Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2024, 02:20
Static task: static1
Behavioral task: behavioral1
- Sample: c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
- Resource: win10v2004-20241007-en
General
- Target: c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
- Size: 78KB
- MD5: 3fe92d6af27ec0dd0fc474939a8c3ab6
- SHA1: b355cbcaccc68da313d7513da35c96091328d6a5
- SHA256: c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a
- SHA512: 3725be1320c9b7fb653f5392a9249895828fa7b63d58454695f5173e3e1c5ea7445d2bc15179d55e88c92eb4a93cf4ea546204f0616c11c5148bc4e6d527d405
- SSDEEP: 1536:sWtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteG9/s1Re:sWtHYnhASyRxvhTzXPvCbW2UeG9/p
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1940, process tmpB77D.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid 2520, process c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe (2 events)
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"", process tmpB77D.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe, vbc.exe, cvtres.exe, tmpB77D.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: pid 2520 c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe; pid 1940 tmpB77D.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2520 (c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe) wrote to memory of PID 2328, procid_target 30 (4 events)
  PID 2328 (vbc.exe) wrote to memory of PID 2532, procid_target 32 (4 events)
  PID 2520 (c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe) wrote to memory of PID 1940, procid_target 33 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe (PID 2520, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2328, level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\obwy-8-x.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2532, level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB8F3.tmp"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.exe (PID 1940, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads