Analysis
  max time kernel: 151s
  max time network: 41s
  platform: windows7_x64
  resource: win7-20220812-en
  resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted: 19/10/2022, 23:04
Static task: static1
Behavioral task: behavioral1
  Sample: 403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe
  Resource: win10v2004-20220812-en
General
  Target: 403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe
  Size: 171KB
  MD5: 82e49b3a536412fc0ce63bcbab060cef
  SHA1: 553a87bcb033f71c4220e1317ea3d4cc05c27558
  SHA256: 403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50
  SHA512: ca78e9868a6234b3ba1d178e45d879b18fb26052ad228a18e6a97002cfcd3b048f30f7993331ecd55705eedbd2c96ad866970759686b8d78fbe07b0791869ab5
  SSDEEP: 1536:TA31uITEB3OxdafOgzS8Wk5VSqm9fe8mn9NdZ66GV8WDF4dhyW0MUwtHR/9HRgwr:TC12+r9mSLkyd92cD6jCMZ9tDPt1
Malware Config
Signatures
  - Executes dropped EXE (1 IoC)
      pid    Process
      1796   jwufxge.exe
  - Drops file in Program Files directory (1 IoC)
      description    ioc                                Process
      File created   C:\PROGRA~3\Mozilla\jwufxge.exe    403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe
  - Suspicious behavior: EnumeratesProcesses (64 IoCs)
      pid    Process
      1796   jwufxge.exe
      1400   Explorer.EXE   (repeated for the remaining 63 IoCs)
  - Suspicious use of AdjustPrivilegeToken (2 IoCs)
      description               pid    Process
      Token: SeDebugPrivilege   1796   jwufxge.exe
      Token: SeDebugPrivilege   1400   Explorer.EXE
  - Suspicious use of UnmapMainImage (2 IoCs)
      pid    Process
      1928   403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe
      1796   jwufxge.exe
  - Suspicious use of WriteProcessMemory (5 IoCs)
      description                         pid    Process       procid_target
      PID 1316 wrote to memory of 1796    1316   taskeng.exe   27   (4 occurrences)
      PID 1796 wrote to memory of 1400    1796   jwufxge.exe   20
Processes
  C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1400
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    child: C:\Users\Admin\AppData\Local\Temp\403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\403daa39886c0f06acd2663416f929b07f185d728bf67abd8424e273dcfddb50.exe"
      PID: 1928
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
  C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {5E7CD9E2-29A2-4BFA-85E5-7C2A0A00C7A1} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
    PID: 1316
    - Suspicious use of WriteProcessMemory
    child: C:\PROGRA~3\Mozilla\jwufxge.exe
      command line: C:\PROGRA~3\Mozilla\jwufxge.exe -kqepohf
      PID: 1796
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 171KB
  MD5: 6df6995325aca0035e190e02dd3a4242
  SHA1: fa9e423e00aa61b57aa97a0df4e8624f45015637
  SHA256: 1856005c0c713d9fb9ac1bbcb603e74eb0bb325d9f37d7b156467350e848b395
  SHA512: 7236a4c3cd07af7466ba5434a2b4e83c0f832424c8363c25e2f2d67ecf2a1260a45d0a45288e980d2448ca0af914dbc101959ac6ba6fb1b6365db2cfcfacb6e5