Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
177s -
max time network
193s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
29/12/2023, 12:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe
Resource
win7-20231215-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe
-
Size
245KB
-
MD5
ea34ac6bf9e8a70bec84e37afeea458a
-
SHA1
fd443460ccd1110b0a77385f2f66a38d3f527966
-
SHA256
fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3
-
SHA512
d3bb774467813d0f1e0a8e046dc14a4b372bdd61a6c5448c3b296e09f5f9f7493167b82aa7a6824979154f538ba05178af23247c55e7688fa78414168c13dbfa
-
SSDEEP
3072:ZO459Ejzjz10wKaEcKBIacm6QBDOmkm9wXcIfGBF5UgbB67Z:T8HzKxhcKB0VQBLk7XcIkbkt
Score
1/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeBackupPrivilege 2820 vssvc.exe Token: SeRestorePrivilege 2820 vssvc.exe Token: SeAuditPrivilege 2820 vssvc.exe Token: SeIncreaseQuotaPrivilege 640 WMIC.exe Token: SeSecurityPrivilege 640 WMIC.exe Token: SeTakeOwnershipPrivilege 640 WMIC.exe Token: SeLoadDriverPrivilege 640 WMIC.exe Token: SeSystemProfilePrivilege 640 WMIC.exe Token: SeSystemtimePrivilege 640 WMIC.exe Token: SeProfSingleProcessPrivilege 640 WMIC.exe Token: SeIncBasePriorityPrivilege 640 WMIC.exe Token: SeCreatePagefilePrivilege 640 WMIC.exe Token: SeBackupPrivilege 640 WMIC.exe Token: SeRestorePrivilege 640 WMIC.exe Token: SeShutdownPrivilege 640 WMIC.exe Token: SeDebugPrivilege 640 WMIC.exe Token: SeSystemEnvironmentPrivilege 640 WMIC.exe Token: SeRemoteShutdownPrivilege 640 WMIC.exe Token: SeUndockPrivilege 640 WMIC.exe Token: SeManageVolumePrivilege 640 WMIC.exe Token: 33 640 WMIC.exe Token: 34 640 WMIC.exe Token: 35 640 WMIC.exe Token: SeIncreaseQuotaPrivilege 640 WMIC.exe Token: SeSecurityPrivilege 640 WMIC.exe Token: SeTakeOwnershipPrivilege 640 WMIC.exe Token: SeLoadDriverPrivilege 640 WMIC.exe Token: SeSystemProfilePrivilege 640 WMIC.exe Token: SeSystemtimePrivilege 640 WMIC.exe Token: SeProfSingleProcessPrivilege 640 WMIC.exe Token: SeIncBasePriorityPrivilege 640 WMIC.exe Token: SeCreatePagefilePrivilege 640 WMIC.exe Token: SeBackupPrivilege 640 WMIC.exe Token: SeRestorePrivilege 640 WMIC.exe Token: SeShutdownPrivilege 640 WMIC.exe Token: SeDebugPrivilege 640 WMIC.exe Token: SeSystemEnvironmentPrivilege 640 WMIC.exe Token: SeRemoteShutdownPrivilege 640 WMIC.exe Token: SeUndockPrivilege 640 WMIC.exe Token: SeManageVolumePrivilege 640 WMIC.exe Token: 33 640 WMIC.exe Token: 34 640 WMIC.exe Token: 35 640 WMIC.exe Token: SeIncreaseQuotaPrivilege 1708 WMIC.exe Token: SeSecurityPrivilege 1708 WMIC.exe Token: SeTakeOwnershipPrivilege 1708 WMIC.exe Token: SeLoadDriverPrivilege 1708 WMIC.exe Token: SeSystemProfilePrivilege 1708 WMIC.exe Token: SeSystemtimePrivilege 1708 WMIC.exe Token: SeProfSingleProcessPrivilege 1708 WMIC.exe Token: SeIncBasePriorityPrivilege 1708 WMIC.exe Token: SeCreatePagefilePrivilege 1708 WMIC.exe Token: SeBackupPrivilege 1708 WMIC.exe Token: SeRestorePrivilege 1708 WMIC.exe Token: SeShutdownPrivilege 1708 WMIC.exe Token: SeDebugPrivilege 1708 WMIC.exe Token: SeSystemEnvironmentPrivilege 1708 WMIC.exe Token: SeRemoteShutdownPrivilege 1708 WMIC.exe Token: SeUndockPrivilege 1708 WMIC.exe Token: SeManageVolumePrivilege 1708 WMIC.exe Token: 33 1708 WMIC.exe Token: 34 1708 WMIC.exe Token: 35 1708 WMIC.exe Token: SeIncreaseQuotaPrivilege 1612 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2636 wrote to memory of 2600 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 33 PID 2636 wrote to memory of 2600 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 33 PID 2636 wrote to memory of 2600 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 33 PID 2600 wrote to memory of 640 2600 cmd.exe 34 PID 2600 wrote to memory of 640 2600 cmd.exe 34 PID 2600 wrote to memory of 640 2600 cmd.exe 34 PID 2636 wrote to memory of 1900 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 35 PID 2636 wrote to memory of 