Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
13/10/2023, 03:27
Static task
static1
Behavioral task
behavioral1
Sample
deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe
Resource
win10v2004-20230915-en
General
-
Target
deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe
-
Size
198KB
-
MD5
5e58df9889d5529a7d0f99e689f4897e
-
SHA1
44b47008d2f4f79c9af013cdc6dec29e21d49589
-
SHA256
deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1
-
SHA512
39843678cc1bc5de2ce0944f271c4362e051d45f8f0f4101cd67f36591459a25ff0ee788b8c0456f19cbd01f2b67d3d534ede39eeccfc0b2a92dc10a650ee561
-
SSDEEP
6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCO7:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXC
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2752 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2060 iuyhost.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Debug\iuyhost.exe deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe File opened for modification C:\Windows\Debug\iuyhost.exe deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 iuyhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz iuyhost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2688 deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2688 wrote to memory of 2752 2688 deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe 29 PID 2688 wrote to memory of 2752 2688 deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe 29 PID 2688 wrote to memory of 2752 2688 deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe 29 PID 2688 wrote to memory of 2752 2688 deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe"C:\Users\Admin\AppData\Local\Temp\deb2e32e0cf38b6a205ffdb227888bf26ccedf67062f9c63a6936fbd2eb59ce1.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DEB2E3~1.EXE > nul2⤵
- Deletes itself
PID:2752
-
-
C:\Windows\Debug\iuyhost.exeC:\Windows\Debug\iuyhost.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2060
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
198KB
MD5613ab16318d913070992f837dd764ba5
SHA1e7c209c3042948f57b7c1952162c06d0eb75ce52
SHA2569cc8cd5a03b40ab60766e5de3c98dcf5024ef43fba3c90f86c2794e3021fdb59
SHA5122997e443ab14c67b361ae2cba07e8e01921a935b1217749367e3d635781a2da46049533f8c5cf2a68feba08e174a43271790ca824e4cb08627178945c0e79d04