Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 01:00
Static task: static1
Behavioral task: behavioral1
  Sample: 1ed4c76010c938c38ad503c552fcde97.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1ed4c76010c938c38ad503c552fcde97.exe
  Resource: win10v2004-20231215-en
General
- Target: 1ed4c76010c938c38ad503c552fcde97.exe
- Size: 134KB
- MD5: 1ed4c76010c938c38ad503c552fcde97
- SHA1: ba6701add4a0cb103978a8877bff2dbdc2355e08
- SHA256: cfe701c32299a1a659abdfedd357926875310233e22b02eb59fb224c89fe4d8a
- SHA512: 1ae624c7658af8536f1f1a115e05d08a10b9c2aa817f3dc6f39d716496f1848cdef3f502e6bbd70b5cfc4d5f4471a8271f6cd48df5fe7c8ed72cfd823d455575
- SSDEEP: 1536:8QTpallndzt8usk8Ih5t2d/r1h0HdUye8S3IHhgHKmmMaTKhJ1tujsk8nauWf7Sm:8QollZEpI52d/pKHdR7a+Q389jDU5
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  | Process
  2204 | MicroS0FT.exe
- Drops file in System32 directory (3 IoCs)
  description                  | ioc                                   | Process
  File created                 | C:\Windows\SysWOW64\system_ylmy.exe   | MicroS0FT.exe
  File opened for modification | C:\Windows\SysWOW64\system_ylmy.exe   | MicroS0FT.exe
  File created                 | C:\Windows\SysWOW64\kill.bat          | MicroS0FT.exe
- Drops file in Windows directory (1 IoC)
  description  | ioc                      | Process
  File created | C:\Windows\MicroS0FT.exe | 1ed4c76010c938c38ad503c552fcde97.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid  | Process
  1056 | 1ed4c76010c938c38ad503c552fcde97.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid  | Process
  2204 | MicroS0FT.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       | pid  | Process                              | procid_target
  PID 1056 wrote to memory of 2204  | 1056 | 1ed4c76010c938c38ad503c552fcde97.exe | 30
  PID 1056 wrote to memory of 2204  | 1056 | 1ed4c76010c938c38ad503c552fcde97.exe | 30
  PID 1056 wrote to memory of 2204  | 1056 | 1ed4c76010c938c38ad503c552fcde97.exe | 30
  PID 1056 wrote to memory of 2204  | 1056 | 1ed4c76010c938c38ad503c552fcde97.exe | 30
  PID 2204 wrote to memory of 2420  | 2204 | MicroS0FT.exe                        | 29
  PID 2204 wrote to memory of 2420  | 2204 | MicroS0FT.exe                        | 29
  PID 2204 wrote to memory of 2420  | 2204 | MicroS0FT.exe                        | 29
  PID 2204 wrote to memory of 2420  | 2204 | MicroS0FT.exe                        | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\1ed4c76010c938c38ad503c552fcde97.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ed4c76010c938c38ad503c552fcde97.exe"
  PID: 1056
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\MicroS0FT.exe
    Command line: "C:\Windows\MicroS0FT.exe"
    PID: 2204
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Windows\system32\kill.bat""
  PID: 2420

Two details of this tree matter when hunting for the same activity on a host. First, the report renders cmd.exe (PID 2420) as a top-level process, but the WriteProcessMemory rows above show PID 2204 (MicroS0FT.exe) writing into PID 2420, the same pattern the sandbox recorded when 1056 spawned 2204, so cmd.exe is best treated as a child of MicroS0FT.exe. Second, the batch file is invoked as C:\Windows\system32\kill.bat, yet the file-drop signature places it at C:\Windows\SysWOW64\kill.bat. MicroS0FT.exe is a 32-bit process (the sample carries the arch:x86 tag and it launched the SysWOW64 copy of cmd.exe), and on x64 Windows WOW64 file-system redirection maps a 32-bit process's accesses to C:\Windows\System32 onto C:\Windows\SysWOW64. Both paths therefore describe the same file; look for kill.bat and system_ylmy.exe under SysWOW64 on disk, and normalise System32 paths from 32-bit processes before matching them against these IoCs.
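The chain above, replayed as detection logic over constructed Sysmon-style process-creation events. This is an added example written for this page, not tria.ge's code and not part of the report. The three events are built from the process tree and the WriteProcessMemory rows (PID 2204 is taken as the parent of 2420); the grandparent PID 900 and the allow-list of executables that legitimately live directly in C:\Windows are assumptions. The rules flag an EXE running from the C:\Windows root, a digit-for-letter look-alike of "Microsoft" in the image name, and cmd.exe running a .bat out of a system directory, resolving the System32 path of a 32-bit process through WOW64 redirection before matching.

```python
import re
from dataclasses import dataclass

# Executables that legitimately sit directly in C:\Windows on Windows 7 (assumed
# allow-list for this example; extend it from your own baseline).
KNOWN_ROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                   "hh.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe"}
WINDOWS_ROOT = "c:\\windows"
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


@dataclass
class ProcEvent:
    """Minimal Sysmon event 1 / EDR process-creation record."""
    pid: int
    ppid: int
    image: str           # full path of the executable
    cmdline: str
    wow64: bool = False  # True for a 32-bit process on x64 Windows


def normalize_wow64_path(path: str, wow64: bool) -> str:
    # WOW64 file-system redirection: a 32-bit process that opens
    # C:\Windows\System32\X actually touches C:\Windows\SysWOW64\X.
    prefix = "c:\\windows\\system32\\"
    if wow64 and path.lower().startswith(prefix):
        return "C:\\Windows\\SysWOW64\\" + path[len(prefix):]
    return path


def exe_in_windows_root(image: str) -> bool:
    # A PE dropped straight into C:\Windows (not a subfolder) is unusual.
    head, _, name = image.lower().rpartition("\\")
    return head == WINDOWS_ROOT and name.endswith(".exe") and name not in KNOWN_ROOT_EXES


_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def homoglyph_of(name: str, target: str = "microsoft") -> bool:
    # 'MicroS0FT.exe' -> 'microsoft' after digit-for-letter substitution;
    # the genuine spelling is deliberately not flagged.
    stem = name.lower().rsplit(".", 1)[0]
    return stem != target and stem.translate(_LEET) == target


def bat_in_system_dir(ev: ProcEvent):
    # cmd /c ""C:\Windows\system32\kill.bat"" -> path of the batch file,
    # resolved through WOW64 redirection; None when no .bat is run.
    m = re.search(r'(?i)/c\s+"*([^"]+\.bat)', ev.cmdline)
    if not m:
        return None
    path = normalize_wow64_path(m.group(1), ev.wow64)
    return path if path.lower().rpartition("\\")[0] in SYSTEM_DIRS else None


def triage(events):
    """Return (pid, rule, detail) findings for the event set."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = e.image.rpartition("\\")[2]
        if exe_in_windows_root(e.image):
            findings.append((e.pid, "exe_in_windows_root", e.image))
        if homoglyph_of(name):
            findings.append((e.pid, "homoglyph_name", name))
        bat = bat_in_system_dir(e)
        if bat:
            findings.append((e.pid, "bat_from_system_dir", bat))
            parent = by_pid.get(e.ppid)
            if parent and exe_in_windows_root(parent.image):
                findings.append((e.pid, "bat_spawned_by_windows_root_exe", parent.image))
    return findings


# Constructed from the process tree and WriteProcessMemory rows in the report;
# ppid 900 (explorer.exe) for the first process is assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1ed4c76010c938c38ad503c552fcde97.exe"
EVENTS = [
    ProcEvent(1056, 900, SAMPLE, f'"{SAMPLE}"', wow64=True),
    ProcEvent(2204, 1056, r"C:\Windows\MicroS0FT.exe", r'"C:\Windows\MicroS0FT.exe"', wow64=True),
    ProcEvent(2420, 2204, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Windows\system32\kill.bat""', wow64=True),
]

if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"{pid}\t{rule}\t{detail}")
```

Run as a script it prints two findings for PID 2204 (root-of-Windows EXE, look-alike name) and two for PID 2420 (batch file under SysWOW64, spawned by a root-of-Windows EXE), and nothing for the original sample in Temp. The WOW64 normalisation is the part worth keeping: matching the literal IoC C:\Windows\SysWOW64\kill.bat against a 32-bit process's own view of the path (system32) misses the event without it.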
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 87KB
  MD5: cc84c26d487670f7d7066da145a274c0
  SHA1: df266cbe2cb56925d8ea495d5846290bbc021caf
  SHA256: b9f11225cd17196d6b232c303379c0ae417b17d70d4305a3f3cf2913606d07a1
  SHA512: c8e96c76e40ddd45730f7b11281ded0568c79d805ab86b3d7ce3301c0d33fcbd817e922c33c13999bafcf0eb98492022bff366ddb18ebad5180fa1fbefbac095
- Filesize: 18KB
  MD5: 023edae4e68f376868459883a869a5ba
  SHA1: 24541b91be8c861c0eee68f7df09e3e5e37ec1d8
  SHA256: bacc5f7d63aeae2a085e2336f75389c064fb982e9d81ecf938ab99169e19052e
  SHA512: 2bf69275e1f3edd2a834ad43622110aec0d78349947d246d556fce7a64d4d0bbf389ab9cab47ea789bf04e88f2c784062ee934a25b1ac4d45ad7a81dd7b97e8e