Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2024, 12:59
Static task: static1

Behavioral task: behavioral1
- Sample: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
- Resource: win10v2004-20240910-en
General
- Target: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
- Size: 78KB
- MD5: 864d51ebd98fba435ff1c57c5696c760
- SHA1: 9420d56ef6166d7ab5306904e580d31d68d6aee0
- SHA256: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611
- SHA512: 3e8afbacf784128e168e3929f4f4a937276dd3e7098f46e2c44ff73b1232ef8b65ed0567285f65fb64b297549f9247deaf5234b3df0f4fbb9ea522f3294ebe72
- SSDEEP: 1536:bmCHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLa9/J1zk:KCH/3ZAtWDDILJLovbicqOq3o+nLa9/c
Malware Config

Signatures
- Deletes itself (1 IoC)
  pid 2976, process tmp950F.tmp.exe
- Executes dropped EXE (1 IoC)
  pid 2976, process tmp950F.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid 1288, process a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
  pid 1288, process a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" (process: tmp950F.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp950F.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1288, process a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
  Token: SeDebugPrivilege, pid 2976, process tmp950F.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1288 wrote to memory of 2136 | 1288 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 28
  PID 1288 wrote to memory of 2136 | 1288 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 28
  PID 1288 wrote to memory of 2136 | 1288 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 28
  PID 1288 wrote to memory of 2136 | 1288 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 28
  PID 2136 wrote to memory of 1696 | 2136 | vbc.exe | 30
  PID 2136 wrote to memory of 1696 | 2136 | vbc.exe | 30
  PID 2136 wrote to memory of 1696 | 2136 | vbc.exe | 30
  PID 2136 wrote to memory of 1696 | 2136 | vbc.exe | 30
  PID 1288 wrote to memory of 2976 | 1288 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 31
  PID 1288 wrote to memory of 2976 | 1288 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 31
  PID 1288 wrote to memory of 2976 | 1288 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 31
  PID 1288 wrote to memory of 2976 | 1288 | a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe | 31
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe"
  PID: 1288
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\guw-ka-b.cmdline"
    PID: 2136
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9619.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9618.tmp"
      PID: 1696
      - System Location Discovery: System Language Discovery

  (depth 2) C:\Users\Admin\AppData\Local\Temp\tmp950F.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp950F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6dc10c08ecaf40db65fdcdfc4839f487257f3bf9db44cfca62d9fa76f49f611N.exe
    PID: 2976
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: d855964020eb973535f3895aee9fc6bf
  SHA1: 585c1d1005ea5cbfa1889f9fff4ba839a3509121
  SHA256: 696ec40c7515217e3ba6bdf1d790416624df576ce755c0d9fa1346f3638b4298
  SHA512: 2ab212badea32b29719e70540b95a12c253672680e5c329bb86058715d7d73eee3aa7b8ce670ebf3303b85632b8710a2931710d00865de1138c6be53251051b2

- Filesize: 15KB
  MD5: cba3f77ab449e6b693d81d1a9737c927
  SHA1: 36534d2876329b03244828be38527f5f99bf623d
  SHA256: 82902d9a3084dc33586d124fcb6f902739c5db7e4f6f295df9f90d423483fb58
  SHA512: 96663e186df9d99d3f0595dd4d0f9bb801e7f7ddaeaad8ffc3b418b6f27b209f44ebeed10c9ec884394cc99ef35e043bd1d9a4f4cb3f17a7ba963f1ef96cc77f

- Filesize: 266B
  MD5: ecc8fb6f6654345549dadd518f4eb3c6
  SHA1: b8da19245ff194f6e007dcf304d0c247f007086d
  SHA256: d2586e9ffea00346cc92227eaecae62a3e6eb151e5fd63a08ff47598f87cdc87
  SHA512: 3fa0c76359da3570e48ac33b93d01705eeb87681fb79cf95011c94678b133f9ef36cf0f78a4f84a4c559fd4f19b6e64b51e4f7247bc978f605f3eeff2cf262de

- Filesize: 78KB
  MD5: b799331cfa209305d39983e0e5ce4618
  SHA1: 2c6f46f2e7dbe9f9db3d9d67cf86cbddfdc68d51
  SHA256: 3312641bb3b619958312f5ff841bd59e7efab4319344c4722ee952a3cec351f4
  SHA512: 473a2a43d2e449902a7b463dd262a4b2f0543cea21aab60cb47bd7415d119c316f8e75ce8576abc1d160bc2f42093acc923b4b6d2f72f89ddc5e39806401a319

- Filesize: 660B
  MD5: d492c2c6d76ca0c6bdc507b4a5674649
  SHA1: a23d56c838c52e0a2b2174dd87e4301ccdb59c03
  SHA256: 7c5b931dcfdca1bff35f11ed78dd60003c9907f4ce9b8fefbb0a5a4dfe85491b
  SHA512: 2bed33b033ca0a8f7d76d29eb6df37e28979f40787e440aaa55ea11d0cf09718eb171a1d307f62961cf80b4585d550f75d946b74a47448020f81289faeabe34f

- Filesize: 62KB
  MD5: a26b0f78faa3881bb6307a944b096e91
  SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
  SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
  SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c