Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    0s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 13:21

General

  • Target

    19d2215ff2a61f2c5a5cb88dc7896115.exe

  • Size

    24KB

  • MD5

    19d2215ff2a61f2c5a5cb88dc7896115

  • SHA1

    8d889186c2848091b74e40780a50668404cce3f9

  • SHA256

    afccc63ae40d656ecd3e96dd8238026839b81e1b5cae917fe74e2cd3c2c60102

  • SHA512

    a0a90840f3874cff382d612b03bf71c42c2b690ca63f8d206e986508ee7bd032c7964e9f5a6cc242f5d780d6be096489cea6c11896e7f9e9514d5050a4654717

  • SSDEEP

    384:E3eVES+/xwGkRKJilM61qmTTMVF9/q5c0:bGS+ZfbJiO8qYoAN

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (1 IoC)
  • Enumerates processes with tasklist (1 TTP, 1 IoC)
  • Gathers network information (2 TTPs, 2 IoCs)

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Windows\SysWOW64\cmd.exe
    cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      2⤵
      • Gathers network information
      PID:2024
    • C:\Windows\SysWOW64\tasklist.exe
      tasklist
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\SysWOW64\net.exe
      net start
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 start
        3⤵
        PID:2604
    • C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -an
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c set
      2⤵
      PID:2784
  • C:\Users\Admin\AppData\Local\Temp\19d2215ff2a61f2c5a5cb88dc7896115.exe
    "C:\Users\Admin\AppData\Local\Temp\19d2215ff2a61f2c5a5cb88dc7896115.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2864
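The cmd.exe chain above is a one-shot host reconnaissance batch: `ver`, `set` (which dumps the environment, including user and computer name), `ipconfig /all`, `tasklist`, `net start` and `netstat -an` all run from one parent and append into c:\windows\temp\flash.log, the 8KB file listed under Downloads. A detection that keys on that shape, one parent spawning several discovery utilities and funnelling their output into a single file, is shown below as an added example; it is not part of the report or of tria.ge. It runs in Python over constructed process-creation events modelled on the tree above (the parent link from cmd.exe 2904 to the sample 2864, and the extra "admin at a console" noise rows, are assumptions; the report lists cmd.exe and the sample as separate top-level processes).

```python
import ntpath
import re
from collections import defaultdict

# Constructed process-creation events shaped like the process tree in the
# report above; not real telemetry. Linking cmd.exe (2904) to the sample
# (2864) and the pid 3000/3001 noise rows are assumptions for the example.
SAMPLE_EVENTS = [
    {"pid": 2864, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\19d2215ff2a61f2c5a5cb88dc7896115.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\19d2215ff2a61f2c5a5cb88dc7896115.exe"'},
    {"pid": 2904, "ppid": 2864, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r"cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log"
                 r" & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log"
                 r" & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log")},
    {"pid": 2024, "ppid": 2904, "image": r"C:\Windows\SysWOW64\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"pid": 1684, "ppid": 2904, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 2584, "ppid": 2904, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net start"},
    {"pid": 2604, "ppid": 2584, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 start"},
    {"pid": 2660, "ppid": 2904, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE", "cmdline": "netstat -an"},
    {"pid": 2784, "ppid": 2904, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c set"},
    # Benign noise (constructed): an operator running a single tool by hand.
    {"pid": 3000, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd"},
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
]

# Built-in utilities commonly chained for host and network discovery.
RECON_TOOLS = {
    "ipconfig.exe", "tasklist.exe", "net.exe", "net1.exe", "netstat.exe",
    "systeminfo.exe", "whoami.exe", "arp.exe", "route.exe", "nltest.exe",
}

# '>' or '>>' followed by the redirect target, up to the next space, '&' or '|'.
REDIRECT_RE = re.compile(r">{1,2}\s*([^\s&|]+)")


def redirect_targets(cmdline):
    """Lower-cased set of file paths a command line redirects output into."""
    return {t.lower() for t in REDIRECT_RE.findall(cmdline)}


def find_recon_bursts(events, min_tools=3):
    """Flag parents that spawn at least `min_tools` distinct recon utilities.

    One finding per parent: its pid and image, the utilities seen, and the
    redirect targets in the parent's own command line. A single file fed by
    every child (flash.log above) is the strongest part of the signal.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for ppid, kids in children.items():
        # ntpath, not os.path: the images are Windows paths whatever host this runs on.
        tools = {ntpath.basename(k["image"]).lower() for k in kids} & RECON_TOOLS
        if len(tools) < min_tools:
            continue
        parent = by_pid.get(ppid)
        targets = redirect_targets(parent["cmdline"]) if parent else set()
        findings.append({
            "parent_pid": ppid,
            "parent_image": ntpath.basename(parent["image"]) if parent else None,
            "tools": sorted(tools),
            "output_files": sorted(targets),
            "single_sink": len(targets) == 1,
        })
    return findings


if __name__ == "__main__":
    for finding in find_recon_bursts(SAMPLE_EVENTS):
        print(finding)
```

Against the sample events only the pid 2904 cmd.exe is flagged (four distinct tools, all redirected into c:\windows\temp\flash.log); the lone `ipconfig /all` under pid 3000 stays below the threshold. Real telemetry carries the same fields in Sysmon Event ID 1 (ParentProcessId, Image, CommandLine) or Security 4688 with command-line auditing enabled, and the redirect target the parser extracts is the file to pull and hash-match against the Downloads entry below.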

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \??\c:\windows\temp\flash.log

    Filesize

    8KB

    MD5

    c41acdeeaaa3bb906e62a3e0b8fb522b

    SHA1

    9d51eeacd5f7b28de0b4c4d1e06760e5058b9b46

    SHA256

    5f66f6005e544b911e4ad605981987abe67eb819e6a75e5757fe453d905859a4

    SHA512

    f575f16e451772309ddf2db3a95a66e0bab1c417f04e138c55d3270e4a3592be3030cc48c495dac10059e7d0768cef2729c61231c0ab1d7c4791b38aaa9d8ef8