Analysis
max time kernel: 163s
max time network: 30s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 07/12/2022, 01:47
Static task
static1
Behavioral task
behavioral1
Sample
e7436b2d8299561e2603956ff1a1a40f891f417d06fee090405f8490416b68df.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
e7436b2d8299561e2603956ff1a1a40f891f417d06fee090405f8490416b68df.exe
Resource
win10v2004-20220812-en
General
Target: e7436b2d8299561e2603956ff1a1a40f891f417d06fee090405f8490416b68df.exe
Size: 171KB
MD5: b8ee9b78c4ade258a67385d69732ae3d
SHA1: 2ae775c66d9bdf78563fd82a054f6eb1a3426aae
SHA256: e7436b2d8299561e2603956ff1a1a40f891f417d06fee090405f8490416b68df
SHA512: 534700a5d98c580d4cbc64ad6b942a64987b929e06166df681ca6721a35baac6b6b1bb2e34968d688852b3def74e0ac9d840a11d951674ac6c8a9537d09ad0ca
SSDEEP: 3072:3JLkeg9pVM1orjoB+EgZuurc1qVel1/SB85CaHBtx3GOen6cF:5Lo3VMUjD1mwoj/SB85CaHBP9en1
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid Process: 772 suxbtjf.exe
Drops file in Program Files directory (1 IoC)
description ioc Process: File created C:\PROGRA~3\Mozilla\suxbtjf.exe e7436b2d8299561e2603956ff1a1a40f891f417d06fee090405f8490416b68df.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process: 772 suxbtjf.exe; 1204 Explorer.EXE (repeated 63 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid Process: 1204 Explorer.EXE
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description pid Process: Token: SeDebugPrivilege 772 suxbtjf.exe; Token: SeDebugPrivilege 1204 Explorer.EXE; Token: SeShutdownPrivilege 1204 Explorer.EXE
Suspicious use of UnmapMainImage (2 IoCs)
pid Process: 1948 e7436b2d8299561e2603956ff1a1a40f891f417d06fee090405f8490416b68df.exe; 772 suxbtjf.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 688 wrote to memory of 772 | 688 | taskeng.exe | 29 (repeated 4 times)
PID 772 wrote to memory of 1204 | 772 | suxbtjf.exe | 18
Processes
C:\Users\Admin\AppData\Local\Temp\e7436b2d8299561e2603956ff1a1a40f891f417d06fee090405f8490416b68df.exe
"C:\Users\Admin\AppData\Local\Temp\e7436b2d8299561e2603956ff1a1a40f891f417d06fee090405f8490416b68df.exe"
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1948

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\taskeng.exe
taskeng.exe {C05E848A-9A9A-4785-91D8-D3F6DD1E1B99} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
PID:688
  C:\PROGRA~3\Mozilla\suxbtjf.exe
  C:\PROGRA~3\Mozilla\suxbtjf.exe -wukznwj
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:772
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 171KB
MD5: cbc97d598b7f365d9226659432d090a6
SHA1: 05a3513908a460c350813b46c873e03cdf51bbe7
SHA256: b1acef82f6c2794ba218bfb69ecb62ca56b0d815d5142a3785eb754522c6a702
SHA512: 44aa71ffda6432d5d56467dd0e2d90d78ba2adcb7b386ea85fdf9ba90c313f2a53b17f05370a2896e543dd36165422d2932a73e141a076e04f917d71eb16854f