Analysis
max time kernel: 143s
max time network: 128s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: 0aa5880279785eb51d925794901bf1ea.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0aa5880279785eb51d925794901bf1ea.exe
  Resource: win10v2004-20231215-en
General
Target: 0aa5880279785eb51d925794901bf1ea.exe
Size: 551KB
MD5: 0aa5880279785eb51d925794901bf1ea
SHA1: e4b82bbc3a494149f97b6530d17a71c2ac8552ee
SHA256: e6a8753ea5da55b38bc6ba5b81e4727e8ffb429912204c586950e6df002b50e3
SHA512: 6da61f0088a7f851e726afb58c3c8f4c2d1463d34f1aeddceae74f3e8acec1cd9abd0471f896ca7e424256dc491ef9684ad38f6b8a12616fee4f30a0183c1218
SSDEEP: 12288:xs1Q0RGXqkAvRbQxARoOaqObVHQo30ve2vZd4:x0fPpJoOaHyRGsZK
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  2888  cmd.exe
Executes dropped EXE (1 IoC)
  pid   Process
  2808  360tray
Drops file in Windows directory (3 IoCs)
  description                   ioc                      Process
  File opened for modification  C:\Windows\360tray       0aa5880279785eb51d925794901bf1ea.exe
  File created                  C:\Windows\uninstal.bat  0aa5880279785eb51d925794901bf1ea.exe
  File created                  C:\Windows\360tray       0aa5880279785eb51d925794901bf1ea.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2476  0aa5880279785eb51d925794901bf1ea.exe
  Token: SeDebugPrivilege   2808  360tray
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2808  360tray
Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   Process                               procid_target
  PID 2808 wrote to memory of 3028    2808  360tray                               29
  PID 2808 wrote to memory of 3028    2808  360tray                               29
  PID 2808 wrote to memory of 3028    2808  360tray                               29
  PID 2808 wrote to memory of 3028    2808  360tray                               29
  PID 2476 wrote to memory of 2888    2476  0aa5880279785eb51d925794901bf1ea.exe  31
  PID 2476 wrote to memory of 2888    2476  0aa5880279785eb51d925794901bf1ea.exe  31
  PID 2476 wrote to memory of 2888    2476  0aa5880279785eb51d925794901bf1ea.exe  31
  PID 2476 wrote to memory of 2888    2476  0aa5880279785eb51d925794901bf1ea.exe  31
  PID 2476 wrote to memory of 2888    2476  0aa5880279785eb51d925794901bf1ea.exe  31
  PID 2476 wrote to memory of 2888    2476  0aa5880279785eb51d925794901bf1ea.exe  31
  PID 2476 wrote to memory of 2888    2476  0aa5880279785eb51d925794901bf1ea.exe  31
Processes
1. C:\Users\Admin\AppData\Local\Temp\0aa5880279785eb51d925794901bf1ea.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0aa5880279785eb51d925794901bf1ea.exe"
   PID: 2476
   Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\uninstal.bat
      PID: 2888
      Signatures: Deletes itself
1. C:\Windows\360tray
   Command line: C:\Windows\360tray
   PID: 2808
   Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      PID: 3028
Network
MITRE ATT&CK Matrix
Downloads
File 1
  Filesize: 551KB
  MD5: 0aa5880279785eb51d925794901bf1ea
  SHA1: e4b82bbc3a494149f97b6530d17a71c2ac8552ee
  SHA256: e6a8753ea5da55b38bc6ba5b81e4727e8ffb429912204c586950e6df002b50e3
  SHA512: 6da61f0088a7f851e726afb58c3c8f4c2d1463d34f1aeddceae74f3e8acec1cd9abd0471f896ca7e424256dc491ef9684ad38f6b8a12616fee4f30a0183c1218
File 2
  Filesize: 190B
  MD5: 204288cdc6589d41771a55c6105231c0
  SHA1: 302746f7ab9f8c8230866b952f5fb80d2c6da49f
  SHA256: faa27d318c4f4a962a2d77b058f3033bf2d2a4007e0c99ac43e53ac5ee042909
  SHA512: caafc2e09b55b8a71624459c9043a33abbf09e8d350a86e545a10c137fb1bbc9975521efcaba4c0a59c6fc53e23d8490edae8e1deeaa4be2d41e89b007107258