Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/12/2024, 21:35
Static task: static1
Behavioral task: behavioral1
Sample: b2c04bb4-1039-4836-bca6-bd4211df1190.exe
Resource: win7-20240903-en
General
Target: b2c04bb4-1039-4836-bca6-bd4211df1190.exe
Size: 524KB
MD5: 81ffddf2c1d7905204a67f6577e2dc68
SHA1: a89c37a3e12a46ac714887d509a1849791b4b244
SHA256: 5713df54ae15a1a47a87436d1c7ddc06338f9c31276880d6d2ae29d2655313e7
SHA512: b871a001fa251a9af36788ceda94ece6772a5f318120db5cada7643e66da7978d0a0f373ab271c15b45a0947f1161ee60284c0621e25e07ea81864a3c8945e4a
SSDEEP: 6144:dLeno+U3zituONCfDq/ib4IKEQwpUgQ/Fn7r+DHZ8q6PTZKWCaYVZ6qXW4bPwDJr:sRC+ab4aQlhFnPA81X/Y1cNm+1v6pP
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: original-financial.gl.at.ply.gg:28916
Mutex: d516db18-d565-4fff-a872-0ad0fd1f18ca

activate_away_mode: true
backup_connection_host: original-financial.gl.at.ply.gg
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2024-09-13T19:32:56.304391136Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 28916
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: d516db18-d565-4fff-a872-0ad0fd1f18ca
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: (empty)
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Nanocore family

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
1012  powershell.exe
3024  powershell.exe

Executes dropped EXE (4 IoCs)
pid   Process
1952  111111111111111111111111111111111111.exe
2392  injection.exe
876   Setup.exe
2128  wlanext.exe

Loads dropped DLL (3 IoCs)
pid   Process
876   Setup.exe
876   Setup.exe
876   Setup.exe
Checks whether UAC is enabled
description        ioc                                                                                   Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  111111111111111111111111111111111111.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  wlanext.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow  ioc
9     discord.com
8     discord.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
6     ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  111111111111111111111111111111111111.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Setup.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid   Process
1952  111111111111111111111111111111111111.exe
1952  111111111111111111111111111111111111.exe
1952  111111111111111111111111111111111111.exe
1952  111111111111111111111111111111111111.exe
1952  111111111111111111111111111111111111.exe
1952  111111111111111111111111111111111111.exe
1012  powershell.exe
3024  powershell.exe
1952  111111111111111111111111111111111111.exe
1952  111111111111111111111111111111111111.exe
1952  111111111111111111111111111111111111.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
1952  111111111111111111111111111111111111.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2392  injection.exe
Token: SeDebugPrivilege   1952  111111111111111111111111111111111111.exe
Token: SeBackupPrivilege  2628  vssvc.exe
Token: SeRestorePrivilege 2628  vssvc.exe
Token: SeAuditPrivilege   2628  vssvc.exe
Token: SeDebugPrivilege   1012  powershell.exe
Token: SeDebugPrivilege   3024  powershell.exe
Token: SeDebugPrivilege   2128  wlanext.exe
Token: SeDebugPrivilege   2128  wlanext.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description                      pid   Process                                    procid_target
PID 2124 wrote to memory of 1952  2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  30
PID 2124 wrote to memory of 1952  2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  30
PID 2124 wrote to memory of 1952  2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  30
PID 2124 wrote to memory of 1952  2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  30
PID 2124 wrote to memory of 2392  2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  31
PID 2124 wrote to memory of 2392  2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  31
PID 2124 wrote to memory of 2392  2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  31
PID 2124 wrote to memory of 876   2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  32
PID 2124 wrote to memory of 876   2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  32
PID 2124 wrote to memory of 876   2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  32
PID 2124 wrote to memory of 876   2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  32
PID 2124 wrote to memory of 876   2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  32
PID 2124 wrote to memory of 876   2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  32
PID 2124 wrote to memory of 876   2124  b2c04bb4-1039-4836-bca6-bd4211df1190.exe  32
PID 2392 wrote to memory of 1012  2392  injection.exe                             37
PID 2392 wrote to memory of 1012  2392  injection.exe                             37
PID 2392 wrote to memory of 1012  2392  injection.exe                             37
PID 2392 wrote to memory of 3024  2392  injection.exe                             39
PID 2392 wrote to memory of 3024  2392  injection.exe                             39
PID 2392 wrote to memory of 3024  2392  injection.exe                             39
PID 836 wrote to memory of 2128   836   taskeng.exe                               43
PID 836 wrote to memory of 2128   836   taskeng.exe                               43
PID 836 wrote to memory of 2128   836   taskeng.exe                               43