1900 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 35 PID 2636 wrote to memory of 1900 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 35 PID 1900 wrote to memory of 1708 1900 cmd.exe 37 PID 1900 wrote to memory of 1708 1900 cmd.exe 37 PID 1900 wrote to memory of 1708 1900 cmd.exe 37 PID 2636 wrote to memory of 2472 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 38 PID 2636 wrote to memory of 2472 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 38 PID 2636 wrote to memory of 2472 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 38 PID 2472 wrote to memory of 1612 2472 cmd.exe 40 PID 2472 wrote to memory of 1612 2472 cmd.exe 40 PID 2472 wrote to memory of 1612 2472 cmd.exe 40 PID 2636 wrote to memory of 1368 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 41 PID 2636 wrote to memory of 1368 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 41 PID 2636 wrote to memory of 1368 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 41 PID 1368 wrote to memory of 1416 1368 cmd.exe 42 PID 1368 wrote to memory of 1416 1368 cmd.exe 42 PID 1368 wrote to memory of 1416 1368 cmd.exe 42 PID 2636 wrote to memory of 2148 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 45 PID 2636 wrote to memory of 2148 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 45 PID 2636 wrote to memory of 2148 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 45 PID 2148 wrote to memory of 2996 2148 cmd.exe 46 PID 2148 wrote to memory of 2996 2148 cmd.exe 46 PID 2148 wrote to memory of 2996 2148 cmd.exe 46 PID 2636 wrote to memory of 2016 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 47 PID 2636 wrote to memory of 2016 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 47 PID 2636 wrote to memory of 2016 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 47 PID 2016 wrote to memory of 540 2016 cmd.exe 48 PID 2016 wrote to memory of 540 2016 cmd.exe 48 PID 2016 wrote to memory of 540 2016 cmd.exe 48 PID 2636 wrote to memory of 1728 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 50 PID 2636 wrote to memory of 1728 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 50 PID 2636 wrote to memory of 1728 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 50 PID 1728 wrote to memory of 396 1728 cmd.exe 52 PID 1728 wrote to memory of 396 1728 cmd.exe 52 PID 1728 wrote to memory of 396 1728 cmd.exe 52 PID 2636 wrote to memory of 1800 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 53 PID 2636 wrote to memory of 1800 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 53 PID 2636 wrote to memory of 1800 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 53 PID 1800 wrote to memory of 1688 1800 cmd.exe 55 PID 1800 wrote to memory of 1688 1800 cmd.exe 55 PID 1800 wrote to memory of 1688 1800 cmd.exe 55 PID 2636 wrote to memory of 1540 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 56 PID 2636 wrote to memory of 1540 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 56 PID 2636 wrote to memory of 1540 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 56 PID 1540 wrote to memory of 2852 1540 cmd.exe 58 PID 1540 wrote to memory of 2852 1540 cmd.exe 58 PID 1540 wrote to memory of 2852 1540 cmd.exe 58 PID 2636 wrote to memory of 744 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 59 PID 2636 wrote to memory of 744 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 59 PID 2636 wrote to memory of 744 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 59 PID 744 wrote to memory of 1504 744 cmd.exe 61 PID 744 wrote to memory of 1504 744 cmd.exe 61 PID 744 wrote to memory of 1504 744 cmd.exe 61 PID 2636 wrote to memory of 624 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 62 PID 2636 wrote to memory of 624 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 62 PID 2636 wrote to memory of 624 2636 fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe 62 PID 624 wrote to memory of 2436 624 cmd.exe 64 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe"C:\Users\Admin\AppData\Local\Temp\fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1ACCE991-7EC0-49B2-8058-663F661BE4D1}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1ACCE991-7EC0-49B2-8058-663F661BE4D1}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:640
