Analysis
Max time kernel: 122s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 31/12/2023, 03:06
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: 25ba528d468f04dfa5ff443756901f13.exe
  Resource: win7-20231129-en
  5 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: 25ba528d468f04dfa5ff443756901f13.exe
  Resource: win10v2004-20231222-en
  0 signatures
  150 seconds
General
Target: 25ba528d468f04dfa5ff443756901f13.exe
Size: 316KB
MD5: 25ba528d468f04dfa5ff443756901f13
SHA1: 964682f56bc013c11415d7b885b25c107434af01
SHA256: 1ee4561ebaca3a9089ea83434f660db926d21cdcd89520f258cbc1626d8e8d43
SHA512: d4760bf9574730ca44c44d21f7e405f8be02c24279d81c261616d4c48ac25ea931a1f76942ecb5f63609a1c6af60fb18eb3312840a2788d19bce8279f8aec2b9
SSDEEP: 6144:FUORK1ttbV3kSobTYZGiNdniCoh+KiE5B3Lz6aU:FytbV3kSoXaLnToslyB3LU
Score: 7/10
Malware Config
Signatures
- Deletes itself (1 IoC)
    pid   Process
    2404  cmd.exe
- Runs ping.exe (1 TTP, 1 IoC)
    pid   Process
    2856  PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    2988  25ba528d468f04dfa5ff443756901f13.exe
    2988  25ba528d468f04dfa5ff443756901f13.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid   Process
    Token: SeDebugPrivilege  2988  25ba528d468f04dfa5ff443756901f13.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
    description                       pid   Process                               procid_target
    PID 2988 wrote to memory of 2404  2988  25ba528d468f04dfa5ff443756901f13.exe  18
    PID 2988 wrote to memory of 2404  2988  25ba528d468f04dfa5ff443756901f13.exe  18
    PID 2988 wrote to memory of 2404  2988  25ba528d468f04dfa5ff443756901f13.exe  18
    PID 2404 wrote to memory of 2856  2404  cmd.exe                               16
    PID 2404 wrote to memory of 2856  2404  cmd.exe                               16
    PID 2404 wrote to memory of 2856  2404  cmd.exe                               16
Processes
- C:\Users\Admin\AppData\Local\Temp\25ba528d468f04dfa5ff443756901f13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\25ba528d468f04dfa5ff443756901f13.exe"
  PID: 2988
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\25ba528d468f04dfa5ff443756901f13.exe"
    PID: 2404
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 6000
      PID: 2856
      - Runs ping.exe