes.pyd

      Filesize

      83KB

      MD5

      5d1bc1be2f02b4a2890e921af15190d2

      SHA1

      057c88438b40cd8e73554274171341244f107139

      SHA256

      97c3cdef6d28ad19c0dacff15dd66f874fe73c8767d88f3bc7c0bde794d857da

      SHA512

      9751f471312dd5a24f4a7f25b192ddcb64d28a332ff66f3aa2c3f7ef69127cf14c93043350397e9f884f1830f51d5e01214e82627158d37ef95ce4746a83bbd9

    • C:\Users\Admin\AppData\Local\Temp\_MEI42202\base_library.zip

      Filesize

      717KB

      MD5

      d6d034e1af968d134b3cc4477b623069

      SHA1

      6eb0fc22dc6360177956e0884241b94b68f69ee7

      SHA256

      63f31b4c43a469971854a1d1eae5516f8d0ccdcd3d0566a84b2496c25a28de44

      SHA512

      e45c32d209ab14a328c843d06958ce0f35c9ef2f52e5e8d47fbd0caa4b89eb3388d03497f973ee73aaf73ee3be3327942a6202a7934d818261c5b29965de94bb

    • C:\Users\Admin\AppData\Local\Temp\_MEI42202\python34.dll

      Filesize

      2.6MB

      MD5

      96f7167b725a27b3bd4766a89c4b4305

      SHA1

      39a1d7e1648adce5740a1976211724cf87792b9e

      SHA256

      30ab1713ca7cbbee7227bf50db4d1415654eb81ea0a16134f37dc11a746d9f92

      SHA512

      3d7ce22c29956f7f1c001ab86298485987d2b1dc5f52d5eb5b7dd21c21d88d00849163f684c01141b77ed387bc32733d26da79cc81a2d01f0d2f5d9ec8c5441a

    • C:\Users\Admin\AppData\Local\Temp\_MEI42202\test.exe.manifest

      Filesize

      1KB

      MD5

      0995942e0c238d67de452a3b2c1db5a9

      SHA1

      ac9fdb353e74a3de2c1024c6d6a068fef7860328

      SHA256

      4801e45f989133f5dfb453fd3e31ff512043dc89b099b64faf55f78724e7518d

      SHA512

      e97e43d6d3f14e00835be72e78e3e29a0632a47c4057c3a7340780f6761f6643793c8427d997446a3152a8b2fc5133ea9065b554e2321d216f9f7df34a16a35e

    • memory/412-25-0x0000000002410000-0x0000000002411000-memory.dmp

      Filesize

      4KB

    • memory/412-28-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/4220-38-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB