Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2024, 02:50

General

  • Target

    0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe

  • Size

    368KB

  • MD5

    46b6312d182ac953c201c1b6bf1bacf6

  • SHA1

    6edcdb9d801e1ef4d6f096360f872d58b3bfb339

  • SHA256

    0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb

  • SHA512

    f6240ca84c7632f00ffbe4de08ece155d238f4a9ef7fa7cdec1699afba18fe937c756072504243bdd5a66450a2f789cbb2082d0cd6f461cf555fdae4a671aa3a

  • SSDEEP

    6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qf:emSuOcHmnYhrDMTrban4qf

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot family
  • Trickbot x86 loader 4 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe
    "C:\Users\Admin\AppData\Local\Temp\0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2708
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2964
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
    • C:\Users\Admin\AppData\Roaming\WNetval\0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
      C:\Users\Admin\AppData\Roaming\WNetval\0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        /c sc stop WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2648
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:3052
      • C:\Windows\SysWOW64\cmd.exe
        /c sc delete WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\SysWOW64\sc.exe
          sc delete WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2716
      • C:\Windows\SysWOW64\cmd.exe
        /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2060
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3048
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2848
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {5078C905-F000-4E5D-8781-B6F62ED5D775} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
        PID:2020
        • C:\Users\Admin\AppData\Roaming\WNetval\0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
          C:\Users\Admin\AppData\Roaming\WNetval\0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2328
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            3⤵
              PID:2332

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3551809350-4263495960-1443967649-1000\0f5007522459c86e95ffcc62f32308f1_5a410d66-f84f-4a6b-9b29-3982febe58d9

          Filesize

          1KB

          MD5

          27c2f4bc8d8506c56c5ff117e24b6db3

          SHA1

          b1c5b1ac1b722b5b397720dcbf795a8a5cae70c6

          SHA256

          c7b5acfc2022dff91c6a15148d2fd4f0c208413f8284fee8c000f5b7d75525fd

          SHA512

          02758ab8eb6a80ae354c8c29177348f33bab12540859ae529118e2e7c6cb8d6cd6f89972c9f3238cdeb05b0b2acb5e326ac99f065d7cf3862ad9a2b98bba006a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

          Filesize

          7KB

          MD5

          64c681bd73344f5a0f9b09eb32d92d8c

          SHA1

          d142e234b4620b417ab4a8bbe1a7ab71aa4601b0

          SHA256

          8d4a487c51b4de006f150acbeee5066d715b28b39165f54ae03afc4a73306f27

          SHA512

          392cde4d3c7cb5e757ded483dc3288f1b89406a5a8a2a99ef29c542fb762fb1fc331c268d37cc06f50d0eacf84b87c452ede2b050845c000922faec27aeba0ee

        • \Users\Admin\AppData\Roaming\WNetval\0079a24aff998f68fbc971fbcf6fca0fac8298da993ac179b09b1269d6ba2dbb.exe

          Filesize

          368KB

          MD5

          46b6312d182ac953c201c1b6bf1bacf6

          SHA1

          6edcdb9d801e1ef4d6f096360f872d58b3bfb339

          SHA256

          0069a24aff897f57fbc861fbcf5fca0fac7297da883ac169b09b1259d5ba2dbb

          SHA512

          f6240ca84c7632f00ffbe4de08ece155d238f4a9ef7fa7cdec1699afba18fe937c756072504243bdd5a66450a2f789cbb2082d0cd6f461cf555fdae4a671aa3a

        • memory/2640-1-0x00000000000F0000-0x0000000000119000-memory.dmp

          Filesize

          164KB

        • memory/2640-6-0x00000000000F0000-0x0000000000119000-memory.dmp

          Filesize

          164KB

        • memory/2672-10-0x00000000000D0000-0x00000000000F9000-memory.dmp

          Filesize

          164KB

        • memory/2672-20-0x00000000000D0000-0x00000000000F9000-memory.dmp

          Filesize

          164KB

        • memory/2672-12-0x0000000010000000-0x0000000010007000-memory.dmp

          Filesize

          28KB

        • memory/2672-11-0x0000000010000000-0x0000000010007000-memory.dmp

          Filesize

          28KB

        • memory/2848-16-0x0000000010000000-0x000000001001F000-memory.dmp

          Filesize

          124KB