Analysis
max time kernel: 15s
max time network: 18s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 17:03
Static task: static1
Behavioral task: behavioral1
  Sample: 0738ab32f9426392d284183361e0d8b0.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0738ab32f9426392d284183361e0d8b0.exe
  Resource: win10v2004-20231215-en
Errors
General
Target: 0738ab32f9426392d284183361e0d8b0.exe
Size: 24KB
MD5: 0738ab32f9426392d284183361e0d8b0
SHA1: af43b3eeff5ee03d00499016c5d94c17ff294fd9
SHA256: 53bf262830fa7e39f79ff27aa43d0cf63c76a2d481f706da03629ddae7775494
SHA512: c1e32fbdc1f99d054c809336779ec9e12a6766d19de9a825755ecf73808d8a2440970c134ec4deadaf2814641699227e2d93c00eb2bcc909d86c0a40fda6350c
SSDEEP: 192:KCFEIW9H9i9s9G9h9aOUUMGDryPOKVY68KUBxZY1VBta1lyhCgErZsivIw5RoT/v:KI5mGMMtKVbnSrNvIw5RoTv
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2356  0738ab32f9426392d284183361e0d8b0.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                        pid   Process
  Token: SeShutdownPrivilege         2356  0738ab32f9426392d284183361e0d8b0.exe
  Token: SeIncBasePriorityPrivilege  2356  0738ab32f9426392d284183361e0d8b0.exe
Suspicious use of UnmapMainImage (1 IoCs)
  pid   Process
  2356  0738ab32f9426392d284183361e0d8b0.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 2356 wrote to memory of 2940  2356  0738ab32f9426392d284183361e0d8b0.exe  29
  PID 2356 wrote to memory of 2940  2356  0738ab32f9426392d284183361e0d8b0.exe  29
  PID 2356 wrote to memory of 2940  2356  0738ab32f9426392d284183361e0d8b0.exe  29
  PID 2356 wrote to memory of 2940  2356  0738ab32f9426392d284183361e0d8b0.exe  29
Processes
C:\Users\Admin\AppData\Local\Temp\0738ab32f9426392d284183361e0d8b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0738ab32f9426392d284183361e0d8b0.exe"
  PID: 2356
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0738AB~1.EXE > nul
    PID: 2940
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2872
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2436