Analysis

- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2023, 16:10
Tasks

- Static task: static1
- Behavioral task: behavioral1, sample ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe, resource win7-20231215-en
- Behavioral task: behavioral2, sample ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe, resource win10v2004-20231215-en
General

- Target: ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe
- Size: 24KB
- MD5: ea4e5df4f3581fb57c8c89f8eb2ab1fb
- SHA1: ca81d40e97dfe23437d0e2d701eed90adf12f85a
- SHA256: 8e693a263d61a44a9ef68b7c082ed22453c9671919a75fc7b90be4ae67c07d76
- SHA512: 7161a7796cd698fec123d2b5ad2a6080cbe815b66ab7d855e69a8706321343fed5a70fe409353bd0ff600459f4c8db938aab2019263784a4a846b9dc7ba46745
- SSDEEP: 384:E3eVES+/xwGkRKJJIlM61qmTTMVF9/q5q0:bGS+ZfbJqO8qYoAb
Malware Config
Signatures

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" (process: ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe)
  The key lands under Wow6432Node because a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows is redirected there by WOW64. Entries in that Run key are still started at logon, so a hunt for this persistence has to query both the native and the Wow6432Node view. The value name borrows a legitimate product name (GeekBuddy) and the target reuses the Print Spooler's file name, but spoolsv.exe does not belong under Program Files\Common Files.
- Drops file in Program Files directory (1 IoC)
  File created: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe (process: ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe)
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 2752, tasklist.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses command-line utilities to view network configuration: PID 2756 ipconfig.exe; PID 2696 NETSTAT.EXE
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 2752 tasklist.exe; Token SeDebugPrivilege: PID 2696 NETSTAT.EXE
  Both are the built-in utilities launched by the sample's cmd.exe; the privilege is requested by those utilities, not by the sample's own image.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3048 ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe (reported twice)
- Suspicious use of WriteProcessMemory (28 IoCs)
  The report lists each parent-to-child write four times; the seven distinct writes are:
  PID 3048 (ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe) wrote to memory of PID 2720, target index 28
  PID 2720 (cmd.exe) wrote to memory of PID 2668, target index 30
  PID 2720 (cmd.exe) wrote to memory of PID 2756, target index 31
  PID 2720 (cmd.exe) wrote to memory of PID 2752, target index 32
  PID 2720 (cmd.exe) wrote to memory of PID 2796, target index 34
  PID 2796 (net.exe) wrote to memory of PID 2684, target index 35
  PID 2720 (cmd.exe) wrote to memory of PID 2696, target index 36
  Every target is the writer's direct child in the process tree, which is consistent with process creation rather than injection into an unrelated process.
Processes

- C:\Users\Admin\AppData\Local\Temp\ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe (PID 3048, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe"
  Signatures: Adds Run key to start application; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2720, depth 2)
    Command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2668, depth 3)
      Command line: cmd /c set
    - C:\Windows\SysWOW64\ipconfig.exe (PID 2756, depth 3)
      Command line: ipconfig /all
      Signatures: Gathers network information
    - C:\Windows\SysWOW64\tasklist.exe (PID 2752, depth 3)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\net.exe (PID 2796, depth 3)
      Command line: net start
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2684, depth 4)
        Command line: C:\Windows\system32\net1 start
    - C:\Windows\SysWOW64\NETSTAT.EXE (PID 2696, depth 3)
      Command line: netstat -an
      Signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken

The sample runs one cmd.exe one-liner that appends the output of ver, set, ipconfig /all, tasklist, net start and netstat -an to a single file, c:\windows\temp\flash.log: OS version, environment variables (user, domain, paths), network configuration, running processes, running services and open connections collected in one place. Every child image is under SysWOW64, which shows the sample itself runs as a 32-bit (WOW64) process.
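The two behaviours above, the cmd.exe discovery chain funnelled into one log file and the Run-key value pointing at a system-binary name outside the system directories, are both easy to detect from ordinary process-creation and registry telemetry. The Python below is an added example, not part of the tria.ge report or of the sample; the event list is constructed from the report's process tree and registry IoC in a simplified Sysmon-like shape (EventID 1 for process create, EventID 13 for registry value set), the parent PIDs 1000 and 4000 and the extra cmd/ipconfig pair are assumed benign noise, and the tool and binary-name lists are the author's choice.

```python
"""Detection logic for the discovery chain and the Run-key masquerade in this report.

Added example, not part of the tria.ge report. EVENTS is constructed from the
report's process tree and registry IoC in a simplified Sysmon-like shape
(EventID 1 = process create, EventID 13 = registry value set); the trailing
cmd/ipconfig pair is constructed benign noise.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Built-in utilities commonly chained for host and network discovery.
DISCOVERY_TOOLS = {"ipconfig.exe", "tasklist.exe", "net.exe", "net1.exe", "netstat.exe",
                   "systeminfo.exe", "whoami.exe", "arp.exe", "route.exe", "nltest.exe"}
# Windows binary names that malware borrows; real copies live only under these dirs.
SYSTEM_BINARY_NAMES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                       "winlogon.exe", "explorer.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
REDIRECT_RE = re.compile(r'>>?\s*("[^"]+"|\S+)')  # targets of > and >> redirections

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ea4e5df4f3581fb57c8c89f8eb2ab1fb.exe"
RECON = (r"cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log"
         r" & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log"
         r" & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log")

def proc(pid, ppid, image, cmdline):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmdline}

EVENTS = [  # constructed; PIDs and command lines as reported
    proc(3048, 1000, SAMPLE, f'"{SAMPLE}"'),
    {"EventID": 13, "ProcessId": 3048, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy",
     "Details": r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe"},
    proc(2720, 3048, r"C:\Windows\SysWOW64\cmd.exe", RECON),
    proc(2668, 2720, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c set"),
    proc(2756, 2720, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /all"),
    proc(2752, 2720, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    proc(2796, 2720, r"C:\Windows\SysWOW64\net.exe", "net start"),
    proc(2684, 2796, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 start"),
    proc(2696, 2720, r"C:\Windows\SysWOW64\NETSTAT.EXE", "netstat -an"),
    proc(4100, 4000, r"C:\Windows\System32\cmd.exe", "cmd"),  # benign noise: one lone ipconfig
    proc(4101, 4100, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

def image_name(path):
    return PureWindowsPath(path).name.lower()

def detect_discovery_chain(events, min_tools=3):
    """Flag each cmd.exe whose direct children include at least min_tools distinct
    discovery utilities, and report where the parent redirected their output."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    children = defaultdict(list)
    for e in events:
        if e["EventID"] == 1:
            children[e["ParentProcessId"]].append(e)
    findings = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or image_name(parent["Image"]) != "cmd.exe":
            continue
        tools = sorted({image_name(k["Image"]) for k in kids} & DISCOVERY_TOOLS)
        if len(tools) < min_tools:
            continue
        # Output funnelled into one file is the collect-then-exfiltrate pattern.
        targets = {t.strip('"').lower() for t in REDIRECT_RE.findall(parent["CommandLine"])}
        findings.append({"parent_pid": ppid, "tools": tools, "log_files": sorted(targets)})
    return findings

def detect_run_key_masquerade(events):
    """Flag Run-key values whose target borrows a system binary name but lives outside
    System32/SysWOW64, and note whether the write landed in the WOW64 (Wow6432Node) view."""
    findings = []
    for e in events:
        if e["EventID"] != 13 or not RUN_KEY_RE.search(e["TargetObject"]):
            continue
        target = e["Details"].strip('"').lower()
        in_system_dir = any(target.startswith(d + "\\") for d in SYSTEM_DIRS)
        if image_name(target) in SYSTEM_BINARY_NAMES and not in_system_dir:
            findings.append({"pid": e["ProcessId"], "value": e["TargetObject"],
                             "target": e["Details"],
                             "wow64_view": "wow6432node" in e["TargetObject"].lower()})
    return findings

if __name__ == "__main__":
    for f in detect_discovery_chain(EVENTS):
        print(f"[discovery] cmd.exe PID {f['parent_pid']} ran {', '.join(f['tools'])} -> {f['log_files']}")
    for f in detect_run_key_masquerade(EVENTS):
        print(f"[persistence] PID {f['pid']} set {f['value']} = {f['target']} (WOW64 view: {f['wow64_view']})")
```

Keying the discovery rule on the parent rather than on each utility is what keeps the lone admin `ipconfig /all` out of the results; the threshold and the tool list are the knobs to tune against a real environment. The Run-key check matches on the key path fragment, so it sees the entry whether it was written to the native key or redirected to Wow6432Node, and reports which view it landed in.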
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 8KB
- MD5: c9d079328dadda3e7fa132d2892c7aed
- SHA1: edc4babbc05869699d1a0dbd0680135e9de1896b
- SHA256: ebefa9e50751eb5a03c916f1c2e9a6c12cb03f516f156a9167df2256424614a1
- SHA512: fdf186aededfbc57419f83e3dfcea84137e977a7545f58b77d0d4804fd26cfbf385e3482b2d2b8031fb0fac0493cbe39638e14ee0b7cc7cf5c306e04ea3c831f