Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/10/2024, 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
  Resource: win10v2004-20240802-en
General
Target: 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
Size: 78KB
MD5: b0ec359e94b58d69c223e0ddf544c000
SHA1: be2360bf717a87109b52995bd815b5b1d22f5d17
SHA256: 33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63d
SHA512: ac7a5b1c0a44a830affea41673122a599765b9cdb3ae2b59bd1aaecbbcc6eb201b928831b4bf023bf5c8b59eb077c5b37caf6a2b6b864c720602ec04b09b879f
SSDEEP: 1536:5CHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtW9/61b8:5CHYnhASyRxvhTzXPvCbW2UW9/3
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2740  tmp8095.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid 2392  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
  pid 2392  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""  tmp8095.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp8095.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2392  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
  Token: SeDebugPrivilege  pid 2740  tmp8095.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2392 wrote to memory of 1716  pid 2392  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe  procid_target 30
  PID 2392 wrote to memory of 1716  pid 2392  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe  procid_target 30
  PID 2392 wrote to memory of 1716  pid 2392  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe  procid_target 30
  PID 2392 wrote to memory of 1716  pid 2392  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe  procid_target 30
  PID 1716 wrote to memory of 2192  pid 1716  vbc.exe  procid_target 32
  PID 1716 wrote to memory of 2192  pid 1716  vbc.exe  procid_target 32
  PID 1716 wrote to memory of 2192  pid 1716  vbc.exe  procid_target 32
  PID 1716 wrote to memory of 2192  pid 1716  vbc.exe  procid_target 32
  PID 2392 wrote to memory of 2740  pid 2392  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe  procid_target 33
  PID 2392 wrote to memory of 2740  pid 2392  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe  procid_target 33
  PID 2392 wrote to memory of 2740  pid 2392  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe  procid_target 33
  PID 2392 wrote to memory of 2740  pid 2392  33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe  procid_target 33
Processes
- C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2392
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lwpzqo-n.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1716
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8180.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc817F.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2192
  - C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2740
Network
MITRE ATT&CK Enterprise v15
Downloads