Analysis
- max time kernel: 82s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 23:21
Behavioral task behavioral1
- Sample: 06c6660d4fd004b01023b32364c1082c.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 06c6660d4fd004b01023b32364c1082c.exe
- Resource: win10v2004-20231215-en
General
- Target: 06c6660d4fd004b01023b32364c1082c.exe
- Size: 17KB
- MD5: 06c6660d4fd004b01023b32364c1082c
- SHA1: fdbbdaf5df0e0deda1ccdf8734180c0ca2f26256
- SHA256: 86b5dc538603c5f40164e7a70b1605fbcbd274f7ae8d6b5d774b0c49a568a015
- SHA512: 2703a208103f307dd15412d8af7753b70bb5ad0eeca3b31ca4bea3ec013a51ee4c24507d011c337169e78a62b607a524a8e1dfe873ff6fe98442ba243a7fd15d
- SSDEEP: 384:njb2KK8qY5m2en32YKzWk0J0TXRasQDj77:jw8Dne32YKzWkOKXXC7
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  description: File opened for modification | ioc: C:\Windows\SysWOW64\drivers\PCIDump.sys | Process: 06c6660d4fd004b01023b32364c1082c.exe
- Executes dropped EXE (1 IoC)
  pid: 2748 | Process: WinHelp32.exe
- Loads dropped DLL (2 IoCs)
  pid: 1516 | Process: 06c6660d4fd004b01023b32364c1082c.exe
  pid: 1516 | Process: 06c6660d4fd004b01023b32364c1082c.exe
- yara_rule matches (2 IoCs)
  resource: behavioral1/memory/1516-0-0x0000000000400000-0x000000000040E000-memory.dmp | yara_rule: upx
  resource: behavioral1/files/0x001000000000b1f5-6.dat | yara_rule: upx
- Drops file in System32 directory (2 IoCs)
  description: File created | ioc: C:\Windows\SysWOW64\WinHelp32.exe | Process: 06c6660d4fd004b01023b32364c1082c.exe
  description: File opened for modification | ioc: C:\Windows\SysWOW64\WinHelp32.exe | Process: 06c6660d4fd004b01023b32364c1082c.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeIncBasePriorityPrivilege | pid: 1516 | Process: 06c6660d4fd004b01023b32364c1082c.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1516 wrote to memory of 2748 | pid: 1516 | Process: 06c6660d4fd004b01023b32364c1082c.exe | procid_target: 27
  description: PID 1516 wrote to memory of 2748 | pid: 1516 | Process: 06c6660d4fd004b01023b32364c1082c.exe | procid_target: 27
  description: PID 1516 wrote to memory of 2748 | pid: 1516 | Process: 06c6660d4fd004b01023b32364c1082c.exe | procid_target: 27
  description: PID 1516 wrote to memory of 2748 | pid: 1516 | Process: 06c6660d4fd004b01023b32364c1082c.exe | procid_target: 27
  description: PID 1516 wrote to memory of 2832 | pid: 1516 | Process: 06c6660d4fd004b01023b32364c1082c.exe | procid_target: 28
  description: PID 1516 wrote to memory of 2832 | pid: 1516 | Process: 06c6660d4fd004b01023b32364c1082c.exe | procid_target: 28
  description: PID 1516 wrote to memory of 2832 | pid: 1516 | Process: 06c6660d4fd004b01023b32364c1082c.exe | procid_target: 28
  description: PID 1516 wrote to memory of 2832 | pid: 1516 | Process: 06c6660d4fd004b01023b32364c1082c.exe | procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\06c6660d4fd004b01023b32364c1082c.exe (PID 1516)
  command line: "C:\Users\Admin\AppData\Local\Temp\06c6660d4fd004b01023b32364c1082c.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WinHelp32.exe (PID 2748)
    command line: "C:\Windows\system32\WinHelp32.exe"
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2832)
    command line: C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\06C666~1.EXE > nul
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 17KB
  MD5: 06c6660d4fd004b01023b32364c1082c
  SHA1: fdbbdaf5df0e0deda1ccdf8734180c0ca2f26256
  SHA256: 86b5dc538603c5f40164e7a70b1605fbcbd274f7ae8d6b5d774b0c49a568a015
  SHA512: 2703a208103f307dd15412d8af7753b70bb5ad0eeca3b31ca4bea3ec013a51ee4c24507d011c337169e78a62b607a524a8e1dfe873ff6fe98442ba243a7fd15d