Analysis
- max time kernel: 121s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 19:46
Behavioral task: behavioral1
- Sample: 3909a0bcc36e45cd8c2b7a6e176bbed8.exe
- Resource: win7-20231215-en
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: 3909a0bcc36e45cd8c2b7a6e176bbed8.exe
- Resource: win10v2004-20231215-en
- 2 signatures
- 150 seconds
General
- Target: 3909a0bcc36e45cd8c2b7a6e176bbed8.exe
- Size: 59KB
- MD5: 3909a0bcc36e45cd8c2b7a6e176bbed8
- SHA1: 2082bfa1f696bf6ffc5776a6e4e3714e59689c88
- SHA256: 9441f1ddb6da339269ef9c0c3141e290bf32a027b6f797dc5237eb7b489364ed
- SHA512: a3360f5c78fcf494d09c99c18a07e33ac56261b5c7371b9eb2a7c4760e8c388c49fe6034b65ffd04ed023f6352bdb85e5fa913a54e892b50858492b7b311665e
- SSDEEP: 768:GFoWTi7VKJKT0OWs5TtWERYImI7YSNyPtGJiIf6hYyIGfMrSnshKubehypRl4TM0:CbT0QRs5TQxUGwf6bsr5Sh2Rl4h5z
- Score: 7/10
Malware Config

Signatures
- resource: behavioral1/memory/2636-0-0x0000000000400000-0x0000000000421000-memory.dmp, yara_rule: upx
- Program crash (1 IoCs)
  pid: 2568, pid_target: 2636, Process: WerFault.exe, procid_target: 14
- Suspicious behavior: RenamesItself (1 IoCs)
  pid: 2636, Process: 3909a0bcc36e45cd8c2b7a6e176bbed8.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeTakeOwnershipPrivilege, pid: 2636, Process: 3909a0bcc36e45cd8c2b7a6e176bbed8.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2636 wrote to memory of 2568, pid: 2636, Process: 3909a0bcc36e45cd8c2b7a6e176bbed8.exe, procid_target: 29 (this entry is recorded four times)
Processes
- C:\Users\Admin\AppData\Local\Temp\3909a0bcc36e45cd8c2b7a6e176bbed8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3909a0bcc36e45cd8c2b7a6e176bbed8.exe"
  PID: 2636
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 308
    PID: 2568
    - Program crash