Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/10/2024, 02:00
Static task: static1
Behavioral task: behavioral1
  Sample: 7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: Variabelforklaringen.ps1
  Resource: win7-20241010-en
Behavioral task: behavioral4
  Sample: Variabelforklaringen.ps1
  Resource: win10v2004-20241007-en
General
Target: 7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe
Size: 738KB
MD5: 884358a9e9da158f576b7b7e42521d70
SHA1: a9d488b27fc2d65df89c1049c9cdf380e37e435f
SHA256: 7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd
SHA512: 630c905e255424dc8e54a8b945aaa5673e6ff25fe4e2f9713b73a3f5a622ff8f5d33bfc06ccecd85e5017bac27e31007c878acba32af509000a6c51fdaea0216
SSDEEP: 12288:javPpBdFOdWbKSYQNGHkROyGOs61IYZVAecgs9FMa1Mdq8jJN:javzLDK+NjDGMIYO7MoON
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell and hide display window.
  pid   Process
  2932  powershell.exe
  2844  powershell.exe

Blocklisted process makes network request (10 IoCs)
  flow  pid   Process
  21    4972  msiexec.exe
  22    3844  msiexec.exe
  24    4972  msiexec.exe
  25    3844  msiexec.exe
  32    4972  msiexec.exe
  31    3844  msiexec.exe
  34    3844  msiexec.exe
  35    4972  msiexec.exe
  37    3844  msiexec.exe
  38    4972  msiexec.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow  ioc
  20    drive.google.com
  21    drive.google.com
  22    drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid   Process
  3844  msiexec.exe
  4972  msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid   Process
  2932  powershell.exe
  2844  powershell.exe
  4972  msiexec.exe
  3844  msiexec.exe

Drops file in Windows directory (1 IoC)
  description                   ioc                                         Process
  File opened for modification  C:\Windows\resources\0409\Grubstaking.bro   7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4476  3844        WerFault.exe  97
  1536  4972        WerFault.exe  96

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process
  2932  powershell.exe
  2844  powershell.exe
  2844  powershell.exe
  2932  powershell.exe
  2932  powershell.exe
  2932  powershell.exe
  2932  powershell.exe
  2844  powershell.exe
  2844  powershell.exe
  2844  powershell.exe
  2932  powershell.exe
  2844  powershell.exe
  2932  powershell.exe
  2844  powershell.exe
  2932  powershell.exe
  2844  powershell.exe
  2844  powershell.exe
  2932  powershell.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  2932  powershell.exe
  2844  powershell.exe

Suspicious use of AdjustPrivilegeToken (44 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2844  powershell.exe
  Token: SeDebugPrivilege   2932  powershell.exe
  pid 2844 powershell.exe, tokens in order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 2932 powershell.exe, tokens in order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process                                                                 procid_target  entries
  PID 4984 wrote to memory of 2844  4984  7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe  85             3
  PID 4984 wrote to memory of 2932  4984  7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe  87             3
  PID 2932 wrote to memory of 4972  2932  powershell.exe                                                          96             4
  PID 2844 wrote to memory of 3844  2844  powershell.exe                                                          97             4
Processes
C:\Users\Admin\AppData\Local\Temp\7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe"
  PID: 4984
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" -windowstyle hidden "$supportable=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Variabelforklaringen.Adi';$Svinehundens=$supportable.SubString(52555,3);.$Svinehundens($supportable)"
    PID: 2844
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe
      command line: "C:\Windows\SysWOW64\msiexec.exe"
      PID: 3844
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 1616
        PID: 4476
        - Program crash

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" -windowstyle hidden "$supportable=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Variabelforklaringen.Adi';$Svinehundens=$supportable.SubString(52555,3);.$Svinehundens($supportable)"
    PID: 2932
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe
      command line: "C:\Windows\SysWOW64\msiexec.exe"
      PID: 4972
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1912
        PID: 1536
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3844 -ip 3844
  PID: 2624

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4972 -ip 4972
  PID: 5092
Network
MITRE ATT&CK Enterprise v15
Downloads