Analysis

max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04/01/2024, 07:07
Static task
static1: 1 signature

Behavioral task
behavioral1
Sample: 40364d01c669fec853b9aae03344ab0e.exe
Resource: win7-20231215-en
5 signatures, 150 seconds

Behavioral task
behavioral2
Sample: 40364d01c669fec853b9aae03344ab0e.exe
Resource: win10v2004-20231215-en
4 signatures, 150 seconds
General

Target: 40364d01c669fec853b9aae03344ab0e.exe
Size: 1.6MB
MD5: 40364d01c669fec853b9aae03344ab0e
SHA1: 4b90f3bd2237f8ca32ade818c6019be6c75f4182
SHA256: 1b17cbb75b5fc4b746761e0ba24ecd78084eaf885208f4d6d42170d081a0b8d4
SHA512: 14a76763794fa4d085aaa003e4e9dfc15f9ef6b2b7521caf514c65080cfc67324f754a5176b42cdb6f8b1d12a2e4685ee30c533b6073884e05db26384e2aa402
SSDEEP: 24576:Eb5kSYaLTVlwfmnAwYW4Qogjc7u0RkUsrS6p7Vb3hvhpmTChf6dnPhYnc0wa+cgE:Eb5k2L5KoAwUwc7u01GZVbxKCAPfU

Score: 7/10
Malware Config
Signatures

Deletes itself (1 IoC)
  pid 2996  cmd.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid 848  PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3048  40364d01c669fec853b9aae03344ab0e.exe
  pid 3048  40364d01c669fec853b9aae03344ab0e.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 3048  40364d01c669fec853b9aae03344ab0e.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid   Process                                procid_target
  PID 3048 wrote to memory of 2996     3048  40364d01c669fec853b9aae03344ab0e.exe   28
  PID 3048 wrote to memory of 2996     3048  40364d01c669fec853b9aae03344ab0e.exe   28
  PID 3048 wrote to memory of 2996     3048  40364d01c669fec853b9aae03344ab0e.exe   28
  PID 2996 wrote to memory of 848      2996  cmd.exe                                30
  PID 2996 wrote to memory of 848      2996  cmd.exe                                30
  PID 2996 wrote to memory of 848      2996  cmd.exe                                30

Note on reading the WriteProcessMemory rows: each parent-child pair above shows exactly three writes, and each pair is also a process-creation edge in the tree below (sample -> cmd.exe -> PING.EXE). CreateProcess itself writes into the freshly created child before its first thread runs, so this pattern is the normal creation artifact rather than evidence of code injection; the signature is worth a look only when the writes target a process the writer did not just spawn.
Processes

1. C:\Users\Admin\AppData\Local\Temp\40364d01c669fec853b9aae03344ab0e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\40364d01c669fec853b9aae03344ab0e.exe"
   PID: 3048
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\40364d01c669fec853b9aae03344ab0e.exe"
      PID: 2996
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 6000
         PID: 848
         - Runs ping.exe
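The only behaviour the tree above records is the classic self-removal trick: the sample spawns cmd.exe, which uses ping as a sleep (the -w 6000 timeout only matters when 1.1.1.1 is unreachable, as in an offline sandbox) so the parent has exited and its file handle is closed, and then deletes the parent's own executable. The following detection is an added example, not part of the tria.ge report or its signature engine. It runs over constructed process-creation records that mirror the tree above; the record fields (pid, ppid, image, cmdline) are assumptions, not the sandbox's export format. It generalises slightly beyond the report by also accepting timeout as the delay primitive and by comparing the deleted path against the parent's image rather than the literal sample name, which is what separates this from a benign "ping then clean up a log file" script.

```python
"""Flag the 'cmd.exe /C ping ... & del <parent image>' self-removal seen above.

Added example, not part of the tria.ge report. Input records are constructed
to mirror the report's process tree; the field names (pid, ppid, image,
cmdline) are assumptions, not the sandbox's export schema.
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\40364d01c669fec853b9aae03344ab0e.exe"

# Constructed process-creation events. The last two are a benign look-alike
# (explorer.exe spawning a script that pings, then deletes a log file) that
# must not be flagged, because the deleted path is not the parent's image.
EVENTS = [
    {"pid": 3048, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2996, "ppid": 3048, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": f'cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "{SAMPLE}"'},
    {"pid": 848, "ppid": 2996, "image": r"C:\Windows\system32\PING.EXE",
     "cmdline": "ping 1.1.1.1 -n 1 -w 6000"},
    {"pid": 4000, "ppid": 1234, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd.exe /C ping 10.0.0.1 -n 1 & del /q C:\temp\run.log"},
]

# 'cmd.exe /C' or '/K', with or without a quoted full path in front.
CMD_PREFIX = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
# Commands abused as a sleep so the parent can exit before its file is unlinked.
DELAY_CMDS = {"ping", "ping.exe", "timeout", "timeout.exe"}
DEL_CMDS = {"del", "erase"}


def segments(cmdline):
    """Strip the cmd.exe /C wrapper and split the rest at '&' or '&&'.
    Returns None for anything that is not a cmd.exe /C|/K invocation.
    A path containing '&' would be split too; quote-aware parsing is out of scope."""
    m = CMD_PREFIX.match(cmdline)
    if not m:
        return None
    return [s.strip() for s in re.split(r"\s*&&?\s*", cmdline[m.end():]) if s.strip()]


def del_target(segment):
    """Return the path a DEL/ERASE segment removes (quotes and /q, /f ... dropped), else None."""
    tokens = segment.split()
    if not tokens or tokens[0].lower() not in DEL_CMDS:
        return None
    args = [t for t in tokens[1:] if not t.startswith("/")]
    return " ".join(args).strip('"') if args else None


def same_file(a, b):
    """Case-insensitive, separator-normalised path comparison (Windows semantics)."""
    return ntpath.normcase(ntpath.normpath(a)) == ntpath.normcase(ntpath.normpath(b))


def find_self_deletes(events):
    """Return (cmd_pid, parent_pid, deleted_path) for each cmd.exe child that
    delays with ping/timeout and then deletes its parent's own executable."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        segs = segments(ev["cmdline"])
        parent = by_pid.get(ev["ppid"])
        if not segs or parent is None:
            continue
        delayed = any(s.split()[0].lower() in DELAY_CMDS for s in segs)
        for s in segs:
            target = del_target(s)
            if delayed and target and same_file(target, parent["image"]):
                hits.append((ev["pid"], ev["ppid"], target))
    return hits


if __name__ == "__main__":
    for cmd_pid, parent_pid, path in find_self_deletes(EVENTS):
        print(f"self-delete: pid {cmd_pid} (parent {parent_pid}) removes {path}")
```

The check keys on the relationship between the del target and the parent's image, not on the sample's hash or the 1.1.1.1 address, so it survives trivial renaming of the dropped file and swapping the ping destination; the delay requirement keeps a plain `cmd /C del` from a legitimate uninstaller out of the results.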