Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/10/2024, 01:22

General

  • Target

    33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe

  • Size

    78KB

  • MD5

    b0ec359e94b58d69c223e0ddf544c000

  • SHA1

    be2360bf717a87109b52995bd815b5b1d22f5d17

  • SHA256

    33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63d

  • SHA512

    ac7a5b1c0a44a830affea41673122a599765b9cdb3ae2b59bd1aaecbbcc6eb201b928831b4bf023bf5c8b59eb077c5b37caf6a2b6b864c720602ec04b09b879f

  • SSDEEP

    1536:5CHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtW9/61b8:5CHYnhASyRxvhTzXPvCbW2UW9/3

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
    "C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lwpzqo-n.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8180.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc817F.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2192
    • C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2740

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES8180.tmp

    Filesize

    1KB

    MD5

    b4e8f6fec0980ed5a45eef3f72dee0ee

    SHA1

    f454fd3e16788db690e848a9c787d3ad281bfe5b

    SHA256

    10de9482fce10fd095279bfc4fa2b1a2b294a949108d7b9c536577485ca07d3a

    SHA512

    655c196ba8a2e0e6e1e0408521f333dbc691b38c1c876111b71342cacc2d122ccc59723ab78e36d0a5b06d3e268c915c9836951bd01b589e9e13613ceb0e8552

  • C:\Users\Admin\AppData\Local\Temp\lwpzqo-n.0.vb

    Filesize

    15KB

    MD5

    77404c3c0f33987c51966a75afd02971

    SHA1

    b47758b30e0465e40ae7161b2cf44dc9ae0d32c8

    SHA256

    415c2ff0c91167dbdeb7666f44e188c3217268ec3567d55cc8c4d28c2e3863bb

    SHA512

    1630ff2f381c269463276e482ce8c9b3eaea965faf5a23b10e801ae203141a151710751d481e0db4a85f156cc7c3238f77c08b2f3d3833e38e4c4a2bfb5f497a

  • C:\Users\Admin\AppData\Local\Temp\lwpzqo-n.cmdline

    Filesize

    266B

    MD5

    9d22f4a9bd16a7b079412562e2f333be

    SHA1

    c723663b15f68dbbe4ece6e61e69c9c04a8b63c9

    SHA256

    7fa61916e5b36688634e1405a364133f8facb0ce6f2fe88b75df3aa84fb656ea

    SHA512

    a331267dedcb686dc4cd90be2f6732addc47a1c6fd4b5555bc5f3759b5482657803a877d720de0b52d80d71c92bb19138a566b71a4864bad6f69f0b952eba1fd

  • C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe

    Filesize

    78KB

    MD5

    e497f91feae79cb16bc4ab15d5ecc393

    SHA1

    4580cfd85204a055d1b6aa86e500228efdb29f4d

    SHA256

    2935e09ea34a1f824f770897326508f606e4f638bad7dfbf32422af9b657f270

    SHA512

    7579369c346b2a081a3f87218dc2ef602f8d0792fd74e24a31e4e36c912033e120115ef60b4868895d268f34a2b203ef8e2ec822c1309718e0b46bed49ce31a8

  • C:\Users\Admin\AppData\Local\Temp\vbc817F.tmp

    Filesize

    660B

    MD5

    5ed6e4251680e71252259243d980e1a1

    SHA1

    35137a557cc2d98a04ca205d310f5c3552522224

    SHA256

    f67ef881934ea7968081c558ea40bc00f2f221e0026c181fa0114213bef697a4

    SHA512

    62ec4f0b53d4a1229bf63fd299571d391dc3238e218cdc33dcb17827338782a9a2010075f0a29a98d5c6a7b6b291db0ba1a90a7f3cfae6ca9830f18758894c4a

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/1716-8-0x0000000074A80000-0x000000007502B000-memory.dmp

    Filesize

    5.7MB

  • memory/1716-18-0x0000000074A80000-0x000000007502B000-memory.dmp

    Filesize

    5.7MB

  • memory/2392-0-0x0000000074A81000-0x0000000074A82000-memory.dmp

    Filesize

    4KB

  • memory/2392-1-0x0000000074A80000-0x000000007502B000-memory.dmp

    Filesize

    5.7MB

  • memory/2392-2-0x0000000074A80000-0x000000007502B000-memory.dmp

    Filesize

    5.7MB

  • memory/2392-24-0x0000000074A80000-0x000000007502B000-memory.dmp

    Filesize

    5.7MB