Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
28/08/2023, 14:12
Static task
static1
Behavioral task
behavioral1
Sample
8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe
Resource
win10v2004-20230703-en
General
-
Target
8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe
-
Size
11.7MB
-
MD5
36fc4ec9eaeb5a5b581c8df72602eb01
-
SHA1
7e94bb9dfcadad94451fcd00ac026f0d1494899f
-
SHA256
8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc
-
SHA512
d514646c2ad0919d60171e9be2fd5ce6d5735058b4a52c5de32106010516931d8b119b304ec2ca3c5757c656a8a6f39c40128589b7e853493c379e4e8ee8b683
-
SSDEEP
196608:9hpnuJC5jcOtHkMcHZv3T356NFLOyomFHKnP:9nnuJC5j7t1c5v3z5QF
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 820 netsh.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 4224 8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe 4224 8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe 4224 8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 4224 8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4224 8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe 4224 8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4224 wrote to memory of 820 4224 8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe 84 PID 4224 wrote to memory of 820 4224 8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe 84 PID 4224 wrote to memory of 2164 4224 8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe 83 PID 4224 wrote to memory of 2164 4224 8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe"C:\Users\Admin\AppData\Local\Temp\8a40dd0397c97822358d0baf5ecef10a5e62a148d1501a095d2e5a690a5cbbbc.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SYSTEM32\netsh.exenetsh winsock reset2⤵PID:2164
-
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall set opmode disable2⤵
- Modifies Windows Firewall
PID:820
-