Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
0s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
30/12/2023, 11:12
Static task
static1
Behavioral task
behavioral1
Sample
16db8a8242583743a29f612d7055b390.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
16db8a8242583743a29f612d7055b390.exe
Resource
win10v2004-20231222-en
General
-
Target
16db8a8242583743a29f612d7055b390.exe
-
Size
24KB
-
MD5
16db8a8242583743a29f612d7055b390
-
SHA1
4e9dd0c3a451fb0fc672b6b0dafc1fa46931b06e
-
SHA256
d2bc58131a12c9c55296c84310649e8037a92bab3fa1140b86fd457571a286f4
-
SHA512
7328995cb0b62c1e926dca256eba58e2816e740c8d3a4713011afab146755494383f0ce02007a9956c434501b83be3451c9c1eba0b04c854294b391aad157e29
-
SSDEEP
384:E3eVES+/xwGkRKJi/GSglM61qmTTMVF9/q5j/0:bGS+ZfbJTO8qYoAw
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" 16db8a8242583743a29f612d7055b390.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe 16db8a8242583743a29f612d7055b390.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 1124 tasklist.exe -
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid Process 2016 ipconfig.exe 2684 NETSTAT.EXE -
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1124 tasklist.exe Token: SeDebugPrivilege 2684 NETSTAT.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2360 16db8a8242583743a29f612d7055b390.exe 2360 16db8a8242583743a29f612d7055b390.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2360 wrote to memory of 2368 2360 16db8a8242583743a29f612d7055b390.exe 16 PID 2360 wrote to memory of 2368 2360 16db8a8242583743a29f612d7055b390.exe 16 PID 2360 wrote to memory of 2368 2360 16db8a8242583743a29f612d7055b390.exe 16 PID 2360 wrote to memory of 2368 2360 16db8a8242583743a29f612d7055b390.exe 16 PID 2368 wrote to memory of 2988 2368 cmd.exe 23 PID 2368 wrote to memory of 2988 2368 cmd.exe 23 PID 2368 wrote to memory of 2988 2368 cmd.exe 23 PID 2368 wrote to memory of 2988 2368 cmd.exe 23 PID 2368 wrote to memory of 2016 2368 cmd.exe 17 PID 2368 wrote to memory of 2016 2368 cmd.exe 17 PID 2368 wrote to memory of 2016 2368 cmd.exe 17 PID 2368 wrote to memory of 2016 2368 cmd.exe 17 PID 2368 wrote to memory of 1124 2368 cmd.exe 18 PID 2368 wrote to memory of 1124 2368 cmd.exe 18 PID 2368 wrote to memory of 1124 2368 cmd.exe 18 PID 2368 wrote to memory of 1124 2368 cmd.exe 18 PID 2368 wrote to memory of 2580 2368 cmd.exe 22 PID 2368 wrote to memory of 2580 2368 cmd.exe 22 PID 2368 wrote to memory of 2580 2368 cmd.exe 22 PID 2368 wrote to memory of 2580 2368 cmd.exe 22 PID 2580 wrote to memory of 2660 2580 net.exe 20 PID 2580 wrote to memory of 2660 2580 net.exe 20 PID 2580 wrote to memory of 2660 2580 net.exe 20 PID 2580 wrote to memory of 2660 2580 net.exe 20 PID 2368 wrote to memory of 2684 2368 cmd.exe 21 PID 2368 wrote to memory of 2684 2368 cmd.exe 21 PID 2368 wrote to memory of 2684 2368 cmd.exe 21 PID 2368 wrote to memory of 2684 2368 cmd.exe 21
Processes
-
C:\Users\Admin\AppData\Local\Temp\16db8a8242583743a29f612d7055b390.exe"C:\Users\Admin\AppData\Local\Temp\16db8a8242583743a29f612d7055b390.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\cmd.execmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log2⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /all3⤵
- Gathers network information
PID:2016
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1124
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -an3⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
C:\Windows\SysWOW64\net.exenet start3⤵
- Suspicious use of WriteProcessMemory
PID:2580
-
-
C:\Windows\SysWOW64\cmd.execmd /c set3⤵PID:2988
-
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start1⤵PID:2660
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD508f953595317535e35d9e8ef28a8091e
SHA1d4305511b3d1691ff99fb827cbdf5bb281483e1d
SHA256d58dbd83b701c50190ae2e7a31c5b2bcdc7a9e0c8b070a0f3d545b465a74b844
SHA512ef532080a9eb5f7920affe221d1c08ed70b060d0aee7def280eaeb922b633daaab4bbbab8f54bc981652715dc0982cb059cddd466d9a9e9eadcb4fccdecf9ddc