Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2022, 14:53
Static task: static1
Behavioral task: behavioral1
- Sample: 12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe
- Resource: win10v2004-20220812-en
General
- Target: 12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe
- Size: 151KB
- MD5: 6d36288b0a0328c7ea9824fb60302410
- SHA1: 7a7ee08d7051cd0683ce8f5f5720440e552050a7
- SHA256: 12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6
- SHA512: 4ea93fe4351e4be7847900b0a74f00dd0258c0dfbed651cbc3206f67d7f6ecf8212964711bedab64616f859408ad3fd3c49ad0a1fd18ef829d0a1b6a7fbfd23b
- SSDEEP: 3072:e5FBzlOb9WVE1wGUTuknS114fO+qDD7y0N:e5FBhOb90E1wHukSwfhi7/
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360Ö÷¶¯·ÀÓù = "C:WINDOWS\\SHELLNEW\\sever.exe" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe" | 12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe
  Notes: the value name 360Ö÷¶¯·ÀÓù is the GBK encoding of 360主动防御 ("360 Active Defense", the name of a Qihoo 360 security-suite component), decoded by the en-us sandbox as Windows-1252/Latin-1 text; the entry is named to pass as a legitimate security product. Its data, C:WINDOWS\SHELLNEW\sever.exe, has no backslash after the drive letter, so it is a drive-relative path that resolves against the current directory on C: rather than reliably pointing at the dropped C:\WINDOWS\SHELLNEW\sever.exe. The second entry sets the Run key's unnamed (default) value to the sample's own path in the user's Temp directory. Both entries land under WOW6432Node because the 32-bit sample's registry writes are redirected; Windows processes that Run key at logon as well as the native one, so hunts must cover both.
- Drops file in Windows directory (1 IoC)
  description | ioc | process
  File created | C:\WINDOWS\SHELLNEW\sever.exe | 12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 2524 wrote to memory of 396 | 2524 | 12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe | 82
  PID 2524 wrote to memory of 396 | 2524 | 12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe | 82
  PID 2524 wrote to memory of 396 | 2524 | 12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe | 82
  PID 396 wrote to memory of 4188 | 396 | cmd.exe | 84
  PID 396 wrote to memory of 4188 | 396 | cmd.exe | 84
  PID 396 wrote to memory of 4188 | 396 | cmd.exe | 84
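The two Run-key IoCs above, triaged offline in Python. This is an added example, not tria.ge's code: it parses the "Set value (str)" lines exactly as the report prints them (copied here as constructed input), undoes the Latin-1 mojibake on the value name on the assumption that the sample wrote it under a Chinese GBK code page, and flags the properties a hunter cares about: the WOW6432Node redirection, the empty (default) value name, the drive-relative data path, and execution from the Windows or Temp directory. The RunEntry structure and the flag names are this example's own choices.

```python
"""Offline triage of Run-key persistence IoCs from a sandbox report (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed input: the two "Set value (str)" IoC strings as the report prints
# them (the report escapes backslashes inside the quoted value data).
SAMPLE_IOCS = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360Ö÷¶¯·ÀÓù = "C:WINDOWS\\SHELLNEW\\sever.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe"',
]

# <key>\<value name> = "<data>" ; the value name may be empty (the key's default value).
IOC_RE = re.compile(r'^(?P<key>\\REGISTRY\\\S*\\Run)\\(?P<name>\S*) = "(?P<data>.*)"$')


@dataclass
class RunEntry:
    key: str
    name: str           # value name as the sandbox displayed it
    decoded_name: str   # value name after undoing the mojibake (assumes GBK)
    data: str           # value data with the report's backslash escaping removed
    flags: List[str] = field(default_factory=list)


def decode_mojibake(text: str, codec: str = "gbk") -> str:
    """Undo Latin-1 mojibake: bytes written under a GBK ANSI code page but
    displayed as Latin-1/Windows-1252 on an en-us sandbox. Pure ASCII passes
    through unchanged; undecodable input is returned as-is."""
    try:
        return text.encode("latin-1").decode(codec)
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


def is_drive_relative(path: str) -> bool:
    """True for a path like C:WINDOWS (drive letter, colon, no separator).
    Such a path resolves against the current directory on that drive, so a
    Run entry written this way does not reliably point at the dropped file."""
    return re.match(r"^[A-Za-z]:(?![\\/])", path) is not None


def analyze_run_ioc(line: str) -> RunEntry:
    """Parse one Run-key 'Set value (str)' IoC line and attach triage flags."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"not a Run-key 'Set value' IoC: {line!r}")
    key, name = m.group("key"), m.group("name")
    data = m.group("data").replace("\\\\", "\\")
    entry = RunEntry(key=key, name=name, decoded_name=decode_mojibake(name), data=data)

    if "\\WOW6432Node\\" in key:
        # Written by a 32-bit process via registry redirection; Windows still
        # runs these entries at logon, so a hunt must query this key too.
        entry.flags.append("wow6432node")
    if name == "":
        entry.flags.append("default-value-name")
    if entry.decoded_name != name:
        entry.flags.append("non-ascii-name")
    if is_drive_relative(data):
        entry.flags.append("drive-relative-path")
    body = re.sub(r"^[A-Za-z]:[\\/]?", "", data).lower()
    if body.startswith("windows\\"):
        entry.flags.append("under-windows-dir")
    if "\\appdata\\local\\temp\\" in data.lower():
        entry.flags.append("runs-from-temp")
    return entry


def triage(lines: List[str]) -> List[RunEntry]:
    """Analyze every IoC line and return the entries in input order."""
    return [analyze_run_ioc(line) for line in lines]


if __name__ == "__main__":
    for e in triage(SAMPLE_IOCS):
        shown = e.decoded_name or "(Default)"
        print(f"{shown!r} -> {e.data}  flags={e.flags}")
```

Run it directly to print both entries with their decoded names and flags. On a live host the same checks apply to the output of `reg query` over both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run; the drive-relative and non-ASCII-name conditions are cheap filters that rarely fire on legitimate software.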
Processes
- C:\Users\Admin\AppData\Local\Temp\12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe (PID 2524)
  Command line: "C:\Users\Admin\AppData\Local\Temp\12d41d0a60704d9f45093765c0324abaef34d05a793ecc2ae1140f7ea72922e6.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 396)
    Command line: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 360Ö÷¶¯·ÀÓù /d C:WINDOWS\SHELLNEW\sever.exe /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 4188)
      Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 360Ö÷¶¯·ÀÓù /d C:WINDOWS\SHELLNEW\sever.exe /f
      - Adds Run key to start application

Note: the command line names C:\Windows\system32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, which shows the sample is a 32-bit process subject to file-system redirection; the same redirection sends reg.exe's write to HKLM\SOFTWARE\...\Run into the WOW6432Node key recorded in the Signatures section. The WriteProcessMemory rows are the parent writing into each freshly created child (process creation), not injection into an unrelated process.