Analysis
- max time kernel: 84s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03/02/2023, 11:05
Static task
- static1

Behavioral task
- behavioral1
  Sample: cdb75538c7adc7829a93cdf9a27c1fd7.exe
  Resource: win7-20221111-en

Behavioral task
- behavioral2
  Sample: cdb75538c7adc7829a93cdf9a27c1fd7.exe
  Resource: win10v2004-20220812-en
General
- Target: cdb75538c7adc7829a93cdf9a27c1fd7.exe
- Size: 3.0MB
- MD5: cdb75538c7adc7829a93cdf9a27c1fd7
- SHA1: 2e5ff4e8f2b4b087ccc7f4cb2ad59d4c3617a0c9
- SHA256: dd218eb78e26587e43df5f00ff3ad87e23154c672615309a193a657323b62e20
- SHA512: f6eab79f9ba0111608ddc3b81b57224e5ccc86f2a4b3f14a11ef627a2d44f6539c061d5bcad7a68f7df0c05bbcb14d0285bfa508085233075452a3a75d1671d4
- SSDEEP: 98304:k5Sh7zrcGtirr9gIKvvwPDxISVNImdJ3R9/4:WAXrjtirrGIyYTD3R9A
Malware Config
Signatures
- Detect PureCrypter injector (1 IoC)
  resource                                                                    yara_rule
  behavioral1/memory/1248-55-0x000000001FCC0000-0x000000001FFA6000-memory.dmp  family_purecrypter

- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  676   powershell.exe
  1248  cdb75538c7adc7829a93cdf9a27c1fd7.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   1248  cdb75538c7adc7829a93cdf9a27c1fd7.exe
  Token: SeDebugPrivilege   676   powershell.exe
  Token: SeDebugPrivilege   1248  cdb75538c7adc7829a93cdf9a27c1fd7.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                               procid_target
  PID 1248 wrote to memory of 676    1248  cdb75538c7adc7829a93cdf9a27c1fd7.exe  28
  PID 1248 wrote to memory of 676    1248  cdb75538c7adc7829a93cdf9a27c1fd7.exe  28
  PID 1248 wrote to memory of 676    1248  cdb75538c7adc7829a93cdf9a27c1fd7.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\cdb75538c7adc7829a93cdf9a27c1fd7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cdb75538c7adc7829a93cdf9a27c1fd7.exe"
   PID: 1248
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgA1AA==
      (the -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 65)
      PID: 676
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken