Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 13:32
Static task static1
1 signatures

Behavioral task behavioral1
Sample: 1a1e019b7d5b382bd84cbbea8be99d83.exe
Resource: win7-20231215-en
5 signatures, 150 seconds

Behavioral task behavioral2
Sample: 1a1e019b7d5b382bd84cbbea8be99d83.exe
Resource: win10v2004-20231215-en
4 signatures, 150 seconds
General
Target: 1a1e019b7d5b382bd84cbbea8be99d83.exe
Size: 1.2MB
MD5: 1a1e019b7d5b382bd84cbbea8be99d83
SHA1: 09856f64bc3f01061b257df0864d953497aa6d12
SHA256: 2ac61f142f417a4676584706bc22ed63969e3dca744b9d3adb0e7547f7944dfe
SHA512: 80b5635ffd957cd75c9bb82b590bb20e1012d43a5a80b225b99ea8cb564e79181ea32c455ef3c474eeff893344fb8dece6b614bc8c18afa139f898a0a33de2be
SSDEEP: 24576:Eb5kSYaLTVlx/Hp21/K9G56OWCUCBTfbsIDK1Jxziqs4cdaVECaqqh1X:Eb5k2L53fp21/K9Z2T21LzW+YR
Score: 7/10
Malware Config
Signatures

Deletes itself (1 IoCs)
  pid 2664  Process cmd.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid 3040  Process PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 808  Process 1a1e019b7d5b382bd84cbbea8be99d83.exe
  pid 808  Process 1a1e019b7d5b382bd84cbbea8be99d83.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege  pid 808  Process 1a1e019b7d5b382bd84cbbea8be99d83.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                    pid   Process                                   procid_target
  PID 808 wrote to memory of 2664   808   1a1e019b7d5b382bd84cbbea8be99d83.exe   19
  PID 808 wrote to memory of 2664   808   1a1e019b7d5b382bd84cbbea8be99d83.exe   19
  PID 808 wrote to memory of 2664   808   1a1e019b7d5b382bd84cbbea8be99d83.exe   19
  PID 2664 wrote to memory of 3040  2664  cmd.exe                                  18
  PID 2664 wrote to memory of 3040  2664  cmd.exe                                  18
  PID 2664 wrote to memory of 3040  2664  cmd.exe                                  18
Processes

1. C:\Users\Admin\AppData\Local\Temp\1a1e019b7d5b382bd84cbbea8be99d83.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1a1e019b7d5b382bd84cbbea8be99d83.exe"
   PID: 808
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1a1e019b7d5b382bd84cbbea8be99d83.exe"
      PID: 2664
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 6000
         PID: 3040
         - Runs ping.exe