Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25/12/2023, 16:41
Static task
static1
Behavioral task
behavioral1
Sample
2df142828348d2957d126f31e8343c04.exe
Resource
win7-20231215-en
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
2df142828348d2957d126f31e8343c04.exe
Resource
win10v2004-20231215-en
5 signatures
150 seconds
General
-
Target
2df142828348d2957d126f31e8343c04.exe
-
Size
1.3MB
-
MD5
2df142828348d2957d126f31e8343c04
-
SHA1
7d372595da310264871a00fd6dfb609afe052f5d
-
SHA256
22f35c559f9aee7f235f08b08003c36d9d7ca43240b47517a0b2aa0fe197135f
-
SHA512
221c76c0c5b32b633e6c167480c6ef693f0610c7f8afa591cb1cf17c4460b62ed7c0d5684953bf10e22d823eec3da5c1c36f442d448acd7a9fd81c2b19349750
-
SSDEEP
24576:UnIAiW5XlHXbH/l4dTPwz8uXq8xAE6g1xNjNx9ovXKAWqcCLxQpQ3KwsW3:CIKNBXkPvD8mE6g13NxSv6A/xAwp
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2120 vKr83A.exe -
Loads dropped DLL 3 IoCs
pid Process 2872 2df142828348d2957d126f31e8343c04.exe 2120 vKr83A.exe 2120 vKr83A.exe -
Use of msiexec (install) with remote resource 1 IoCs
pid Process 2608 MSIEXEC.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 2608 MSIEXEC.EXE Token: SeIncreaseQuotaPrivilege 2608 MSIEXEC.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2608 MSIEXEC.EXE 2608 MSIEXEC.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2872 wrote to memory of 2120 2872 2df142828348d2957d126f31e8343c04.exe 19 PID 2872 wrote to memory of 2120 2872 2df142828348d2957d126f31e8343c04.exe 19 PID 2872 wrote to memory of 2120 2872 2df142828348d2957d126f31e8343c04.exe 19 PID 2872 wrote to memory of 2120 2872 2df142828348d2957d126f31e8343c04.exe 19 PID 2872 wrote to memory of 2120 2872 2df142828348d2957d126f31e8343c04.exe 19 PID 2872 wrote to memory of 2120 2872 2df142828348d2957d126f31e8343c04.exe 19 PID 2872 wrote to memory of 2120 2872 2df142828348d2957d126f31e8343c04.exe 19 PID 2120 wrote to memory of 2608 2120 vKr83A.exe 29 PID 2120 wrote to memory of 2608 2120 vKr83A.exe 29 PID 2120 wrote to memory of 2608 2120 vKr83A.exe 29 PID 2120 wrote to memory of 2608 2120 vKr83A.exe 29 PID 2120 wrote to memory of 2608 2120 vKr83A.exe 29 PID 2120 wrote to memory of 2608 2120 vKr83A.exe 29 PID 2120 wrote to memory of 2608 2120 vKr83A.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\2df142828348d2957d126f31e8343c04.exe"C:\Users\Admin\AppData\Local\Temp\2df142828348d2957d126f31e8343c04.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\vKr83A.exe"C:\Users\Admin\AppData\Local\Temp\vKr83A.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\MSIEXEC.EXEMSIEXEC.EXE /i "http://setup.realtimegaming.com/36175/cdn/sunpalace/Sun Palace Casino20110901014501.msi" DDC_DID=685852 DDC_RTGURL=http://216.93.176.186/dl/TrackSetup/TrackSetup.aspx?DID=685852 DDC_UPDATESTATUSURL=http://196.40.83.82:8080/sunpalacecasino/Lobby.WebServices/Installer.asmx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="vKr83A.exe"3⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2608
-
-