Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2024-12-10...ch.exe

windows7-x64

6

2024-12-10...ch.exe

windows10-2004-x64

3

Resubmissions

10/12/2024, 23:07

241210-23yl5atpct 10

10/12/2024, 21:23

241210-z8x7fazkfv 10

Analysis

  • max time kernel
    57s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    10/12/2024, 23:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-10_9d96bcb8b2602cda10803ef6e69692fa_cobalt-strike_cobaltstrike_poet-rat_snatch.exe

  • Size

    5.0MB

  • MD5

    9d96bcb8b2602cda10803ef6e69692fa

  • SHA1

    1770e3b509c114a66b181b9214e14b1bad5759ae

  • SHA256

    e28bd9bb817bc56f4a93384aa0059d2c3e5a083d8b3f071223e2bcfa00aee3ff

  • SHA512

    86fcf6a1b00f52a48978dca8851e47fb252e7d49019e73dcf1a8f773eb6d829e3588143e44c3a4b6c82b6571f4563f616b12a8c9ae12cc1bf4efca6ca7763e4f

  • SSDEEP

    49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6liK1uOCeXvpnu:r56utgpPFotBER/mQ32lU0

Score
6/10
discovery

Malware Config

Signatures

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-10_9d96bcb8b2602cda10803ef6e69692fa_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-10_9d96bcb8b2602cda10803ef6e69692fa_cobalt-strike_cobaltstrike_poet-rat_snatch.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    PID:376
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:3000
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1272
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
        1⤵
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Program Files (x86)\Windows Media Player\wmpshare.exe
          "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2036

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{597BF30A-61BF-4487-9266-8D09F6AC7964}.jpg
        Filesize

        23KB

        MD5

        fd5fd28e41676618aac733b243ad54db

        SHA1

        b2d69ad6a2e22c30ef1806ac4f990790c3b44763

        SHA256

        a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

        SHA512

        4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{DDB95087-6122-4FB0-9DF3-E87E9085AB86}.jpg
        Filesize

        22KB

        MD5

        35e787587cd3fa8ed360036c9fca3df2

        SHA1

        84c76a25c6fe336f6559c033917a4c327279886d

        SHA256

        98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

        SHA512

        aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CabB167.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\TarB189.tmp
        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        Download Submit

      • C:\Users\Admin\Desktop\CompleteHide.xltm
        Filesize

        200KB

        MD5

        8fe043696a932c38cb6fddf6db2dabe3

        SHA1

        d65e1117853cbe4d8abe705506fe86db25820ebe

        SHA256

        d3baeeef03c8869f50d7c19b9d1d671d39330ba8cd62d7d418c9afcd4b2cf0dd

        SHA512

        288806694738696827fa6c197b8efe14341a226c674b8116fda056bf6f7004376a6ba3dc91ab896feceec5fdebf209a0eeee7bd38b913fde9ec952c86284358a

        Download Submit

      • C:\Users\Admin\Desktop\ConvertFromRequest.m1v
        Filesize

        127KB

        MD5

        1099be41356e5feb02e24929187404fb

        SHA1

        d750dbcfe0e0e86eb106266af76dc156f7832428

        SHA256

        cf748d95b580771e02a6ce1e04abce5afa9431c07ac49173d24b7be1525ec50b

        SHA512

        1956bb7efe5bd78d58ad9f04d785974646d4f9f52c7effd74a9dd4f10ce3bfbc2151fe6b02b0e55fc27724388e4fad84880256cdd370c0a3242641678b781586

        Download Submit

      • C:\Users\Admin\Desktop\ConvertResume.bin
        Filesize

        113KB

        MD5

        064d4551699a11c63125fbadc493bab8

        SHA1

        a51a1ef599317cfe0ca41cb65a3aedf8b64b0209

        SHA256

        0c8b5c8c5c66b497c5bd5814c991d25551d552744e921e710c9d2139222b6502

        SHA512

        b41e64e0dd514df5f76e3ab58e3bfe141d94d78af0687233c7873f07253b52dd923c97f2808be41d756140e2fba8d657ad0d8a23a6150f6f947565e3b7b6cbc4

        Download Submit

      • C:\Users\Admin\Desktop\EnableBlock.emf
        Filesize

        164KB

        MD5

        5ea6ce45bf91d5c764738527de0fff21

        SHA1

        a8283ab5e12b353fe92cd9856054032a39263bf3

        SHA256

        a06746bd0a15d46dd763aa0c9a5a9fe1a67c6010fb4cdf5981f5f1ee4110e1e3

        SHA512

        d7b88b6efdc2ea7ec1e8ff6015913244dafc5938910e64bc3f7436a8e855251c2184234d482ebf887dd171a65c86e619a4745b74dea32f4e740e490374f51b4a

        Download Submit

      • C:\Users\Admin\Desktop\SetCompress.css
        Filesize

        120KB

        MD5

        a2b20373bb274fe8d8a2b855a2942568

        SHA1

        4266f843bd3914fdc02d29527dbf210699e9ea33

        SHA256

        e4db488d3e53520141922f881b01eed78e68cb434a9ff455c70aea45fae74619

        SHA512

        e16542310274eb6e920c8d16cb95f88c4a4479fb470fccc050f645cc9bf892b70e802a7d417af5feb6c7a930edb6dc1bf69d183eaae08f05dc17a4208091318d

        Download Submit

      • C:\Users\Admin\Desktop\StepReset.xltm
        Filesize

        142KB

        MD5

        7e47bf6ab705d8808dcf056233f68ae0

        SHA1

        a4e1c8d3836ff8827abd0a294a987f7a3939cd38

        SHA256

        5c82be8d9ddfc8be902e30dbb47471bb70dd9f3e641a2ecd707c2eece4d115df

        SHA512

        ab21bbdf5106338534d3cfd50c9a989ff234408f9808a2e647379a6dbc7c1438fdcef26dc91353884f889211ab5d661f4735d7a8633ac5c3cf9f3eb95b624788

        Download Submit

      • C:\Users\Admin\Desktop\UnblockLimit.mov
        Filesize

        244KB

        MD5

        0103a9db2c98e4fe67c8799eb1a88bdb

        SHA1

        7ee7ed5fde6fad138f9c8b07acdb16c5eb9942ac

        SHA256

        35749a48dca8730b292978563aa693186d0087026eaa5e1717f0856586abbb15

        SHA512

        f627cea97f24e55a6d49b7ed25cd5a66056d6c928b20089914756ae390425fbab0f405cc536974fb52acf770bfde785b394f2b243fc9274dbd71637f85204b8a

        Download Submit

      • C:\Users\Admin\Desktop\UndoInvoke.wps
        Filesize

        135KB

        MD5

        3c24eb685d8fc960ccc367889dce29de

        SHA1

        71db914b5394438a8d3cd50408f9eba9c108225d

        SHA256

        b39422444d837d017b830a1b6b1cd68b118437b5ee99bce02cd6a9ff88586fb0

        SHA512

        483a401fe6ec5f99b761bea7084305aa9c1bef86eb6688e4531cdf5ad7ce5d40dcc32d04ee5017a86a946a89138d1948269529d6663bdafb8eb2857328c3b6b9

        Download Submit

      • C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg
        Filesize

        32KB

        MD5

        84bba83cfbc0233517407678bb842686

        SHA1

        1c617de788de380d28c52dc733ad580c3745a1c1

        SHA256

        6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9

        SHA512

        a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e

        Download Submit