Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 126s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12/10/2023, 12:08
Static task: static1
Behavioral task: behavioral1
  Sample: 8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe
  Resource: win10v2004-20230915-en
General
Target: 8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe
Size: 62KB
MD5: afb5cb7872e1e15ccda5de2ee406947d
SHA1: 6342e47ff907e9f4f51fd599a6347156b2fe24e3
SHA256: 8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09
SHA512: d67c9ce4573ce9cf46c41f65af494d8cf8a9c3bdc17b5ff06180ce8a35bf974c3177218af52b60c21d7c9c257f2ae34396d35bbbe79bb5d2976a91bf787eec0a
SSDEEP: 768:iys4UQyEqmqAivieRl7wHjVwPd8Ni7ClGFJKd:miyEqmsxzujwZrF6
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1948, process powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 1948, process powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2184 wrote to memory of 1892 | 2184 | 8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe | 29
  PID 2184 wrote to memory of 1892 | 2184 | 8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe | 29
  PID 2184 wrote to memory of 1892 | 2184 | 8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe | 29
  PID 1892 wrote to memory of 1948 | 1892 | cmd.exe | 30
  PID 1892 wrote to memory of 1948 | 1892 | cmd.exe | 30
  PID 1892 wrote to memory of 1948 | 1892 | cmd.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe (PID 2184)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe"
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe (PID 1892)
      Command line: C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\temps1\temp1.ps1"
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1948)
         Command line: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\temps1\temp1.ps1"
         Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
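The process tree above is the part of this report worth turning into detection logic: an executable running from the user's Temp directory spawns cmd.exe, which spawns powershell.exe with -ExecutionPolicy Bypass -File pointing at a script staged under AppData\Roaming. The EnumeratesProcesses and SeDebugPrivilege signatures on powershell.exe are low-specificity on their own, so the example below keys on the launch chain instead. This is an added example, not part of the tria.ge report: the events are constructed from the Processes section (same PIDs, images and command lines) plus one benign control row, and the pid/ppid/image/cmdline record layout is an assumed, simplified process-creation event shape (Sysmon Event 1 / Security 4688 style), not tria.ge's export format.

```python
"""Detection logic for the launch chain in the report above.

Added example, not part of the tria.ge report. Events are constructed from
the report's Processes section plus one benign control; the field layout is
an assumed simplified process-creation record, not tria.ge's export format."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None when the parent is outside the capture
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8b72a2bbad31865b134a9ec86398f4a6d5cd6fe1c8080efe2e949cdfd06b2e09.exe")
SCRIPT = r"C:\Users\Admin\AppData\Roaming\temps1\temp1.ps1"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the report; the sample's own parent is not shown there.
EVENTS: List[ProcEvent] = [
    ProcEvent(2184, None, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1892, 2184, r"C:\Windows\system32\cmd.exe",
              rf'C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File "{SCRIPT}"'),
    ProcEvent(1948, 1892, PS_IMAGE,
              rf'powershell.exe -ExecutionPolicy Bypass -File "{SCRIPT}"'),
    # Benign control (constructed): script under Program Files, no Bypass, parent not captured.
    ProcEvent(3001, 3000, PS_IMAGE, r'powershell.exe -File "C:\Program Files\Vendor\maint.ps1"'),
]

# User-writable staging locations that both the dropper and the script live in.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
# -ExecutionPolicy Bypass and its common abbreviation -ep Bypass.
BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.IGNORECASE)
FILE_ARG = re.compile(r'-File\s+"?([^"]+?\.ps1)"?', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Return [process, parent, grandparent, ...] as far as the capture allows."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)           # guards against pid-reuse loops
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain


def find_suspicious_chains(events: List[ProcEvent]) -> List[dict]:
    """Flag powershell.exe launches that combine at least two of: ExecutionPolicy
    Bypass, a script under AppData, and a cmd.exe parent spawned by an
    executable running from AppData. Each condition alone is noisy; the
    report's chain satisfies all three."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        reasons = []
        if BYPASS.search(e.cmdline):
            reasons.append("ExecutionPolicy Bypass")
        m = FILE_ARG.search(e.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            reasons.append("script in user-writable AppData path")
        chain = ancestry(e.pid, by_pid)
        if (len(chain) >= 3 and basename(chain[1].image) == "cmd.exe"
                and USER_WRITABLE.search(chain[2].image)):
            reasons.append("cmd.exe parent spawned by an executable in AppData")
        if len(reasons) >= 2:
            hits.append({"pid": e.pid, "chain": [p.pid for p in chain], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_chains(EVENTS):
        print(hit)
```

Run against the constructed events, the rule returns one hit for PID 1948 with the chain 1948 → 1892 → 2184 and all three reasons, and nothing for the control row. Requiring two of the three conditions is the design choice to note: -ExecutionPolicy Bypass alone appears in plenty of legitimate admin tooling, and scripts under Roaming are common for user-installed software, but the combination with a Temp-resident dropper as grandparent is what makes this chain stand out.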
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 2KB
MD5: e49a22252b02a1796bf77391c7d9899e
SHA1: 6f53d28310d135fa33ada71516f63a4bfa10f3a8
SHA256: af012b7fd89a629ee7342219148f9ceacd89d0bbb628a7c085de848d71555588
SHA512: dd514b5be4033a327a7bf904405f5d20e2860efd949a499e35e3f9b311716fe594f596362888e471d57050b1e85b9143ff39f2b7120888ddcac1f95d7666eeda