Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
24/11/2022, 10:37
221124-mn9nhsgg76 124/11/2022, 10:33
221124-mlpwbsgf33 124/11/2022, 10:30
221124-mjs5zabe6s 124/11/2022, 10:26
221124-mg13ssgd25 1Analysis
-
max time kernel
150s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
24/11/2022, 10:37
Static task
static1
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20220812-en
windows7-x64
7 signatures
150 seconds
General
-
Target
Server.exe
-
Size
150KB
-
MD5
0f367fce0c77e594ec09f105ded2503a
-
SHA1
fba1dd99300e2c9d574a4afa976590b6da35ee50
-
SHA256
120edd37142c24d17472137c608220220a4efb595d42a991efd498ac30339b4e
-
SHA512
a8a6d855805f9e223478191577bbe981d09b988fdb20c64fa62431587b122424b2d868f82feaeb3e5be6e4aa49ccc3cf842c592ead2d8c645f497f1b69764f3f
-
SSDEEP
3072:+FhkwDd+B2lf1oJWT9RMkjWyqQuRN4GepKsqL4:+Pk0d+Bo6JWT93q9/4
Score
1/10
Malware Config
Signatures
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 1648 Server.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1748 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: 33 588 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 588 AUDIODG.EXE Token: 33 588 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 588 AUDIODG.EXE Token: SeDebugPrivilege 1748 taskmgr.exe -
Suspicious use of FindShellTrayWindow 32 IoCs
pid Process 1220 dw20.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe 1748 taskmgr.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1736 wrote to memory of 1464 1736 Server.exe 29 PID 1736 wrote to memory of 1464 1736 Server.exe 29 PID 1736 wrote to memory of 1464 1736 Server.exe 29 PID 1736 wrote to memory of 1464 1736 Server.exe 29 PID 1544 wrote to memory of 1648 1544 cmd.exe 36 PID 1544 wrote to memory of 1648 1544 cmd.exe 36 PID 1544 wrote to memory of 1648 1544 cmd.exe 36 PID 1544 wrote to memory of 1648 1544 cmd.exe 36 PID 1648 wrote to memory of 1220 1648 Server.exe 37 PID 1648 wrote to memory of 1220 1648 Server.exe 37 PID 1648 wrote to memory of 1220 1648 Server.exe 37 PID 1648 wrote to memory of 1220 1648 Server.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 4442⤵PID:1464
-
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" shell32.dll,Options_RunDLL 01⤵PID:516
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:872
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4c01⤵
- Suspicious use of AdjustPrivilegeToken
PID:588
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\Server.exeserver.exe2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 4443⤵
- Suspicious use of FindShellTrayWindow
PID:1220
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1748