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\b2c04bb4-1039-4836-bca6-bd4211df1190.exe (PID 2124)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b2c04bb4-1039-4836-bca6-bd4211df1190.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe (PID 1952)
        Command line: "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\injection.exe (PID 2392)
        Command line: "C:\Users\Admin\AppData\Local\Temp\injection.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1012)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wlanext.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3024)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlanext.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 876)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (PID 2628)
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskeng.exe (PID 836)
    Command line: taskeng.exe {F17B1DB5-9529-40D8-9BE1-F727B7E1BE9F} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\wlanext.exe (PID 2128)
        Command line: C:\Users\Admin\AppData\Roaming\wlanext.exe
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 209KB
MD5: 9258d024ee6fbfe283978e89e25cbc50
SHA1: 123f1309dbc98824ec2ebb12f9883a07b873820e
SHA256: 392a00e29a7305ead657c6c10d80b446f8b6bfe25a171e63e43439695f40410a
SHA512: 993b2a16cfdc8dbd99753349f923a6baf1e801f79d7fb6aa39e15f617b4f798f355a9edddc9e7579ece562e1c254299e974ac46e70efe576a0985554fec15913

Filesize: 124KB
MD5: fb47cb26a0c7480148a8d0c8f8e01be1
SHA1: bff6e89f3f724f79b136a4af7e6be03ff8d945e8
SHA256: 255472e23f31eebe810f217212bf9caa39a30cac423dbe9893b554308da7db4b
SHA512: 59bf831d10f9b2787e8152c2eea2abc8d131a9b45986da21d0cd6b38b43907becad39c332ed2c251bb3c28c14bfa022a7635487230a1f8643fb7ac20f1518ee7

Filesize: 399KB
MD5: 153deb0e0ffc0b476d5bba8a69778dde
SHA1: 4ef44b30281e61ffdb74c4b3c0ec5e5bab8fa08f
SHA256: 4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607
SHA512: 00f58ffa67c2ee992f1904a3a923e80ee350956b4690eadd9dbfa8b4e6897ab4d598493f1bca3781cca0849184a3a40f21424efcc3e90d436d76540da5a89bf4

Filesize: 248B
MD5: 061e700fe27d852034a5a44bf5985ccf
SHA1: 15b072de6d6fdd92ae36f074345fa41985833e8d
SHA256: 4bbb88af530693eb4a710b0591d4baf585837242c5690f5a821bf2fc9cc587cd
SHA512: cf6c5458ab50c859740490985d1e7e887d1116f3fa947ff2ec49af9997a42f3402c63ef42b93498544195d9859fbb19ccc295966564b30f5adb4a36d4e8886c6

Filesize: 8B
MD5: 512d3a063e609f65ae9554749835b65e
SHA1: 348d7f4bac538351dba1b5287c0161480d2b754c
SHA256: 9454e04f1fed6d5ad100d5707f3b6f1e25040a0d1320569226691663edc426e4
SHA512: 85120d1d575372bf001e37472c249dbfea6416d2fdc98dda7f9ba5ed6c8848b249d872e66aba26def5f3a5da1027ef515bfab2bc1d1059172adbeae49af3a84b

Filesize: 423KB
MD5: 7f0642b40d7f2ee4cf9d08601762f280
SHA1: db0a55e900fb8ab637f84815e8100de9ba391810
SHA256: e6a52cf6101cd8a5b0b276ba0507ab1fa3203267b842c4534f28f37ada40c02a
SHA512: 108eb480e9ad78b3dd9783ed536b1406eb390f10cafe0e95f26da86d08b4e006fffce8ea389f87f4e6d92b0bfda20ea8fd0bd6094d7e6ea773807d0adbe1c2e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IWJWJU2QW0U0R9OKLZ29.temp
Filesize: 7KB
MD5: 2cd9305c912a4bad7d43a01badfafc28
SHA1: 841e627ae94f2dd907bd35d7990e5ebad115762a
SHA256: 8f3f310c71919fee2f4a8a3e8921a872c505391d3c54f382d8ce331afe98d22a
SHA512: 0978c20aa88e6d011c6959971bd748a8ab248bb609bcfc6ce21bcb7f47490f87896dd0e6c434605a279c403d97b12a2f7eaf17ce0911f90d42ccc02df634a638