Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
38s -
max time network
45s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
23/10/2023, 18:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
MWII-V7.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
MWII-V7.exe
-
Size
23.9MB
-
MD5
1ea4056f19b4d30f01a259f9a4cc437b
-
SHA1
417eb1feb84fa4b95db998c6a0ce8d1728ff8f3d
-
SHA256
1dc15d2bd59ff8e1ebe4a9d85a6922654b508bdb24ad9309727665c036ff71ea
-
SHA512
92510844505abe27f26a2461c691d2073339fc8a90d99b28ed2ea8cc870c8007bbf77858ed4e6aa27b6a65fdae267fe2f6123f6806df3c54cda15ec1ce0af49a
-
SSDEEP
393216:cUbneaVc7tJqjMMewghotAPUrbI+TwOqTDbqDeCtiNtjMjIEGDOYGAqy1jN:9bnr5ewghot0up0r+i2iIjIROHAb
Score
5/10
Malware Config
Signatures
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 752 MWII-V7.exe 752 MWII-V7.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe 752 MWII-V7.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 752 wrote to memory of 2668 752 MWII-V7.exe 93 PID 752 wrote to memory of 2668 752 MWII-V7.exe 93 PID 2668 wrote to memory of 3828 2668 cmd.exe 96 PID 2668 wrote to memory of 3828 2668 cmd.exe 96 PID 2668 wrote to memory of 3908 2668 cmd.exe 95 PID 2668 wrote to memory of 3908 2668 cmd.exe 95 PID 2668 wrote to memory of 4764 2668 cmd.exe 94 PID 2668 wrote to memory of 4764 2668 cmd.exe 94 PID 752 wrote to memory of 1384 752 MWII-V7.exe 98 PID 752 wrote to memory of 1384 752 MWII-V7.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\MWII-V7.exe"C:\Users\Admin\AppData\Local\Temp\MWII-V7.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\MWII-V7.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:4764
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:3908
-
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\MWII-V7.exe" MD53⤵PID:3828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1384
-