Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 14:18
Static task
- static1
Behavioral task
- behavioral1: sample 1b31ff9e48880dcb6e186bb23c8cd2a7.exe, resource win7-20231215-en
Behavioral task
- behavioral2: sample 1b31ff9e48880dcb6e186bb23c8cd2a7.exe, resource win10v2004-20231215-en
General
- Target: 1b31ff9e48880dcb6e186bb23c8cd2a7.exe
- Size: 469KB
- MD5: 1b31ff9e48880dcb6e186bb23c8cd2a7
- SHA1: 0b542a53b64c754e2daef53195e51a6acfa9844c
- SHA256: 45d4487f538c4676a22ee12edb575012740fbaa1395efa4cc6319c8796e1f61f
- SHA512: d8e96e02273f64ef4348e3e1370c94f0183853aed65d7dfbce2d6786241eed9dfac79a3dbbd5582d1432c0da0bba6ce92448f2ac97cb9fad53bcfcc8a93dec48
- SSDEEP: 12288:Wb7jkD3v0VBRxE5MBGlcM7UdrAs7UZWG1j3FLiUh:Wb3w3v8BRqEM7UdtU1j35i
Malware Config
Signatures
- Deletes itself (1 IoC)
  - PID 2812, process cmd.exe
- Executes dropped EXE (1 IoC)
  - PID 2440, process Internet Explorer.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  - File opened for modification: \??\PhysicalDrive0 (process 1b31ff9e48880dcb6e186bb23c8cd2a7.exe)
  - File opened for modification: \??\PhysicalDrive0 (process Internet Explorer.exe)
- Drops file in Windows directory (3 IoCs)
  - File created: C:\Windows\Internet Explorer.exe (process 1b31ff9e48880dcb6e186bb23c8cd2a7.exe)
  - File opened for modification: C:\Windows\Internet Explorer.exe (process 1b31ff9e48880dcb6e186bb23c8cd2a7.exe)
  - File created: C:\Windows\HKFX2008.BAT (process 1b31ff9e48880dcb6e186bb23c8cd2a7.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 2644, process 1b31ff9e48880dcb6e186bb23c8cd2a7.exe
  - Token: SeDebugPrivilege, PID 2440, process Internet Explorer.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 2440, process Internet Explorer.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 2440 (Internet Explorer.exe) wrote to memory of PID 2808, procid_target 29 (4 identical entries)
  - PID 2644 (1b31ff9e48880dcb6e186bb23c8cd2a7.exe) wrote to memory of PID 2812, procid_target 30 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1b31ff9e48880dcb6e186bb23c8cd2a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b31ff9e48880dcb6e186bb23c8cd2a7.exe"
  PID: 2644
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\HKFX2008.BAT
    PID: 2812
    - Deletes itself
- C:\Windows\Internet Explorer.exe
  Command line: "C:\Windows\Internet Explorer.exe"
  PID: 2440
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2808
Network
MITRE ATT&CK Enterprise v15
Downloads
- 190B file
  - Filesize: 190B
  - MD5: 7e8a42f96e1f2ee8c17c0ff1f12fc417
  - SHA1: 11f223d139efdbee3a4fd9511ab67e243e3a1db1
  - SHA256: c6430b8da214ec12b709a14eeb4558d4d88e1539689993fb9924caa90d3ee810
  - SHA512: b82af9b0ca153287cbb9bfd6757ae067bc684256d6a41743699431ac2883d690fac8ffe59516db4a9156b1796190ce132b6d758754ff4155907b6b224e92fc1e
- 469KB file (same hashes as the submitted sample)
  - Filesize: 469KB
  - MD5: 1b31ff9e48880dcb6e186bb23c8cd2a7
  - SHA1: 0b542a53b64c754e2daef53195e51a6acfa9844c
  - SHA256: 45d4487f538c4676a22ee12edb575012740fbaa1395efa4cc6319c8796e1f61f
  - SHA512: d8e96e02273f64ef4348e3e1370c94f0183853aed65d7dfbce2d6786241eed9dfac79a3dbbd5582d1432c0da0bba6ce92448f2ac97cb9fad53bcfcc8a93dec48