Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
8s -
max time network
6s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
22/12/2023, 16:25
General
-
Target
ee6bfd2f9b53ed923c3b10f3eeab3ed3.exe
-
Size
178KB
-
MD5
ee6bfd2f9b53ed923c3b10f3eeab3ed3
-
SHA1
22eab09935aba748fc208fcf7d533ad284895ddf
-
SHA256
6132fb32737a39524f33328f9317f329752a8dc10e705a8565b71fec755dc431
-
SHA512
aaed3c284202b58515dfcf71fa91e26fb2c66e033463660e9f0be9be94daede2352dac31cbc2ef76d7c38c1e6c6bfb316fe3649398d8dcea1d46be3942d9beef
-
SSDEEP
3072:3q6+ouCpk2mpcWJ0r+QNTBfmj8q6+ouCpk2mpcWJ0r+QNTBfmjW:3ldk1cWQRNTBej8ldk1cWQRNTBejW
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 2 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee6bfd2f9b53ed923c3b10f3eeab3ed3.exe"C:\Users\Admin\AppData\Local\Temp\ee6bfd2f9b53ed923c3b10f3eeab3ed3.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4BA0.tmp\4BA1.tmp\4BA2.bat C:\Users\Admin\AppData\Local\Temp\ee6bfd2f9b53ed923c3b10f3eeab3ed3.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\setup.bat /f3⤵
- Adds Run key to start application
- Modifies registry key
-
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\setup.bat /f3⤵
- Adds Run key to start application
- Modifies registry key
-
-
C:\Windows\system32\mode.commode 8003⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /IM explorer.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\net.exenet user Admin /delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user Admin /delete4⤵
-
-
-
C:\Windows\system32\net.exenet user Admin /del3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user Admin /del4⤵
-
-
-
C:\Windows\system32\net.exenet stop "Themes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Themes"4⤵
-
-
-
C:\Windows\system32\taskkill.exetaskkill /IM wininit.exe /F3⤵
- Kills process with taskkill
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52442a13b59684193d389f0cc947f44fa
SHA1e9e39f1f080b827ef8df139501d3679332c4e2e5
SHA2567d8cc630d28bef8c0ca5c34799e975159551f507c62db0d0cf09288960a4a6dc
SHA512ae8f69330155a02ff9cd9f365322c7cf14bac8df288127f284ae1061e4adff5af2b35327596959ef7fb5e3191bfc4258629ef5fa9ff9ca5241bc45c785c1f789
-
Filesize
178KB
MD5ee6bfd2f9b53ed923c3b10f3eeab3ed3
SHA122eab09935aba748fc208fcf7d533ad284895ddf
SHA2566132fb32737a39524f33328f9317f329752a8dc10e705a8565b71fec755dc431
SHA512aaed3c284202b58515dfcf71fa91e26fb2c66e033463660e9f0be9be94daede2352dac31cbc2ef76d7c38c1e6c6bfb316fe3649398d8dcea1d46be3942d9beef