Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 146s
max time network: 143s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28/03/2023, 18:41
Behavioral task
behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
4 signatures
150 seconds
General
Target: tmp.exe
Size: 35KB
MD5: aa1ad291d5d8c8a85d67fdebda00274f
SHA1: d95247076cb691c52473fabcce13dcc481ae11aa
SHA256: 9668fa123ac5d63243a973a70418c32c6405b636d54c8705d6656c3be4969ae5
SHA512: c00c191f50ce72128d71ee28d06f8800c590e03b0cfde5f8c0c46af6edf51c54bc85cc6bb128f4ce5ff0ae9e533628eabe587e52cd5c1aae12a96ac422d86da4
SSDEEP: 384:81ThpqXsIUe603z2hp0JIwkLO41KKuDXzBXslXVf+gtF1BLTiZw/WNnvK9IIku8M:8i2hp0KfObKeYXV/F39efOO9hI3vxME
Malware Config
Extracted
Family: xworm
C2: 20.56.93.201:1604
Mutex: LsHrpmVtuRP6SOPB
Attributes
install_file: USB.exe
aes.plain
Signatures
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.lnk | tmp.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.lnk | tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The sentence above is the sandbox's generic description for this signature, not a finding specific to this sample: nothing else in the report shows file encryption, and the extracted config's install_file value (USB.exe) points to removable-drive propagation, which also requires enumerating attached drives and so triggers the same signature.
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1276 | tmp.exe
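The three signatures above, re-expressed as detection logic that can be replayed over host telemetry from other machines. This is an added example, not code from tria.ge or from the sample; the indicators (C2 address and port, Startup-folder .lnk path, SeDebugPrivilege) are taken from the report, while the event shapes (Sysmon EventID 11 FileCreate, Sysmon EventID 3 NetworkConnect, Windows Security EventID 4703 user-right adjustment) and the sample events are assumptions constructed for the demonstration. The two-signature threshold in verdict() is a design choice: a single Startup-folder shortcut is also what every installer with a tray agent drops.

```python
"""Replay the report's signatures over host telemetry to triage other machines."""
import re
from collections import defaultdict

# Indicators copied from the report above (C2 from the extracted config,
# Startup-folder .lnk from the "Drops startup file" IoC table).
C2_HOST, C2_PORT = "20.56.93.201", 1604
STARTUP_LNK = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
    re.IGNORECASE,
)


def classify(event):
    """Return the signature names a single event triggers (empty list if none).

    Assumed event shapes (not from the report): Sysmon EventID 11 (FileCreate) with
    TargetFilename, Sysmon EventID 3 (NetworkConnect) with DestinationIp/DestinationPort,
    and Windows Security EventID 4703 (user right adjusted) with EnabledPrivilegeList.
    """
    eid = event.get("EventID")
    hits = []
    if eid == 11 and STARTUP_LNK.search(event.get("TargetFilename", "")):
        hits.append("drops_startup_file")
    if eid == 3 and event.get("DestinationIp") == C2_HOST and event.get("DestinationPort") == C2_PORT:
        hits.append("xworm_c2_connect")
    if eid == 4703 and "SeDebugPrivilege" in event.get("EnabledPrivilegeList", ""):
        hits.append("enables_sedebugprivilege")
    return hits


def triage(events):
    """Group hits by the process that produced them: {image path: sorted signature names}."""
    per_image = defaultdict(set)
    for ev in events:
        # Sysmon carries the process path in Image, Security 4703 in ProcessName.
        image = ev.get("Image") or ev.get("ProcessName") or "<unknown>"
        for hit in classify(ev):
            per_image[image].add(hit)
    return {image: sorted(hits) for image, hits in per_image.items()}


def verdict(events):
    """Flag processes that persist via the Startup folder AND show at least one more
    of the report's behaviours; a lone Startup shortcut is too common to alert on."""
    return sorted(image for image, hits in triage(events).items()
                  if "drops_startup_file" in hits and len(hits) >= 2)


# Constructed sample telemetry (not captured from the sandbox run): three events
# mirroring the report's sample, plus two benign ones, one of which drops a
# Startup shortcut legitimately and must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.lnk"},
    {"EventID": 3, "Image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "DestinationIp": "20.56.93.201", "DestinationPort": 1604},
    {"EventID": 4703, "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vendor Agent.lnk"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(image, hits)
    print("flagged:", verdict(SAMPLE_EVENTS))
```

Run as-is it lists setup.exe with only the Startup-file hit and tmp.exe with all three, and flags tmp.exe alone. To use it on real data, map your SIEM's field names onto the keys in classify(); the mutex from the config (LsHrpmVtuRP6SOPB) is not visible in these event types and is better checked with a handle enumeration on a live host.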