Analysis
- max time kernel: 62s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05/06/2023, 13:09
Static task: static1
Behavioral task: behavioral1
- Sample: new project product.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: new project product.exe
- Resource: win10v2004-20230220-en
General
- Target: new project product.exe
- Size: 803KB
- MD5: 4c9d147c42519b53bc1bf6fe9b4233b9
- SHA1: 909c51f7b3bddb96853fce1795eaffd036deedbd
- SHA256: 75084813c3a29787a8329b1dfba9c1865034cae773ead12faed935b9b1e7175f
- SHA512: 4212f4f5c00e16cf146fae6cc52cb969f5d450b16d09c968c2336efb217ef1c21b50011017e47c8750103a9a7b398860b3bcf50d2270414e603f43cf69eb983e
- SSDEEP: 24576:t1U9BqmycgiH75BWp0kNqdMZ4kS5RIPfYF/sKW:tu9Bqmycr7Wp0k8dMZ4kSP0fYF/w
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 672, Process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid 1324, Process new project product.exe (17 IoCs)
  pid 1100, Process powershell.exe (1 IoC)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1324, Process new project product.exe
  Token: SeDebugPrivilege, pid 1100, Process powershell.exe
- Suspicious use of WriteProcessMemory (28 IoCs; 4 IoCs per target)
  description | pid | Process | procid_target
  PID 1324 wrote to memory of 1100 | 1324 | new project product.exe | 28
  PID 1324 wrote to memory of 672 | 1324 | new project product.exe | 30
  PID 1324 wrote to memory of 336 | 1324 | new project product.exe | 32
  PID 1324 wrote to memory of 1972 | 1324 | new project product.exe | 33
  PID 1324 wrote to memory of 1256 | 1324 | new project product.exe | 34
  PID 1324 wrote to memory of 1552 | 1324 | new project product.exe | 35
  PID 1324 wrote to memory of 1328 | 1324 | new project product.exe | 36
Processes
- C:\Users\Admin\AppData\Local\Temp\new project product.exe (depth 1, PID 1324)
  Command line: "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1100)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QcDpjTBHNmJ.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 672)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QcDpjTBHNmJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBBE.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\new project product.exe (depth 2, PID 336)
    Command line: "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  - C:\Users\Admin\AppData\Local\Temp\new project product.exe (depth 2, PID 1972)
    Command line: "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  - C:\Users\Admin\AppData\Local\Temp\new project product.exe (depth 2, PID 1256)
    Command line: "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  - C:\Users\Admin\AppData\Local\Temp\new project product.exe (depth 2, PID 1552)
    Command line: "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  - C:\Users\Admin\AppData\Local\Temp\new project product.exe (depth 2, PID 1328)
    Command line: "C:\Users\Admin\AppData\Local\Temp\new project product.exe"

Reading the tree: the command lines name System32 but the recorded image paths are under SysWOW64, so the parent is a 32-bit process and its children are resolved through WOW64 file system redirection. The Defender exclusion path (QcDpjTBHNmJ.exe under AppData\Roaming) and the scheduled task name (Updates\QcDpjTBHNmJ) share one identifier, and the five child copies of the sample (PIDs 336, 1972, 1256, 1552, 1328) are exactly the targets of the parent's WriteProcessMemory calls listed under Signatures; the sample writes into every child it spawns, the two helper processes included.
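Detection logic for the two command lines and the self-spawn pattern in this report, as an added example that is not part of the tria.ge report or its signature set. It runs three rules over Sysmon-style process-creation events hand-built from the tree above (the ProcEvent record with pid, ppid, image and cmdline is the example's own shape, not a Sysmon schema), plus a constructed benign control. The self-spawn rule generalises the five child copies here to any parent launching several copies of its own image: process-creation telemetry cannot see the WriteProcessMemory calls the sandbox recorded, so the fan-out is the observable.

```python
"""Detection rules for the behaviours in the report above, run over Sysmon-style
process-creation events. Added example: the events are hand-built from the
report's process tree, not a sandbox export."""
import re
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # 0 marks the root of the tree
    image: str      # executable path as recorded by the event source
    cmdline: str    # full command line as recorded by the event source


Finding = tuple  # (rule name, pid, detail)

# Add-MpPreference with any of the three exclusion parameters; captures the
# value whether quoted or bare.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(\"[^\"]*\"|\S+)", re.I)
SCHTASKS_CREATE_RE = re.compile(r"/create\b", re.I)
SCHTASKS_XML_RE = re.compile(r"/xml\s+(\"[^\"]*\"|\S+)", re.I)
SCHTASKS_TN_RE = re.compile(r"/tn\s+(\"[^\"]*\"|\S+)", re.I)


def _unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def defender_exclusion(ev: ProcEvent) -> Optional[Finding]:
    """Defence evasion: a Defender exclusion added from the command line."""
    m = EXCLUSION_RE.search(ev.cmdline)
    return ("defender_exclusion", ev.pid, _unquote(m.group(1))) if m else None


def schtasks_temp_xml(ev: ProcEvent) -> Optional[Finding]:
    """Persistence: schtasks /Create importing its task definition from a Temp
    directory or a .tmp file, as the report shows with tmpFBBE.tmp."""
    if basename(ev.image).lower() != "schtasks.exe":
        return None
    if not SCHTASKS_CREATE_RE.search(ev.cmdline):
        return None
    xml = SCHTASKS_XML_RE.search(ev.cmdline)
    if not xml:
        return None
    xml_path = _unquote(xml.group(1))
    low = xml_path.lower()
    if "\\temp\\" not in low and not low.endswith(".tmp"):
        return None
    tn = SCHTASKS_TN_RE.search(ev.cmdline)
    return ("schtasks_temp_xml", ev.pid, _unquote(tn.group(1)) if tn else xml_path)


def self_spawn(events, threshold: int = 3):
    """A parent that launches several copies of its own image. The threshold keeps
    ordinary multi-process applications (browsers, updaters) below the line."""
    by_pid = {e.pid: e for e in events}
    counts = defaultdict(int)
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image).lower() == basename(e.image).lower():
            counts[parent.pid] += 1
    return [("self_spawn", pid, f"{n} children with the parent's own image")
            for pid, n in counts.items() if n >= threshold]


def scan(events, self_spawn_threshold: int = 3):
    findings = []
    for ev in events:
        for rule in (defender_exclusion, schtasks_temp_xml):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(self_spawn(events, self_spawn_threshold))
    return findings


# Constructed sample: the report's tree (PIDs, images and command lines as shown above).
EXE = r"C:\Users\Admin\AppData\Local\Temp\new project product.exe"
SAMPLE = [
    ProcEvent(1324, 0, EXE, f'"{EXE}"'),
    ProcEvent(1100, 1324, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\QcDpjTBHNmJ.exe"'),
    ProcEvent(672, 1324, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QcDpjTBHNmJ" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpFBBE.tmp"'),
] + [ProcEvent(pid, 1324, EXE, f'"{EXE}"') for pid in (336, 1972, 1256, 1552, 1328)]

# Constructed benign control: reading Defender settings and creating a task
# from command-line switches (no XML file) must not fire.
BENIGN = [
    ProcEvent(500, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'),
    ProcEvent(501, 500, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup" /SC DAILY /TR "C:\Tools\backup.exe"'),
]

if __name__ == "__main__":
    for rule, pid, detail in scan(SAMPLE):
        print(f"{rule:20} pid={pid:<5} {detail}")
```

Against the report's tree the scan returns exactly three findings: the exclusion for QcDpjTBHNmJ.exe from PID 1100, the Updates\QcDpjTBHNmJ task from PID 672, and the five-way self-spawn from PID 1324; the benign control returns none. Image paths are compared by basename so that the SysWOW64/System32 redirection visible in the report does not split one executable into two.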
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: e58d6e9a171725ce1298f7c52f04590e
  SHA1: 1b9aaadfbf4aea88fc6c4b93ded2fae36cb9a124
  SHA256: 7cb533b31789b7b50a3d2b4b3807356870cac54027cb37c772044b85f486caf7
  SHA512: 134b7d1b6121ade1517f3fc40d6ea196bd02dc0fcf44db584788106c30cbea87dcdec89e22a3567f76a54f3aef5b189d69b901627d8eeaef38b2b624e3e39514