Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2024, 02:20

General

  • Target

    c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe

  • Size

    78KB

  • MD5

    3fe92d6af27ec0dd0fc474939a8c3ab6

  • SHA1

    b355cbcaccc68da313d7513da35c96091328d6a5

  • SHA256

    c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a

  • SHA512

    3725be1320c9b7fb653f5392a9249895828fa7b63d58454695f5173e3e1c5ea7445d2bc15179d55e88c92eb4a93cf4ea546204f0616c11c5148bc4e6d527d405

  • SSDEEP

    1536:sWtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteG9/s1Re:sWtHYnhASyRxvhTzXPvCbW2UeG9/p

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
    "C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\obwy-8-x.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB8F3.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2532
    • C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1940

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB8F4.tmp

    Filesize

    1KB

    MD5

    c07bbd1c4e2b5b89042489e4c172527a

    SHA1

    3b0fe5b268615badcb3632b206e015c6c6de75e3

    SHA256

    cd6599aebd3bebca10ae6f29be69599a9c970e08ad5b6df9164f9bd8727e5842

    SHA512

    dfd29f9ac2649f7fcbcd0159ed5a19e56e31f7904db113623be313b48cea5781da69f528dc7d02798da9f686d713b91c0835aa8d6b5a0cdc6928ab9ed75f35c4

  • C:\Users\Admin\AppData\Local\Temp\obwy-8-x.0.vb

    Filesize

    15KB

    MD5

    e29ab1b0934d20f7abc9cacedb2a0310

    SHA1

    ec477d46793ab10ddce3000a0ad68ed964bb8bd6

    SHA256

    bc6e59581bdff21477b3f8e19ed85c41a49daa72dc18699c374ff4a9f43e3b17

    SHA512

    04577be96aab122eb840519138aca535981dc2eb3c6c738186c9e936af3263963392b06d7ff9be741b8d44ad0f55fa71aa3c7f3a9a49df0fc33ad6210586ef43

  • C:\Users\Admin\AppData\Local\Temp\obwy-8-x.cmdline

    Filesize

    266B

    MD5

    ea6b5c63e7dff0fe241c3090750b3c83

    SHA1

    1ad12d0edd1a29973c1c54fc1df2a3665ac5fe3e

    SHA256

    4e6b192d9227dd5903a2bfb3fd68ec7ecc276e8cd77617f72b7ec009c1dc9ef0

    SHA512

    d5c3362e1a7ac669c1aa7087945866f3f63ac2732228bf9712bd5b5ad82a0bcda6bc0e12d34904b0e69e1ffcf82fcaf4ea93317126309500cab9227381901d44

  • C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.exe

    Filesize

    78KB

    MD5

    98873f757dc74f58105b3fe50e6be15e

    SHA1

    ada9ca13406ae2c7ef4249115cd7dfe0f0c7e290

    SHA256

    e267217953534d89149b9f4bf60b4a72aa56073366caa6a4fa9eb280bb8836bc

    SHA512

    dc895fdd34a85e318730b707a68e673a068d3c90cfe35e8dee2b8dbfebb453850a2a3120b78f772f2cdc790045d534fbe78d8223b3e0bef31004bbbdc9876feb

  • C:\Users\Admin\AppData\Local\Temp\vbcB8F3.tmp

    Filesize

    660B

    MD5

    fc0fce039dd9b02e635cd63caaeb267f

    SHA1

    7c31cc180a7f8a37479f52764c4f5328be303f65

    SHA256

    e7a52a15a201a1005762ae2addeb05dbcd44937679f1270682d1cea773286ce7

    SHA512

    7d02989efb9fabc9bbf5d765329fdffe8a0b6afccfb04f732e89587dad27a78d2169baa53a12c0a7823d2f79a78c83d3913a8aea37e701208d3aa2afbbe7ae1a

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/2328-8-0x0000000074BC0000-0x000000007516B000-memory.dmp

    Filesize

    5.7MB

  • memory/2328-18-0x0000000074BC0000-0x000000007516B000-memory.dmp

    Filesize

    5.7MB

  • memory/2520-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp

    Filesize

    4KB

  • memory/2520-1-0x0000000074BC0000-0x000000007516B000-memory.dmp

    Filesize

    5.7MB

  • memory/2520-5-0x0000000074BC0000-0x000000007516B000-memory.dmp

    Filesize

    5.7MB

  • memory/2520-24-0x0000000074BC0000-0x000000007516B000-memory.dmp

    Filesize

    5.7MB