Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    43s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29/10/2022, 12:03

General

  • Target

    438de44abdd1a89fbdd49cb37aa128f0cb4bc951eca89b850bd6d31f545571dc.exe

  • Size

    176KB

  • MD5

    083842ada9573818eb34522949d44c18

  • SHA1

    db9940e0ff5eb8a687d80c48b067a7da1b80df3f

  • SHA256

    438de44abdd1a89fbdd49cb37aa128f0cb4bc951eca89b850bd6d31f545571dc

  • SHA512

    bcf22a4db08be55c8c886ff9053cf6dcea7c318f71132bf8e58fd3dbc11901e29e00a5dc0e9c6ef67c616789622522082dc5619b226e4a02314e46f48ce6c0f2

  • SSDEEP

    3072:AoFvujbjlMi1RTGCA/bziy9tvzhir77uyeTZPh6GHYJsaM7d0:FFvuvjlM4T6bziyjvzMdethd4JZMp0

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\438de44abdd1a89fbdd49cb37aa128f0cb4bc951eca89b850bd6d31f545571dc.exe
    "C:\Users\Admin\AppData\Local\Temp\438de44abdd1a89fbdd49cb37aa128f0cb4bc951eca89b850bd6d31f545571dc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /pid 2024 & for /l %x in (1,1,60) do ping 127.0.0.1 -n 2 -w 500 & del /q /f "C:\Users\Admin\AppData\Local\Temp\438de44abdd1a89fbdd49cb37aa128f0cb4bc951eca89b850bd6d31f545571dc.exe" & if not exist "C:\Users\Admin\AppData\Local\Temp\438de44abdd1a89fbdd49cb37aa128f0cb4bc951eca89b850bd6d31f545571dc.exe" exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /pid 2024
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1800
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2 -w 500
        3⤵
        • Runs ping.exe
        PID:1152

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

    Filesize

    8KB