Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 128s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 23:55
Static task
static1: 1 signature
Behavioral task
behavioral1
Sample: 1b15f78acd1fcfd0922d51e6b5f36120.exe
Resource: win7-20231215-en
5 signatures, 150 seconds
Behavioral task
behavioral2
Sample: 1b15f78acd1fcfd0922d51e6b5f36120.exe
Resource: win10v2004-20231215-en
4 signatures, 150 seconds
General
Target: 1b15f78acd1fcfd0922d51e6b5f36120.exe
Size: 644KB
MD5: 1b15f78acd1fcfd0922d51e6b5f36120
SHA1: 0b659861c354b22c1f4d01e2405415566bbf7117
SHA256: 56e65d422414cee26dd464870634423208ab32af705a177c0ffa9511292eaa29
SHA512: 0123cc2c18ea98058263bc2f4c5c2f34804addaf631203de2fb709c400a69d1957cd78c7f87729b5c78d0bca485640bb08cb5024202aa187597a9b8bf3b1d65c
SSDEEP: 12288:FytbV3kSoXaLnToslPqgwdkjLoz8YuP4SBEYjf22wuBLd:Eb5kSYaLTVlCtOjUEzEQwuld
Score: 7/10
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2204, process cmd.exe
Runs ping.exe (1 TTP, 1 IoC)
  pid 2904, process PING.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 876, process 1b15f78acd1fcfd0922d51e6b5f36120.exe
  pid 876, process 1b15f78acd1fcfd0922d51e6b5f36120.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 876, process 1b15f78acd1fcfd0922d51e6b5f36120.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process                                procid_target
  PID 876 wrote to memory of 2204    876   1b15f78acd1fcfd0922d51e6b5f36120.exe   23
  PID 876 wrote to memory of 2204    876   1b15f78acd1fcfd0922d51e6b5f36120.exe   23
  PID 876 wrote to memory of 2204    876   1b15f78acd1fcfd0922d51e6b5f36120.exe   23
  PID 2204 wrote to memory of 2904   2204  cmd.exe                                30
  PID 2204 wrote to memory of 2904   2204  cmd.exe                                30
  PID 2204 wrote to memory of 2904   2204  cmd.exe                                30
Processes
1. C:\Users\Admin\AppData\Local\Temp\1b15f78acd1fcfd0922d51e6b5f36120.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1b15f78acd1fcfd0922d51e6b5f36120.exe"
   PID: 876
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\system32\cmd.exe
     Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1b15f78acd1fcfd0922d51e6b5f36120.exe"
     PID: 2204
     - Deletes itself
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\system32\PING.EXE
       Command line: ping 1.1.1.1 -n 1 -w 6000
       PID: 2904
       - Runs ping.exe
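The process tree shows the usual delay-then-delete cleanup: the sample spawns cmd.exe, which pings 1.1.1.1 once as a sleep and then deletes the sample's own image. The following is an added Python example, not part of the Triage report or of the sample, that detects this pattern over process-creation events. The events are constructed here and modelled on the report's PIDs, paths and command lines (the parent PID of 876 and the explorer.exe / benign cmd.exe records are invented for contrast); in practice the same fields come from Sysmon Event ID 1 or Windows Security 4688. It also accepts `timeout` as the delay idiom, which goes beyond what this report observed.

```python
"""Detect the delay-then-delete self-removal pattern seen in this report.

Added example (not part of the Triage report). It flags a cmd.exe child whose
command line (a) sleeps via `ping -n` or `timeout` and (b) deletes the image
of its own parent process.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # full path of the executable
    command_line: str


# Constructed sample events modelled on the report's process tree. PIDs, paths and
# command lines of the first three are taken from the report; the parent PID of 876
# and the explorer.exe / second cmd.exe events are made up for contrast.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\1b15f78acd1fcfd0922d51e6b5f36120.exe"
SAMPLE_EVENTS = [
    ProcessEvent(876, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcessEvent(2204, 876, r"C:\Windows\system32\cmd.exe",
                 f'cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "{SAMPLE_PATH}"'),
    ProcessEvent(2904, 2204, r"C:\Windows\system32\PING.EXE", "ping 1.1.1.1 -n 1 -w 6000"),
    ProcessEvent(3000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # benign look-alike: delay, then delete of an unrelated file rather than the parent
    ProcessEvent(3100, 3000, r"C:\Windows\system32\cmd.exe",
                 r'cmd.exe /c ping localhost -n 3 > nul & del /q "C:\Temp\old.log"'),
]

# Delay idioms: `ping <host> -n N` (what the report shows) and `timeout N`
# (a common substitute; a generalisation beyond what this report observed).
_DELAY_RE = re.compile(r"\bping\b[^&|]*\s-n\s+\d+|\btimeout\b[^&|]*\d+", re.IGNORECASE)
# cmd.exe chaining operators; an `&` inside a quoted path would break this split.
_CHAIN_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
# quoted string or bare word
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so quoted/unquoted forms compare equal."""
    return ntpath.normpath(path.strip('"')).lower()


def has_delay(cmdline: str) -> bool:
    """True if the command line contains a ping -n / timeout sleep idiom."""
    return _DELAY_RE.search(cmdline) is not None


def delete_targets(cmdline: str) -> list[str]:
    """Return the paths passed to `del`/`erase` anywhere in a cmd.exe command line."""
    targets: list[str] = []
    for segment in _CHAIN_RE.split(cmdline):
        tokens = _TOKEN_RE.findall(segment)
        for i, tok in enumerate(tokens):
            # accept `del ...` at the start of a chained segment, or right after cmd's /c or /k
            if tok.lower() in ("del", "erase") and (i == 0 or tokens[i - 1].lower() in ("/c", "/k")):
                targets.extend(t.strip('"') for t in tokens[i + 1:] if not t.startswith("/"))
                break
    return targets


def find_self_deletion(events: list[ProcessEvent]) -> list[dict]:
    """Flag cmd.exe children that sleep and then delete their parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not has_delay(e.command_line):
            continue
        if any(_norm(t) == _norm(parent.image) for t in delete_targets(e.command_line)):
            hits.append({"parent_pid": parent.pid, "parent_image": parent.image, "cmd_pid": e.pid})
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(SAMPLE_EVENTS):
        print(f"self-deletion: PID {hit['parent_pid']} ({hit['parent_image']}) "
              f"via cmd.exe PID {hit['cmd_pid']}")
```

Two caveats when reading the report alongside this check. The `ping ... -n 1 -w 6000` sleep only lasts six seconds if 1.1.1.1 does not answer; with network access the reply comes back almost at once and the `Del` runs immediately, so the file is gone from disk by the time a slow collector looks for it. And the WriteProcessMemory IoCs (876 into 2204, 2204 into 2904) are each a parent writing into a child it has just created, which is what ordinary process creation looks like; on their own they carry little signal, whereas the parent-image deletion chain above is the indicator worth alerting on.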