Analysis
max time kernel: 135s
max time network: 150s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29/11/2022, 12:53
Behavioral task: behavioral1
Sample: 85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
Resource: win7-20220901-en
General
Target: 85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
Size: 292KB
MD5: 7d28a193f98076e664e867465f8e3036
SHA1: 436149160a074611e1a37e575e36cc0e73a6ad10
SHA256: 85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a
SHA512: 924d277c4e4f2b24e9ae9056cc8b29a734d0b0000f6bb90356070b9ea117398619d312cb913a586296ff6091f88142d8198cf58b45e104c325a60f0d7fdb7ffb
SSDEEP: 6144:qDxBj6B6kQu1WTminflPN80PxpkJP9sF2GtxvEvCOw5bImJIU:r6k+Tmin80PPesFFxMv2BImGU
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid: 1200  Process: Hacker.com.cn.exe
yara_rule: upx
  resource: behavioral1/memory/1768-55-0x0000000000400000-0x000000000051401B-memory.dmp
  resource: behavioral1/files/0x000b00000001231c-56.dat
  resource: behavioral1/files/0x000b00000001231c-59.dat
yara_rule: vmprotect
  resource: behavioral1/memory/1768-55-0x0000000000400000-0x000000000051401B-memory.dmp
  resource: behavioral1/files/0x000b00000001231c-56.dat
  resource: behavioral1/files/0x000b00000001231c-59.dat
Deletes itself (1 IoC)
  pid: 1668  Process: cmd.exe
Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe  Process: 85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
  File opened for modification: C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe  Process: 85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
Drops file in Windows directory (1 IoC)
  File created: C:\Windows\uninstal.bat  Process: 85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid: 1768  Process: 85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
  Token: SeDebugPrivilege  pid: 1200  Process: Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid: 1200  Process: Hacker.com.cn.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1200 wrote to memory of 1812  Process: 1200 Hacker.com.cn.exe  procid_target: 28  (4 identical entries)
  PID 1768 wrote to memory of 1668  Process: 1768 85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe  procid_target: 29  (7 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a.exe"
   PID: 1768
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\uninstal.bat
      PID: 1668
      - Deletes itself
1. C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe
   Command line: "C:\Program Files (x86)\HgzServer\Hacker.com.cn.exe"
   PID: 1200
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      PID: 1812
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 292KB
MD5: 7d28a193f98076e664e867465f8e3036
SHA1: 436149160a074611e1a37e575e36cc0e73a6ad10
SHA256: 85486af7b9135ac8835c6e3a55cba22290b3f1c225220c1edeaa83e917690f8a
SHA512: 924d277c4e4f2b24e9ae9056cc8b29a734d0b0000f6bb90356070b9ea117398619d312cb913a586296ff6091f88142d8198cf58b45e104c325a60f0d7fdb7ffb
Filesize: 254B
MD5: ab4917dddcb1b2ff51aaea673379c6e0
SHA1: c82758e9d6439a4021d63406e9cb7b13dbe35fc8
SHA256: 5a230b7d6c655c1c575e8adf38b3c0d19ee8afac1177a0f5a2e373a4d3956ee1
SHA512: 9544ab85fd16e1ce4c09785e0863a6d2640707cde3c866ebdf71409c6132e9c367bc7e48e942f9c8c58e66cacc27698c3310928ee5321146f3c9794a3dd26d4c