Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 01:56
Static task: static1
Behavioral task: behavioral1
- Sample: 0ad6364e0eb5e1c76ce0653277bd3fb6.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 0ad6364e0eb5e1c76ce0653277bd3fb6.exe
- Resource: win10v2004-20231215-en
General
- Target: 0ad6364e0eb5e1c76ce0653277bd3fb6.exe
- Size: 24KB
- MD5: 0ad6364e0eb5e1c76ce0653277bd3fb6
- SHA1: b36a36472d95d6425c814812404faaefc14804ba
- SHA256: 7e35274d060ebe4c97ea6d499742967bbdd41403ebda9070b612dda0a35a6c49
- SHA512: ef9c2979d1268c4ddd38a73509ec7e28148e1277e8b934da3cf821022e3e20f6a710e0e61b6d3cd7ec600e1f45aac17f21ae479f95059384be17d5adc269d5ca
- SSDEEP: 384:E3eVES+/xwGkRKJEg/plM61qmTTMVF9/q5T0:bGS+ZfbJPO8qYoAY
Malware Config
Signatures

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  process: 0ad6364e0eb5e1c76ce0653277bd3fb6.exe

- Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  process: 0ad6364e0eb5e1c76ce0653277bd3fb6.exe

- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 2176: tasklist.exe

- Gathers network information (2 TTPs, 2 IoCs)
  Uses command-line utilities to view the network configuration.
  pid 3052: ipconfig.exe
  pid 2752: NETSTAT.EXE

- Runs net.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2176, tasklist.exe
  Token: SeDebugPrivilege, pid 2752, NETSTAT.EXE

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2928: 0ad6364e0eb5e1c76ce0653277bd3fb6.exe
  pid 2928: 0ad6364e0eb5e1c76ce0653277bd3fb6.exe

- Suspicious use of WriteProcessMemory (28 IoCs; seven distinct events, each logged four times)
  description                          pid   Process                               procid_target
  PID 2928 wrote to memory of 2992     2928  0ad6364e0eb5e1c76ce0653277bd3fb6.exe  23
  PID 2992 wrote to memory of 2872     2992  cmd.exe                               15
  PID 2992 wrote to memory of 3052     2992  cmd.exe                               16
  PID 2992 wrote to memory of 2176     2992  cmd.exe                               17
  PID 2992 wrote to memory of 2668     2992  cmd.exe                               21
  PID 2668 wrote to memory of 2672     2668  net.exe                               20
  PID 2992 wrote to memory of 2752     2992  cmd.exe                               19
Processes

C:\Users\Admin\AppData\Local\Temp\0ad6364e0eb5e1c76ce0653277bd3fb6.exe (PID 2928)
  command line: "C:\Users\Admin\AppData\Local\Temp\0ad6364e0eb5e1c76ce0653277bd3fb6.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2992)
    command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2872)
      command line: cmd /c set

    C:\Windows\SysWOW64\ipconfig.exe (PID 3052)
      command line: ipconfig /all
      - Gathers network information

    C:\Windows\SysWOW64\tasklist.exe (PID 2176)
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\NETSTAT.EXE (PID 2752)
      command line: netstat -an
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\net.exe (PID 2668)
      command line: net start
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (PID 2672)
        command line: C:\Windows\system32\net1 start
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
- MD5: a4c29a0b65f8ddfed453d8b229084f1e
- SHA1: 133d23bf3350cc615fa71d8d07899a2d8f00d2d4
- SHA256: 445ac3607bd498dd9bbb62460676b7f2bbe03c846940cc8c18ddadd8b02c039c
- SHA512: bd25340c46f337ab10b417fccf5e2deea22edc1fb4d71cba2d4e4ed7ac1519c0333da0ad9d37c3f0ac00d9edfa60e641c5c233edccc9c2a9f54764973b65c358