Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 05/11/2024, 16:30
Static task: static1
Behavioral task: behavioral1
- Sample: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
- Resource: win10v2004-20241007-en
General
- Target: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
- Size: 78KB
- MD5: 83abbc2fa12cce90a34623228d1cf060
- SHA1: ccdefc4083b6f4a01cc9b5647a5a5555942794d6
- SHA256: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78
- SHA512: 0c8b8deb59d1a9aa400a2ed6e20bb4dac18912b7aec6f5cbf00b78e663b556692da17f1bc8c8ef3fcd1bf4587a85dc640a3a9d91aa438e9b179a805dd1a1c92d
- SSDEEP: 1536:9MV55AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtW6ta9/k1Va:WV55AtWDDILJLovbicqOq3o+nw9/J
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid 2096; Process tmpE080.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid 2592; Process 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
  pid 2592; Process 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""; Process: tmpE080.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: vbc.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: cvtres.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: tmpE080.tmp.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid 2592; Process: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
  description: Token: SeDebugPrivilege; pid 2096; Process: tmpE080.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description: PID 2592 wrote to memory of 2236; pid 2592; Process: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe; procid_target 30
  description: PID 2592 wrote to memory of 2236; pid 2592; Process: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe; procid_target 30
  description: PID 2592 wrote to memory of 2236; pid 2592; Process: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe; procid_target 30
  description: PID 2592 wrote to memory of 2236; pid 2592; Process: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe; procid_target 30
  description: PID 2236 wrote to memory of 2888; pid 2236; Process: vbc.exe; procid_target 32
  description: PID 2236 wrote to memory of 2888; pid 2236; Process: vbc.exe; procid_target 32
  description: PID 2236 wrote to memory of 2888; pid 2236; Process: vbc.exe; procid_target 32
  description: PID 2236 wrote to memory of 2888; pid 2236; Process: vbc.exe; procid_target 32
  description: PID 2592 wrote to memory of 2096; pid 2592; Process: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe; procid_target 33
  description: PID 2592 wrote to memory of 2096; pid 2592; Process: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe; procid_target 33
  description: PID 2592 wrote to memory of 2096; pid 2592; Process: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe; procid_target 33
  description: PID 2592 wrote to memory of 2096; pid 2592; Process: 79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe; procid_target 33
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe"
  PID: 2592
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h-zcduz1.cmdline"
    PID: 2236
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3CA.tmp"
      PID: 2888
      - System Location Discovery: System Language Discovery
  - Level 2: C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpE080.tmp.exe" C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
    PID: 2096
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 27f87a2997031f2648f213b06c90e069
  SHA1: bf1f763b8d4e9c112afaff1067786b2514cfec2a
  SHA256: 949aa95173884369733eaf092fb394104d2294b2ecd01bb0d8c7c218b0c52c29
  SHA512: db95ea245664de3fe72663369c8d71090986a5f1d83648f7b69c8075a3eeebb375b7b19b37974db1bf836594d8311a0d8a835aed5132c2125fb448a1d7a4f91b
- Filesize: 14KB
  MD5: b52caa88377c43f99aa5dc03421017d8
  SHA1: 36f1df4497a59005f891a0e1df1a13f1ed80f4b9
  SHA256: 4e21eb92d0c2b10dc1221f259e5e8eafc622f1381c167acbb4dd6b7c3fbdc8b4
  SHA512: d6ccb9a63fd7c55593ceeb198b680a7f813465a0ebb18c51666229d551b708d2d64975f4faeb1299fc82334e9a17da579ec992b8677ae2607e60d46d70b8079d
- Filesize: 266B
  MD5: dc2131c6d37380fc7f85a889c600e934
  SHA1: 66a212bd740c5dfc8b723c35aaba75f0da0ec3ae
  SHA256: b2a99e26e10fbfdb54027828e073e4cc240a0a71075ff1128e9f076a5ce0b19d
  SHA512: 3c10f8edd720dd71a032756c32685ad375394742ac6607aaddf4adfedd785df421519e0082efcbd775cad372d2f730f98ebc585e4f840c0ad0ca4f6247fb0a7b
- Filesize: 78KB
  MD5: c84c1032b75b7f8d96ba99834ba0340f
  SHA1: 4c66ce7ba7cc80f0261dfa1ecf18c3b73a5c097f
  SHA256: 303b733ba5fb639dc23f8d70d64840b9728091999a9088e173c2e7d9d54f92c3
  SHA512: c38d9a71aeb2d5d361338f613c36aa8d3a9c5f33d8345d1da04cb1168a19d28d6092b770ab0e3a40d218efb02aeb9a803b44b177d792229c0191f2e4895fd3db
- Filesize: 660B
  MD5: a9bf8a338e44936152cdbe18d49a8460
  SHA1: 5af5a9684a59910976424e32a3c1d4b89021e6bd
  SHA256: 66147ee47b1c0ed25f548af4133fc372a849f2c91cf8404e6522ed957be96d50
  SHA512: 731947c4b4af2055f1c46a701e0632b5a4fbfc2aae70211f045f1d62fd4272f492c74428ac37aff0834e18c1664d99b05283c82b1b25f4723944e6c0d07e0958
- Filesize: 62KB
  MD5: a26b0f78faa3881bb6307a944b096e91
  SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
  SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
  SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c