Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
18s -
max time network
24s -
platform
windows7_x64 -
resource
win7-20230703-en -
resource tags
arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system -
submitted
12/07/2023, 12:54
Static task
static1
Behavioral task
behavioral1
Sample
ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe
Resource
win10v2004-20230703-en
Errors
General
-
Target
ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe
-
Size
690KB
-
MD5
e12dc94a46521e39e3555972381650d7
-
SHA1
526ec5384befc08a85cf5c32e992d2bf078fe354
-
SHA256
ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470
-
SHA512
4f611f4c0cccb8e2fbd015487352220507e7157822922dd20609dc30c6ad70029e055d101d3f5739a83419923d5a33222b5c0103c6e1f5133e3460e3c825e79c
-
SSDEEP
12288:jZKzOxunS7PnHbFwU+QhG6puk8mjI03zFF5dG2PNW9xkzWTjkejSOmTdzToeD1pU:jZKG7l6XAWTjkejlmZnppd2
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acoustica.lnk cscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 2264 timeout.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeShutdownPrivilege 240 shutdown.exe Token: SeRemoteShutdownPrivilege 240 shutdown.exe Token: 33 2144 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2144 AUDIODG.EXE Token: 33 2144 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2144 AUDIODG.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2292 wrote to memory of 3020 2292 ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe 27 PID 2292 wrote to memory of 3020 2292 ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe 27 PID 2292 wrote to memory of 3020 2292 ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe 27 PID 3020 wrote to memory of 3060 3020 cmd.exe 29 PID 3020 wrote to memory of 3060 3020 cmd.exe 29 PID 3020 wrote to memory of 3060 3020 cmd.exe 29 PID 2292 wrote to memory of 2816 2292 ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe 31 PID 2292 wrote to memory of 2816 2292 ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe 31 PID 2292 wrote to memory of 2816 2292 ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe 31 PID 2816 wrote to memory of 2940 2816 cmd.exe 32 PID 2816 wrote to memory of 2940 2816 cmd.exe 32 PID 2816 wrote to memory of 2940 2816 cmd.exe 32 PID 2940 wrote to memory of 2264 2940 cmd.exe 34 PID 2940 wrote to memory of 2264 2940 cmd.exe 34 PID 2940 wrote to memory of 2264 2940 cmd.exe 34 PID 2940 wrote to memory of 240 2940 cmd.exe 35 PID 2940 wrote to memory of 240 2940 cmd.exe 35 PID 2940 wrote to memory of 240 2940 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe"C:\Users\Admin\AppData\Local\Temp\ae09d492ad1f9c8589dd93af19d7655051fb890d1710259bba0453515d701470.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\oTTVRU.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\system32\cscript.execscript C:\Users\Admin\AppData\Local\Temp\TsytwEo.vbs3⤵
- Drops startup file
PID:3060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\UNZPQQXM.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\UNZPQQXM.bat3⤵
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\system32\timeout.exetimeout /t 104⤵
- Delays execution with timeout.exe
PID:2264
-
-
C:\Windows\system32\shutdown.exeshutdown /r /t 04⤵
- Suspicious use of AdjustPrivilegeToken
PID:240
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2812
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1d81⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:2600
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
263B
MD59301ff72fcd4ffce2866b79f5cd95476
SHA1802311e106373b9f9a0307ad3fd4c86baeadc144
SHA25661a3c5c0a0005dfec62a3d6810225054785790a5cfccefbf1a4688cf6c1bcda8
SHA5126a71e06a168ac5cd9468eb751fd630e331a22483cded6060aa1a5147066775de5b28c2f7e245550bc364b25c39965d826cbf6aebaa3b15eecce7016ec9b886a9
-
Filesize
582B
MD57c4e9efd6e81d26cd0090e39ebaf8d01
SHA1af56bec86065ffb82960b1a2758d67e9f787ece5
SHA25629d8d8e044f4cd78d366443f585b83efe98ddc320b777be08fe6d1b4d922c886
SHA512c44a36967fc7f6a078ae0ba2abe407013ee7190763de3bbf35013b958a76040a1829581f448fc2ebef7eed4a66c6af0c6d350fba43f3e1f5ed85e53195715534
-
Filesize
44B
MD5e04f000c162860777360b3c135dcb86f
SHA1dcfaa535a33309cf3c435a6a4eaa3737d1eb7ad5
SHA25666ad9e8bd3303f0865f43f275865c18969c83cd7162b540e5cde753aca9e4e58
SHA512e73b3605dfa0fc3e2f9c5bb80e47abcf47361effed09f1e2efcb01e9799f900d594908d6e731056540817b1b9b8deaf47510b1f92a8e25c86e6b207e3a995ea9