Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 146s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 24/12/2023, 12:50
Static task
static1
Behavioral tasks
behavioral1: Sample App/DontSleep/DontSleep_p.exe, Resource win7-20231215-en
behavioral2: Sample App/DontSleep/DontSleep_p.exe, Resource win10v2004-20231215-en
behavioral3: Sample App/DontSleep/DontSleep_x64_p.exe, Resource win7-20231129-en
behavioral4: Sample App/DontSleep/DontSleep_x64_p.exe, Resource win10v2004-20231215-en
behavioral5: Sample DontSleepPortable.exe, Resource win7-20231215-en
behavioral6: Sample DontSleepPortable.exe, Resource win10v2004-20231215-en
General
Target: DontSleepPortable.exe
Size: 511KB
MD5: c3ec9200d491dfede2e4dcdda4d9933d
SHA1: dc24c39e7a65775edab4119681db3af939d3c244
SHA256: 21c2b3ab601f804a3196337555c9fe22ae8827c46ea3a30b5b4319ddea2e403e
SHA512: 2e93c14a68a715fcbbcc1cd702b4ce4fc65dad339a6c4d268379b3f2750bd1ab104f6c852cac1d70e34ff5f6fcbb54b859529a0a2b998311fe0965810430ce9c
SSDEEP: 6144:PPKgNFHV4vcW2vSh1xEL5ICw91hEK5ZBG6UXkdI+iqdg5/AaZxJtxFM9dY8Yn31Z:0cUdI+iB1xFOdY8c31RH
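Before relying on this report for a file you hold, confirm it is the same sample. The following is an added example (not code from tria.ge or from the DontSleep project) that streams a local file through MD5, SHA1, SHA256 and SHA512 in one pass and lists every digest that disagrees with the values in the General section above. SSDEEP is a fuzzy hash and is deliberately not compared; exact digests are the identity check. The file path is an assumption supplied by the caller.

```python
"""Verify a local file against the digests published in the report."""
import hashlib
import hmac
import sys
from typing import Dict, List

# Digests copied from the report's "General" section for DontSleepPortable.exe.
REPORT_DIGESTS: Dict[str, str] = {
    "md5": "c3ec9200d491dfede2e4dcdda4d9933d",
    "sha1": "dc24c39e7a65775edab4119681db3af939d3c244",
    "sha256": "21c2b3ab601f804a3196337555c9fe22ae8827c46ea3a30b5b4319ddea2e403e",
    "sha512": "2e93c14a68a715fcbbcc1cd702b4ce4fc65dad339a6c4d268379b3f2750bd1ab"
              "104f6c852cac1d70e34ff5f6fcbb54b859529a0a2b998311fe0965810430ce9c",
}


def _new_hashers() -> Dict[str, "hashlib._Hash"]:
    # One hasher per algorithm named in the report, so the file is read once.
    return {name: hashlib.new(name) for name in REPORT_DIGESTS}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Lowercase hex digests of an in-memory buffer for all four algorithms."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Stream a file (assumed path) through all four hashers in a single pass."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def mismatches(actual: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Sorted names of algorithms whose digest differs from the expected value.

    Comparison is case-insensitive (reports vary in hex case) and uses a
    constant-time compare so the check is also safe to reuse for secrets.
    """
    bad = []
    for name, want in expected.items():
        got = actual.get(name, "")
        if not hmac.compare_digest(got.lower(), want.lower()):
            bad.append(name)
    return sorted(bad)


def check_file(path: str, expected: Dict[str, str] = REPORT_DIGESTS) -> List[str]:
    """Return [] when every digest in `expected` matches the file at `path`."""
    return mismatches(digest_file(path), expected)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "DontSleepPortable.exe"
    bad = check_file(target)
    print("match" if not bad else "MISMATCH: " + ", ".join(bad))
```

Run it as `python verify.py path/to/DontSleepPortable.exe`; an empty mismatch list means the file is byte-for-byte the sample this report describes.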
Malware Config
Signatures
Loads dropped DLL (4 IoCs)
pid 1740 DontSleepPortable.exe, 4 hits
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid 1740 DontSleepPortable.exe, 3 hits
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Token: SeShutdownPrivilege, pid 2768 DontSleep_x64_p.exe, 5 hits
Suspicious use of FindShellTrayWindow (36 IoCs)
pid 2768 DontSleep_x64_p.exe, 36 hits
Suspicious use of SendNotifyMessage (36 IoCs)
pid 2768 DontSleep_x64_p.exe, 36 hits
Suspicious use of SetWindowsHookEx (2 IoCs)
pid 2768 DontSleep_x64_p.exe, 2 hits
Suspicious use of WriteProcessMemory (4 IoCs)
PID 1740 wrote to memory of 2768; pid 1740 DontSleepPortable.exe; procid_target 28; 4 hits
Processes
1. C:\Users\Admin\AppData\Local\Temp\DontSleepPortable.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DontSleepPortable.exe"
   PID: 1740
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\App\DontSleep\DontSleep_x64_p.exe (child of 1)
   Command line: C:\Users\Admin\AppData\Local\Temp\App\DontSleep\DontSleep_x64_p.exe
   PID: 2768
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
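When a report like this is copied out as text, each signature arrives as a header line ("Name N IoCs" or "N TTPs") followed by one line that starts with the column names and runs every row together. The block below is an added example, not code from tria.ge or from the DontSleep project, that parses that flattened form back into rows, counts IoCs per process, and rebuilds the parent/child edges from the WriteProcessMemory rows. The SIGNATURES text is this report's own signature section embedded as constructed input (the two 36-row FindShellTrayWindow and SendNotifyMessage blocks are omitted from the sample); the three column layouts and the assumption that process names contain no spaces are taken from what this report shows. Note that every WriteProcessMemory row here names 2768, the process that 1740 itself launched, so these rows describe the launcher starting its payload rather than a write into an unrelated, pre-existing process.

```python
"""Parse the flattened signature block of a tria.ge report (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed input: this report's signature section as exported text.
SIGNATURES = """\
Loads dropped DLL 4 IoCs
pid Process 1740 DontSleepPortable.exe 1740 DontSleepPortable.exe 1740 DontSleepPortable.exe 1740 DontSleepPortable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1740 DontSleepPortable.exe 1740 DontSleepPortable.exe 1740 DontSleepPortable.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeShutdownPrivilege 2768 DontSleep_x64_p.exe Token: SeShutdownPrivilege 2768 DontSleep_x64_p.exe Token: SeShutdownPrivilege 2768 DontSleep_x64_p.exe Token: SeShutdownPrivilege 2768 DontSleep_x64_p.exe Token: SeShutdownPrivilege 2768 DontSleep_x64_p.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2768 DontSleep_x64_p.exe 2768 DontSleep_x64_p.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1740 wrote to memory of 2768 1740 DontSleepPortable.exe 28 PID 1740 wrote to memory of 2768 1740 DontSleepPortable.exe 28 PID 1740 wrote to memory of 2768 1740 DontSleepPortable.exe 28 PID 1740 wrote to memory of 2768 1740 DontSleepPortable.exe 28
"""

HEADER = re.compile(r"^(?P<name>.+?) (?P<n>\d+) (?P<kind>IoCs|TTPs)$")

# Column layouts seen in the report: (header prefix, one-row regex, field names).
# Longest prefix first so "description pid Process procid_target" is not
# swallowed by "description pid Process". Process names are assumed space-free.
ROW_LAYOUTS = [
    ("description pid Process procid_target",
     re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)"),
     ("src_pid", "dst_pid", "pid", "process", "procid_target")),
    ("description pid Process",
     re.compile(r"Token: (\S+) (\d+) (\S+)"),
     ("token", "pid", "process")),
    ("pid Process",
     re.compile(r"(\d+) (\S+)"),
     ("pid", "process")),
]

Row = Dict[str, str]


def parse_rows(line: str) -> List[Row]:
    """Split one run-together data line into dict rows using its column header."""
    for prefix, rx, fields in ROW_LAYOUTS:
        if line.startswith(prefix):
            return [dict(zip(fields, m)) for m in rx.findall(line[len(prefix):])]
    raise ValueError(f"unknown column layout: {line[:40]!r}")


def parse_signatures(text: str) -> Dict[str, dict]:
    """Return {signature name: {count, kind, rows, description}}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    sigs: Dict[str, dict] = {}
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            raise ValueError(f"expected a signature header: {lines[i]!r}")
        name, count, kind = m.group("name"), int(m.group("n")), m.group("kind")
        body = lines[i + 1] if i + 1 < len(lines) else ""
        entry = {"count": count, "kind": kind, "rows": [], "description": ""}
        if kind == "TTPs":
            # TTP signatures carry a sentence, not per-process rows.
            if body and not HEADER.match(body):
                entry["description"] = body
                i += 1
        else:
            entry["rows"] = parse_rows(body)
            if len(entry["rows"]) != count:  # header count is the ground truth
                raise ValueError(f"{name}: header says {count}, parsed {len(entry['rows'])}")
            i += 1
        sigs[name] = entry
        i += 1
    return sigs


def iocs_per_process(sigs: Dict[str, dict]) -> Dict[Tuple[str, str], Counter]:
    """(pid, process) -> Counter of signature names hit by that process."""
    out: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    for name, entry in sigs.items():
        for row in entry["rows"]:
            out[(row["pid"], row["process"])][name] += 1
    return out


def memory_write_edges(sigs: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Distinct (writer pid, writer process, target pid) edges, in report order."""
    edges: List[Tuple[str, str, str]] = []
    for row in sigs.get("Suspicious use of WriteProcessMemory", {}).get("rows", []):
        edge = (row["src_pid"], row["process"], row["dst_pid"])
        if edge not in edges:
            edges.append(edge)
    return edges


if __name__ == "__main__":
    parsed = parse_signatures(SIGNATURES)
    for proc, hits in iocs_per_process(parsed).items():
        print(proc, dict(hits))
    print("memory writes:", memory_write_edges(parsed))
```

The per-process counters make the split visible at a glance: 1740 (the portable launcher) only loads dropped DLLs, enumerates processes and writes into the child it spawns, while every privilege, hook and tray-window signature belongs to 2768, the extracted DontSleep_x64_p.exe.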
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 93B
MD5: f45cef797295f36867b17869c4c566b2
SHA1: ac94956cf29bda2861d416bf5deaf678f3474610
SHA256: d384abf7d7a8d15146ffd5125aed82e307c957cbbe8b3516c95616c809634f53
SHA512: b4880f0584190281a1cb3580d33d3c3bd5134afbe229eb22e10fcb64216241b3657e4494b5fa80610125dbe06ebbb0a9e754ee2477c22ac5f4c34fac5e2a5484

Filesize: 10KB
MD5: 24ba3b21fe9c5d01a7c21d32958b3a16
SHA1: c25ac10843ae5ad73e57fc80585c0c3c924888e8
SHA256: ef63f2d4dc4ccb6b35449f56b19915a26ee6dc7089df01499f44da4db5ab1499
SHA512: 5eae694d3b36757986ee583615ee672a41b8d806affe80b9591c72eae54373293be5875794d80cef3863cefc8dde44a7c88f9fe232af1e96d01401e0cce72f94

Filesize: 13KB
MD5: 7f56c0d6a8733dec142814ed5a58b0ee
SHA1: c119e66f179cfb758966f3cf878466057bea1840
SHA256: 86445396775370aff5834f10bda25e505b6f89efc69a04fe1ce46f5d128be73f
SHA512: 8b3b9bed985b3583b7be8b2197bb068e5d5508f8b5c4a7fc1278b2662dc8d9a53fd6df63f636e44bfc5aa37f030ac76b8d259d6b446bf87d5c72b74ff5b158f3

Filesize: 8KB
MD5: 9bc6c411efa742a5de7d8372afafa2fa
SHA1: 2b57865e87c7ca2db97d0296d8cbe0183df2c2cf
SHA256: 0cac914c87d4e73875dea8544391e383f441d624ea5ec9a4864d056db161206c
SHA512: 092ef3f13a71a46df0f78a3b5eb4492bee32f1a12be27e0c534638ec7723b2a9aac23391768c352289df6a8988cbc6cf96ea22d8f1983b5ccf609e08d1db4bde

Filesize: 24KB
MD5: 2b7007ed0262ca02ef69d8990815cbeb
SHA1: 2eabe4f755213666dbbbde024a5235ddde02b47f
SHA256: 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
SHA512: aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca