Analysis
- max time kernel: 142s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 08:26
Static task: static1
Behavioral task: behavioral1
- Sample: 11ef17e993626c9ffd229d0ad329e5a9.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 11ef17e993626c9ffd229d0ad329e5a9.exe
- Resource: win10v2004-20231215-en
General
- Target: 11ef17e993626c9ffd229d0ad329e5a9.exe
- Size: 602KB
- MD5: 11ef17e993626c9ffd229d0ad329e5a9
- SHA1: 87d6223b3a3c14f380da1a5e581c124a78f0e8aa
- SHA256: 32f8af57fdfb2cc83432fb295ba83f09d8d3c70bd3062fb4b26f8a501fd83009
- SHA512: cf7b5ee0b60a8d173d94af966bee61aa33c965c3b73bbf503718b4a5f4d06c62142e6165e8de1194827fd880d26140bc8e2a231ca133a2c40816caca24664912
- SSDEEP: 12288:xmkaMWNGlM8sso58vxLSfQ2kPmUMILeJShM14SRBrMoip:xfkNr8YQWfQTPmAyJ+M+SRBrM
Malware Config
Signatures
- Yara rule match
  resource: behavioral1/memory/2332-0-0x0000000001D50000-0x0000000001E78000-memory.dmp | yara_rule: upx
  resource: behavioral1/memory/2332-1-0x0000000001D50000-0x0000000001E78000-memory.dmp | yara_rule: upx
- Drops file in Program Files directory (1 IoCs)
  description: File created | ioc: C:\PROGRA~2\is259396418.log | Process: 11ef17e993626c9ffd229d0ad329e5a9.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid: 1440 | pid_target: 2332 | Process: WerFault.exe | procid_target: 14
- Modifies Internet Explorer settings
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main | Process: 11ef17e993626c9ffd229d0ad329e5a9.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2332 | Process: 11ef17e993626c9ffd229d0ad329e5a9.exe
  pid: 2332 | Process: 11ef17e993626c9ffd229d0ad329e5a9.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeShutdownPrivilege | pid: 2332 | Process: 11ef17e993626c9ffd229d0ad329e5a9.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2332 | Process: 11ef17e993626c9ffd229d0ad329e5a9.exe
  pid: 2332 | Process: 11ef17e993626c9ffd229d0ad329e5a9.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\11ef17e993626c9ffd229d0ad329e5a9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\11ef17e993626c9ffd229d0ad329e5a9.exe"
   PID: 2332
   - Drops file in Program Files directory
   - Modifies Internet Explorer settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   2. C:\Windows\SysWOW64\WerFault.exe (child of PID 2332)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1628
      PID: 1440
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 156B
  MD5: 1ea9e5b417811379e874ad4870d5c51a
  SHA1: a4bd01f828454f3619a815dbe5423b181ec4051c
  SHA256: f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a
  SHA512: 965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa
- Filesize: 632B
  MD5: 8f6a2e09ace79158461b82d74ff6c7fd
  SHA1: 88f079fd001feb2cb302565b87fdb81c8995dd93
  SHA256: b4bee76334ab9b4b0bdd2bff1b3f3a7b30d2e758bb8d4c6e457c9594bb62960c
  SHA512: 869305ea12f21564e56882fef318cdc21f88715f894e8140ae6b2cf3137a4c2002a34f2f8ae2719f770e2d0c892244b5e5f3229f1382e799dd309f52657cb98e