Analysis
- max time kernel: 2s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 08/01/2024, 10:08
Static task: static1
Behavioral task: behavioral1
- Sample: 4b2636d5375fabaf5210326d7ddf380a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4b2636d5375fabaf5210326d7ddf380a.exe
- Resource: win10v2004-20231222-en
General
- Target: 4b2636d5375fabaf5210326d7ddf380a.exe
- Size: 14.4MB
- MD5: 4b2636d5375fabaf5210326d7ddf380a
- SHA1: 1a2de55ee081916d168c71bc917cd39b94332d8c
- SHA256: bb7772836afc601ff0ece2b2f1ebe85ffe73392baf08a993ae8330fdb9b04ce8
- SHA512: 09d8b92fb0fb501e3cae709786a8f6f52434d1ae5ea03100aa69c427478b6165e6fa70776ec0ff652f1e7ece1128dc25a5328d02a022294de244236212004ff2
- SSDEEP: 49152:yyjfVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVH:
Malware Config
Extracted
- Family: tofsee
- 43.231.4.7
- lazystax.ru
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid 2580, Process netsh.exe
- Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid 2992, Process sc.exe
  pid 2788, Process sc.exe
  pid 2720, Process sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1740 wrote to memory of 1732; pid 1740; Process 4b2636d5375fabaf5210326d7ddf380a.exe; procid_target 28
  description: PID 1740 wrote to memory of 1732; pid 1740; Process 4b2636d5375fabaf5210326d7ddf380a.exe; procid_target 28
  description: PID 1740 wrote to memory of 1732; pid 1740; Process 4b2636d5375fabaf5210326d7ddf380a.exe; procid_target 28
  description: PID 1740 wrote to memory of 1732; pid 1740; Process 4b2636d5375fabaf5210326d7ddf380a.exe; procid_target 28
Processes
- C:\Users\Admin\AppData\Local\Temp\4b2636d5375fabaf5210326d7ddf380a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b2636d5375fabaf5210326d7ddf380a.exe"
  PID: 1740
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\plkqifff\
    PID: 1732
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\npkqjwg.exe" C:\Windows\SysWOW64\plkqifff\
    PID: 1852
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create plkqifff binPath= "C:\Windows\SysWOW64\plkqifff\npkqjwg.exe /d\"C:\Users\Admin\AppData\Local\Temp\4b2636d5375fabaf5210326d7ddf380a.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 2992
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description plkqifff "wifi internet conection"
    PID: 2788
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start plkqifff
    PID: 2720
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 2580
    Signatures: Modifies Windows Firewall
- C:\Windows\SysWOW64\plkqifff\npkqjwg.exe
  Command line: C:\Windows\SysWOW64\plkqifff\npkqjwg.exe /d"C:\Users\Admin\AppData\Local\Temp\4b2636d5375fabaf5210326d7ddf380a.exe"
  PID: 2708
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2744