Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    70s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2024, 06:14

General

  • Target

    55e612ab7f9196618deb3800bd208777d09f2b70be814b1d241acef1dc6280ddN.exe

  • Size

    368KB

  • MD5

    aca331cef26e80df50aad16106791cf0

  • SHA1

    3eb52a5eee4c386e23c31521a886093d0850a020

  • SHA256

    55e612ab7f9196618deb3800bd208777d09f2b70be814b1d241acef1dc6280dd

  • SHA512

    9eb23a32eb2641cd5d4be9a4704011f37d878d73a0443296f4e62c8db85a6bb770b4bef8b32863a88e1c641108aa05cfb46130fc957933cdea7d2d03f3ec70cc

  • SSDEEP

    6144:eo5N5OazOZaTDWlVnrchrahdOxveC2wo80/agxb0zLz4qF:emSuOcHmnYhrDMTrban4qF

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot family
  • Trickbot x86 loader 4 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\55e612ab7f9196618deb3800bd208777d09f2b70be814b1d241acef1dc6280ddN.exe
    "C:\Users\Admin\AppData\Local\Temp\55e612ab7f9196618deb3800bd208777d09f2b70be814b1d241acef1dc6280ddN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2960
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2100
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
    • C:\Users\Admin\AppData\Roaming\WNetval\66e712ab8f9197719deb3900bd209888d09f2b80be914b1d241acef1dc7290ddN.exe
      C:\Users\Admin\AppData\Roaming\WNetval\66e712ab8f9197719deb3900bd209888d09f2b80be914b1d241acef1dc7290ddN.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\cmd.exe
        /c sc stop WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2968
      • C:\Windows\SysWOW64\cmd.exe
        /c sc delete WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2392
        • C:\Windows\SysWOW64\sc.exe
          sc delete WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2804
      • C:\Windows\SysWOW64\cmd.exe
        /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2724
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1048
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2900
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {CDDD9572-3444-414A-ACB5-E289D57F6E14} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
        PID:2680
        • C:\Users\Admin\AppData\Roaming\WNetval\66e712ab8f9197719deb3900bd209888d09f2b80be914b1d241acef1dc7290ddN.exe
          C:\Users\Admin\AppData\Roaming\WNetval\66e712ab8f9197719deb3900bd209888d09f2b80be914b1d241acef1dc7290ddN.exe
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1416
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            3⤵
              PID:2264

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55

          Filesize

          1KB

          MD5

          f2ae6b50fb4790456faa3f8991134572

          SHA1

          11ce6ebd75845aa05621a84c9d45541d6caa6058

          SHA256

          5c2db0657e8d06ab88a7f3951a088e94d577843d440d746a21fb005efb247ca9

          SHA512

          c7186efd27ee7a37c15651405ef010bd6a1e70cd1c096a79737501ef3d027b4846767fdbf399c6e84df1bd5821373dcecda2da12d85d090c131660d9fc5992da

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

          Filesize

          7KB

          MD5

          141789c0466ba285d56d6226f452823a

          SHA1

          3601ddfa1d4f07ca48d7e817e791e24f3894446d

          SHA256

          8c46de959eb90d4ec1c5e88031ea036981bd461446bed1a9635efc39aa294f95

          SHA512

          78f2587a9aba75742db7f54c3f8c9418f8911232a8d05b5058dd616141f62e0e10857744bc4a0f41f33ef1d1c99d3f91cde3ece4e05f0e2c6e64e93e9fce2236

        • \Users\Admin\AppData\Roaming\WNetval\66e712ab8f9197719deb3900bd209888d09f2b80be914b1d241acef1dc7290ddN.exe

          Filesize

          368KB

          MD5

          aca331cef26e80df50aad16106791cf0

          SHA1

          3eb52a5eee4c386e23c31521a886093d0850a020

          SHA256

          55e612ab7f9196618deb3800bd208777d09f2b70be814b1d241acef1dc6280dd

          SHA512

          9eb23a32eb2641cd5d4be9a4704011f37d878d73a0443296f4e62c8db85a6bb770b4bef8b32863a88e1c641108aa05cfb46130fc957933cdea7d2d03f3ec70cc

        • memory/2440-1-0x00000000002C0000-0x00000000002E9000-memory.dmp

          Filesize

          164KB

        • memory/2440-6-0x00000000002C0000-0x00000000002E9000-memory.dmp

          Filesize

          164KB

        • memory/2552-10-0x0000000000130000-0x0000000000159000-memory.dmp

          Filesize

          164KB

        • memory/2552-12-0x0000000010000000-0x0000000010007000-memory.dmp

          Filesize

          28KB

        • memory/2552-11-0x0000000010000000-0x0000000010007000-memory.dmp

          Filesize

          28KB

        • memory/2552-20-0x0000000000130000-0x0000000000159000-memory.dmp

          Filesize

          164KB

        • memory/2900-16-0x0000000010000000-0x000000001001F000-memory.dmp

          Filesize

          124KB

        • memory/2900-15-0x0000000010000000-0x000000001001F000-memory.dmp

          Filesize

          124KB