Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 26s
max time network: 31s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 15/06/2023, 13:52
Static task: static1
Behavioral task: behavioral1
  Sample: KMS Tools Unpack.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: KMS Tools Unpack.exe
  Resource: win10v2004-20230220-en
General
Target: KMS Tools Unpack.exe
Size: 57.4MB
MD5: ae2a3c825cbf294b8adedcdba6a03687
SHA1: d2ceea4520a4fb42fc4088ea57d5a13b050cced3
SHA256: 86df099097923f9e0dcf31e78f0d3271f9a918726a206624f8fd510a8077d315
SHA512: 82a67731e51d1d9248b8148db7e669182327cc7edd0b28d232421b9d523db3601d58d332f890fc360c1051f3dd1a6eafd5f12d77942747ef6632419a14ac031d
SSDEEP: 1572864:Nx1y8kFxSBqccESbNnPPvitf4QNI2C17ZT:NGHSDcESbx+RNI2C/T
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  1636  cmd.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  868   PING.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process               procid_target
  PID 2040 wrote to memory of 1636  2040  KMS Tools Unpack.exe  28   (reported 4x)
  PID 1636 wrote to memory of 532   1636  cmd.exe               30   (reported 4x)
  PID 1636 wrote to memory of 868   1636  cmd.exe               31   (reported 4x)
  Every target here is the writer's own direct child (compare the Processes tree below): these are parent-to-child writes at process creation, not writes into an unrelated process, so on their own they do not indicate injection.
Processes
C:\Users\Admin\AppData\Local\Temp\KMS Tools Unpack.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\KMS Tools Unpack.exe"
  PID: 2040
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat
    PID: 1636
    signatures: Deletes itself; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\chcp.com  (depth 3)
      command line: chcp 65001
      PID: 532
    C:\Windows\SysWOW64\PING.EXE  (depth 3)
      command line: ping -n 1 localhost
      PID: 868
      signatures: Runs ping.exe
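The chain in the process tree above (the sample launches cmd.exe /c on a .bat in its own %TEMP% directory, and that batch runs chcp 65001 and then ping -n 1 localhost) is the usual batch-file self-delete idiom: the ping is a short delay so the parent executable has exited and released its file lock before the batch deletes it. The report does not show the batch contents or a file-delete event, so a detection has to key on the launch pattern. The following is an added detection example, not part of the tria.ge report or of the sample; the process records are constructed from the PIDs, image paths and command lines shown above, and the PPID of 0 for the sample, the function names and the confidence labels are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


# Constructed input modelled on the Processes section of the report:
# (pid, ppid, image path, command line). The report does not show the
# sample's own parent, so PPID 0 is assumed for it.
EVENTS: List[Tuple[int, int, str, str]] = [
    (2040, 0, r"C:\Users\Admin\AppData\Local\Temp\KMS Tools Unpack.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\KMS Tools Unpack.exe"'),
    (1636, 2040, r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat"),
    (532, 1636, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    (868, 1636, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 1 localhost"),
]

# "cmd /c <path>.bat" or ".cmd", with or without quotes around the path
BAT_ARG = re.compile(r'(?i)/c\s+"?(?P<bat>[^"]*?\.(?:bat|cmd))\b')
# ping used as a sleep: "-n <count>" against the loopback host
PING_DELAY = re.compile(
    r"(?i)\bping(?:\.exe)?\b(?=.*\s-n\s+\d+)(?=.*\b(?:localhost|127\.0\.0\.1)\b)"
)
TEMP_DIR = "\\appdata\\local\\temp\\"  # lower-cased; compared against lower-cased paths


def build_tree(events) -> Dict[int, Proc]:
    """Index processes by PID and attach each one to its parent's children list."""
    procs = {pid: Proc(pid, ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None:
            parent.children.append(p)
    return procs


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_self_delete(events) -> List[dict]:
    """Flag cmd.exe instances that run a batch file out of %TEMP%; raise the
    confidence when the launching parent also lives in %TEMP% and the batch
    spawns a ping-based delay, which is the chain seen in the report."""
    procs = build_tree(events)
    findings = []
    for cmd in procs.values():
        if basename(cmd.image) != "cmd.exe":
            continue
        m = BAT_ARG.search(cmd.cmdline)
        if m is None or TEMP_DIR not in m.group("bat").lower():
            continue
        parent: Optional[Proc] = procs.get(cmd.ppid)
        parent_in_temp = parent is not None and TEMP_DIR in parent.image.lower()
        ping_delay = any(PING_DELAY.search(c.cmdline) for c in cmd.children)
        findings.append({
            "cmd_pid": cmd.pid,
            "batch": m.group("bat"),
            "parent_pid": cmd.ppid,
            "parent_image": parent.image if parent is not None else None,
            "parent_in_temp": parent_in_temp,
            "ping_delay": ping_delay,
            "confidence": "high" if (parent_in_temp and ping_delay) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_self_delete(EVENTS):
        print(finding)
```

Run against the constructed records this yields one high-confidence finding for PID 1636, with PID 2040 as the parent and SelfDelete.bat as the batch. In a real pipeline the confirming signal is a file-delete event on the parent's image path after the parent exits; the report here does not include file events, so the example stops at the launch pattern. The chcp 65001 child is a code-page switch and is not used as a signal.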
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (listed twice in the report, both entries with identical hashes)
  Filesize: 189B
  MD5: db8d403e39ca27397567664e7065b91f
  SHA1: a438727f76b164bb718995acf6beebef0811983c
  SHA256: 2bc60df097abf251ae1a9f50d7d0e2ac3dd6900efed71796db1c1b585b021ca6
  SHA512: 516295b33c817b789865e5c1fa4aa8870e61a80e5695460d0ff878ab05f58129c8d6cefa71148022c64ba220806ec540a6e3839f6ca7a9336885440cc2a1cfcf