Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2023, 12:51
Static task: static1
Behavioral task: behavioral1
- Sample: 8f8baa750ba0fd142ce86feb0d2f7423.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 8f8baa750ba0fd142ce86feb0d2f7423.exe
- Resource: win10v2004-20231215-en
General
- Target: 8f8baa750ba0fd142ce86feb0d2f7423.exe
- Size: 24KB
- MD5: 8f8baa750ba0fd142ce86feb0d2f7423
- SHA1: 70caa942f5b3714c7fbdddc0d8ec9087e82b1a1c
- SHA256: be27fb5b852c98ea026648c0702538a8f500f071cf10129e831c34ffe76bd8fd
- SHA512: ea1e8c2eabe9fe254f17e3bcd1a08c6fd336c1da7ccbbcd6b5972e287bc31dad3bf66a972fabeb2f272d6097a1b919de7af5eee15e33519f14b42b42f5744ec2
- SSDEEP: 384:E3eVES+/xwGkRKJilM61qmTTMVF9/q5g0:bGS+ZfbJiO8qYoAZ
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" (process: 8f8baa750ba0fd142ce86feb0d2f7423.exe)
Drops file in Program Files directory (1 IoC)
- File created: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe (process: 8f8baa750ba0fd142ce86feb0d2f7423.exe)
Enumerates processes with tasklist (1 TTP, 1 IoC)
- PID 1820, tasklist.exe
Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
- PID 2224, ipconfig.exe
- PID 2664, NETSTAT.EXE
Runs net.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1820, tasklist.exe
- Token: SeDebugPrivilege, PID 2664, NETSTAT.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2360, 8f8baa750ba0fd142ce86feb0d2f7423.exe
- PID 2360, 8f8baa750ba0fd142ce86feb0d2f7423.exe
Suspicious use of WriteProcessMemory (28 IoCs; each row below was recorded 4 times)
- PID 2360 (8f8baa750ba0fd142ce86feb0d2f7423.exe) wrote to memory of PID 2148, procid_target 23
- PID 2148 (cmd.exe) wrote to memory of PID 804, procid_target 22
- PID 2148 (cmd.exe) wrote to memory of PID 2224, procid_target 16
- PID 2148 (cmd.exe) wrote to memory of PID 1820, procid_target 17
- PID 2148 (cmd.exe) wrote to memory of PID 2580, procid_target 19
- PID 2580 (net.exe) wrote to memory of PID 2644, procid_target 21
- PID 2148 (cmd.exe) wrote to memory of PID 2664, procid_target 20
Processes
C:\Users\Admin\AppData\Local\Temp\8f8baa750ba0fd142ce86feb0d2f7423.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f8baa750ba0fd142ce86feb0d2f7423.exe"
  PID: 2360
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    PID: 2148
    - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\ipconfig.exe (depth 1)
  Command line: ipconfig /all
  PID: 2224
  - Gathers network information
C:\Windows\SysWOW64\tasklist.exe (depth 1)
  Command line: tasklist
  PID: 1820
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\net.exe (depth 1)
  Command line: net start
  PID: 2580
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\net1.exe (depth 2)
    Command line: C:\Windows\system32\net1 start
    PID: 2644
C:\Windows\SysWOW64\NETSTAT.EXE (depth 1)
  Command line: netstat -an
  PID: 2664
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\cmd.exe (depth 1)
  Command line: cmd /c set
  PID: 804
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
- MD5: d9657cf5b6d7d78d24a80cc9bfe168a3
- SHA1: 9f9ee5416ff6689dba07d20c9ca53e92dc96d857
- SHA256: 53607b42d661fb58730be38c4e9c83896e6de579011b032da965658fdbcd4950
- SHA512: 06ce10fecd8c7a0d39e4bf80b6d3801da4664966ae28d8ec58da5d9453f30a2c9c32289bfd10598737ebcfca06909b05b79587c2deedbdbdeaecc87711198714