Analysis
Max time kernel: 117s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 31/12/2023, 00:09
Static task: static1
Behavioral task: behavioral1
  Sample: 2125bf2b30050fb981357d998968ed50.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2125bf2b30050fb981357d998968ed50.exe
  Resource: win10v2004-20231215-en
General
Target: 2125bf2b30050fb981357d998968ed50.exe
Size: 10KB
MD5: 2125bf2b30050fb981357d998968ed50
SHA1: 7152359f75b98e9eb96ef35ea720eeaf4c028b8a
SHA256: 34ac353f82317c69f040b864de17c8c7b23f71ae2c1f98e05d8f9c26e7466183
SHA512: 9fbd73e6e85f6c85e18fd9477f6d798831de8495764b424224ee3dabd5d20654fef6826d32d553269eb28898b2ed0188d09d30ffe15937d5bf4e04d1fe314a5c
SSDEEP: 192:IOjHx/GOuPoM3qkCAvMP78N4YIT3xBsx/RkSOAdsvtFcxNGf7C:LF/GOugWBZMPy4HL/4/rTsvtFHC
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  2532  cmdbcs.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2532  cmdbcs.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\cmdbcs = "C:\\Windows\\cmdbcs.exe"  cmdbcs.exe

Drops file in System32 directory (1 IoC)
  description   ioc                             Process
  File created  C:\Windows\SysWOW64\cmdbcs.dll  cmdbcs.exe

Drops file in Windows directory (2 IoCs)
  description                   ioc                    Process
  File created                  C:\Windows\cmdbcs.exe  2125bf2b30050fb981357d998968ed50.exe
  File opened for modification  C:\Windows\cmdbcs.exe  2125bf2b30050fb981357d998968ed50.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2532  cmdbcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2976  2125bf2b30050fb981357d998968ed50.exe
  Token: SeDebugPrivilege  2532  cmdbcs.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                               procid_target
  PID 2976 wrote to memory of 2532  2976  2125bf2b30050fb981357d998968ed50.exe  28
  PID 2976 wrote to memory of 2532  2976  2125bf2b30050fb981357d998968ed50.exe  28
  PID 2976 wrote to memory of 2532  2976  2125bf2b30050fb981357d998968ed50.exe  28
  PID 2976 wrote to memory of 2532  2976  2125bf2b30050fb981357d998968ed50.exe  28
  PID 2532 wrote to memory of 1216  2532  cmdbcs.exe                            7
  PID 2532 wrote to memory of 1216  2532  cmdbcs.exe                            7
Processes

C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe"
  PID: 2976
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\cmdbcs.exe
    Command line: C:\Windows\cmdbcs.exe @C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe@2976
    PID: 2532
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1216
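The signatures and process tree above describe one short chain: the dropper (PID 2976) writes a copy of itself to C:\Windows\cmdbcs.exe, launches that copy with its own path and PID appended as a trailing @path@pid argument, the copy registers itself under the WOW64 view of the HKLM Run key (the sample is a 32-bit image on a 64-bit guest, so a hunt that only reads the native Run key will miss it), drops cmdbcs.dll into SysWOW64, and writes into Explorer.EXE (PID 1216), which is why Explorer appears as a separate root in the tree even though the sample never started it. That the @path@pid argument is what lets the copy delete the original after the dropper exits is an inference from the command line, not something the report states. The following is an added detection example written for this page, not code from tria.ge or from the sample: it replays constructed Sysmon-style events mirroring the report (the PIDs, paths and key are copied from it) and correlates the three behaviours. The event shape (Sysmon IDs 1, 10, 11 and 13 and the field names) is an assumption about the log source; Sysmon does not log WriteProcessMemory itself, so a ProcessAccess event whose GrantedAccess includes PROCESS_VM_WRITE is used as the closest proxy. The self-deletion is not modelled because the report does not show how it happens.

```python
"""Correlate the behaviours flagged in the tria.ge report over Sysmon-style events.

Added example, not part of the report or the sample. EVENTS is constructed to
mirror the report; the Sysmon event IDs and field names are an assumption about
the telemetry source.
"""
import re
from typing import Dict, List, Optional, Tuple

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2125bf2b30050fb981357d998968ed50.exe"
COPY = r"C:\Windows\cmdbcs.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory needs on the target

# Constructed events (assumed Sysmon IDs: 1 ProcessCreate, 11 FileCreate,
# 13 RegistryEvent SetValue, 10 ProcessAccess), in process-tree order.
EVENTS: List[Dict] = [
    {"id": 1, "pid": 2976, "ppid": 1216, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"id": 11, "pid": 2976, "image": DROPPER, "target": COPY},
    {"id": 1, "pid": 2532, "ppid": 2976, "image": COPY, "cmd": f"{COPY} @{DROPPER}@2976"},
    {"id": 11, "pid": 2532, "image": COPY, "target": r"C:\Windows\SysWOW64\cmdbcs.dll"},
    {"id": 13, "pid": 2532, "image": COPY,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cmdbcs",
     "details": COPY},
    {"id": 10, "pid": 2532, "image": COPY, "tpid": 1216, "timage": EXPLORER, "access": 0x1FFFFF},
]

# Trailing "@<path>@<pid>" argument, the shape seen on cmdbcs.exe's command line.
HANDOFF = re.compile(r"@(?P<path>[^@]+)@(?P<pid>\d+)\s*$")


def parse_handoff(cmdline: str) -> Optional[Tuple[str, int]]:
    """Return (path, pid) from a trailing '@<path>@<pid>' argument, else None."""
    m = HANDOFF.search(cmdline)
    return (m["path"], int(m["pid"])) if m else None


def detect(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the chain the report shows.

    Events are consumed in order so the noisy last rule (a VM write into
    explorer.exe) only fires for a process an earlier rule already flagged.
    """
    findings: List[Tuple[str, int, str]] = []
    procs: Dict[int, Dict] = {}    # pid -> its ProcessCreate event
    dropped: Dict[str, int] = {}   # lower-cased dropped path -> pid that wrote it
    flagged = set()

    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = e
            parent = procs.get(e["ppid"])
            handoff = parse_handoff(e["cmd"])
            # A file the parent just dropped under C:\Windows, launched by that
            # parent with the parent's own path and PID as arguments.
            if (parent and handoff
                    and dropped.get(e["image"].lower()) == e["ppid"]
                    and handoff[1] == e["ppid"]
                    and handoff[0].lower() == parent["image"].lower()):
                findings.append(("dropped_exe_handoff", e["pid"],
                                 f"{e['image']} started by pid {e['ppid']} with @{handoff[0]}@{handoff[1]}"))
                flagged.add(e["pid"])
        elif e["id"] == 11:
            if e["target"].lower().startswith("c:\\windows\\"):
                dropped[e["target"].lower()] = e["pid"]
        elif e["id"] == 13:
            key = e["key"].lower()
            # Match both the native and the Wow6432Node Run key; both are honoured at logon.
            if "\\currentversion\\run\\" in key and e["details"].lower().startswith("c:\\windows\\"):
                view = "WOW64 view" if "\\wow6432node\\" in key else "native view"
                findings.append(("run_key_to_windows_dir", e["pid"],
                                 f"{e['key']} = {e['details']} ({view})"))
                flagged.add(e["pid"])
        elif e["id"] == 10:
            if (e["pid"] in flagged and e["access"] & PROCESS_VM_WRITE
                    and e["timage"].lower().endswith("\\explorer.exe")):
                findings.append(("vm_write_into_explorer", e["pid"],
                                 f"{e['image']} opened pid {e['tpid']} with access 0x{e['access']:x}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Run against the constructed events it yields one finding per rule, all attributed to PID 2532. The handoff rule is deliberately strict (the launched image must be a file the parent itself dropped, and the argument must name that parent's path and PID), which keeps it quiet on ordinary installers that spawn helpers; the Explorer write rule is gated on a prior finding for the same PID because many legitimate processes open explorer.exe with broad access rights.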
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 10KB
MD5: 2125bf2b30050fb981357d998968ed50
SHA1: 7152359f75b98e9eb96ef35ea720eeaf4c028b8a
SHA256: 34ac353f82317c69f040b864de17c8c7b23f71ae2c1f98e05d8f9c26e7466183
SHA512: 9fbd73e6e85f6c85e18fd9477f6d798831de8495764b424224ee3dabd5d20654fef6826d32d553269eb28898b2ed0188d09d30ffe15937d5bf4e04d1fe314a5c