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1DB881E5-2E43-48EC-A280-39F177E7FA72}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1DB881E5-2E43-48EC-A280-39F177E7FA72}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{402010B7-A1EB-4FB7-BA27-097A813436FE}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{402010B7-A1EB-4FB7-BA27-097A813436FE}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4D8DA8F4-A898-4757-B0C9-55F314803414}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4D8DA8F4-A898-4757-B0C9-55F314803414}'" delete3⤵PID:1416
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9AFFB13-CB40-485F-B606-61DC8F14E7E8}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9AFFB13-CB40-485F-B606-61DC8F14E7E8}'" delete3⤵PID:2996
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E69CDFA-9CAD-4EA2-99AE-97DC2C8B5DB1}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0E69CDFA-9CAD-4EA2-99AE-97DC2C8B5DB1}'" delete3⤵PID:540
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3ECECCE5-21A1-4E80-BE04-D99CF44E4C69}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3ECECCE5-21A1-4E80-BE04-D99CF44E4C69}'" delete3⤵PID:396
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F16835C0-470A-4E1F-8D86-2A308F5BA75B}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F16835C0-470A-4E1F-8D86-2A308F5BA75B}'" delete3⤵PID:1688
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2F3AD5D4-8287-4C50-95B7-724958AE4211}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2F3AD5D4-8287-4C50-95B7-724958AE4211}'" delete3⤵PID:2852
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FDDACB6D-3202-4C72-BB1F-055D97D07A13}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FDDACB6D-3202-4C72-BB1F-055D97D07A13}'" delete3⤵PID:1504
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B0D5AF10-F855-40AD-82AE-8CFF2C9ECA61}'" delete2⤵
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B0D5AF10-F855-40AD-82AE-8CFF2C9ECA61}'" delete3⤵PID:2436
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3DCDAA6-B2F0-4732-A304-B3FD67B6195D}'" delete2⤵PID:2360
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3DCDAA6-B2F0-4732-A304-B3FD67B6195D}'" delete3⤵PID:2068
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AEEE01A-55B3-4ED4-9386-41F40128EF89}'" delete2⤵PID:1700
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7AEEE01A-55B3-4ED4-9386-41F40128EF89}'" delete3⤵PID:3032
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{011E455E-C5C1-4863-B238-D0F321EB828E}'" delete2⤵PID:2248
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{011E455E-C5C1-4863-B238-D0F321EB828E}'" delete3⤵PID:1716
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2599833D-8A3F-4A4D-B798-EF8E2805662E}'" delete2⤵PID:1064
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2599833D-8A3F-4A4D-B798-EF8E2805662E}'" delete3⤵PID:1744
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D18D436D-A90D-4B4B-A4A8-88F17A9B12C0}'" delete2⤵PID:2912
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D18D436D-A90D-4B4B-A4A8-88F17A9B12C0}'" delete3⤵PID:2304
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D11847C7-6BA6-4CA5-AA60-B8628F67786F}'" delete2⤵PID:2572
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D11847C7-6BA6-4CA5-AA60-B8628F67786F}'" delete3⤵PID:2224
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5DEDB20D-F762-4E01-B812-7272288DCD0F}'" delete2⤵PID:1732
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5DEDB20D-F762-4E01-B812-7272288DCD0F}'" delete1⤵PID:3056