Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 4s
max time network: 14s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2022, 11:20
Static task: static1

Behavioral task: behavioral1
  Sample: testlnk.exe
  Resource: win7-20220812-en
  5 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: testlnk.exe
  Resource: win10v2004-20220812-en
  3 signatures, 150 seconds
General
Target: testlnk.exe
Size: 2.4MB
MD5: 30757d645e25fb8ee4871ceface19772
SHA1: e21abb5ecefd8f9c9ad5f30c27ef3de913b47ed2
SHA256: 53a346abbdc2c926034a024aee8a4b794edb4430826489486ad0dc46d1352d41
SHA512: 226f96d3d36e70788a9b2019331fd29cbabfad994c31f3fda09d02304b246638caabf5623e66e870e3f9077f170286fa9cf4693f266be3a1dd17dc130f2378df
SSDEEP: 49152:lIgOhjpeuUTmDyXv2KT0MIrCHvn9MJ7Im7uAYHsJd0ChzzI7MVHvwWjNM:lIgOhjpeuUTmDKvG4viGm6qdU0HFNM
Score: 7/10
Malware Config
Signatures
- Uses the VBS compiler for execution (1 TTPs)

- Suspicious use of SetThreadContext (1 IoCs)
    description                              pid   process      procid_target
    PID 1672 set thread context of 99848     1672  testlnk.exe  28

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
    pid    process
    99848  vbc.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description              pid    process
    Token: SeDebugPrivilege  99848  vbc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
    description                          pid   process      procid_target
    PID 1672 wrote to memory of 99848    1672  testlnk.exe  28
    PID 1672 wrote to memory of 99848    1672  testlnk.exe  28
    PID 1672 wrote to memory of 99848    1672  testlnk.exe  28
    PID 1672 wrote to memory of 99848    1672  testlnk.exe  28
    PID 1672 wrote to memory of 99848    1672  testlnk.exe  28
    PID 1672 wrote to memory of 99848    1672  testlnk.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\testlnk.exe (PID 1672)
  command line: "C:\Users\Admin\AppData\Local\Temp\testlnk.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 99848, child of 1672)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken