Analysis
max time kernel: 120s
max time network: 134s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 08/01/2024, 16:41
Static task: static1
Behavioral task: behavioral1
  Sample: 4bf04e6b1c367f4beebeddf4c91a923e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4bf04e6b1c367f4beebeddf4c91a923e.exe
  Resource: win10v2004-20231215-en
General
Target: 4bf04e6b1c367f4beebeddf4c91a923e.exe
Size: 537KB
MD5: 4bf04e6b1c367f4beebeddf4c91a923e
SHA1: a95b05d787a1627849fee3bbf03ccdbef98260d8
SHA256: 33df3c9644961a47680d842248dad9e2aedbe9e7344c5499ffe56dd688ebbb9f
SHA512: c58218088fbe2a85619a23649e9594f23d3d4d85f2cc961d07b8ef59b1fe7d1fcad8f9dd8364b35e0a4e40cf34d4f8c6155bfde24f038d5d1f121840bc1dc708
SSDEEP: 12288:DbhRToCzj8Q0L0yVXZKPGFbtmUrHjOYNlY38S/A+3S:DbnTbnyVJKcZZHjTNOXA6S
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  456   cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2292  360safe.exe

Drops file in Windows directory (3 IoCs)
  description                   ioc                       Process
  File created                  C:\Windows\360safe.exe    4bf04e6b1c367f4beebeddf4c91a923e.exe
  File opened for modification  C:\Windows\360safe.exe    4bf04e6b1c367f4beebeddf4c91a923e.exe
  File created                  C:\Windows\UNINSTAL.BAT   4bf04e6b1c367f4beebeddf4c91a923e.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2152  4bf04e6b1c367f4beebeddf4c91a923e.exe
  Token: SeDebugPrivilege  2292  360safe.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2292  360safe.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process                               procid_target
  PID 2292 wrote to memory of 3008   2292  360safe.exe                           29
  PID 2292 wrote to memory of 3008   2292  360safe.exe                           29
  PID 2292 wrote to memory of 3008   2292  360safe.exe                           29
  PID 2292 wrote to memory of 3008   2292  360safe.exe                           29
  PID 2152 wrote to memory of 456    2152  4bf04e6b1c367f4beebeddf4c91a923e.exe  30
  PID 2152 wrote to memory of 456    2152  4bf04e6b1c367f4beebeddf4c91a923e.exe  30
  PID 2152 wrote to memory of 456    2152  4bf04e6b1c367f4beebeddf4c91a923e.exe  30
  PID 2152 wrote to memory of 456    2152  4bf04e6b1c367f4beebeddf4c91a923e.exe  30
  PID 2152 wrote to memory of 456    2152  4bf04e6b1c367f4beebeddf4c91a923e.exe  30
  PID 2152 wrote to memory of 456    2152  4bf04e6b1c367f4beebeddf4c91a923e.exe  30
  PID 2152 wrote to memory of 456    2152  4bf04e6b1c367f4beebeddf4c91a923e.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\4bf04e6b1c367f4beebeddf4c91a923e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4bf04e6b1c367f4beebeddf4c91a923e.exe"
  PID: 2152
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\UNINSTAL.BAT
    PID: 456
    - Deletes itself

C:\Windows\360safe.exe
  Command line: C:\Windows\360safe.exe
  PID: 2292
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 3008
Network
MITRE ATT&CK Matrix
Downloads
File 1
  Filesize: 537KB
  MD5: 4bf04e6b1c367f4beebeddf4c91a923e
  SHA1: a95b05d787a1627849fee3bbf03ccdbef98260d8
  SHA256: 33df3c9644961a47680d842248dad9e2aedbe9e7344c5499ffe56dd688ebbb9f
  SHA512: c58218088fbe2a85619a23649e9594f23d3d4d85f2cc961d07b8ef59b1fe7d1fcad8f9dd8364b35e0a4e40cf34d4f8c6155bfde24f038d5d1f121840bc1dc708

File 2
  Filesize: 186B
  MD5: 7e0f9d10bfe62f20ababca814960313a
  SHA1: e5635136c2468c8ae8d40f52f342bc7e2cbde2e9
  SHA256: c02aff02cbdfb4a35ec29d7ab38a2672f7220f0ac6a722df32d429bdb7577a65
  SHA512: 7768d0a2a824d1ad3c8ec8d4ebd85dea650d56c35b19b046e8d7ee5ebacf05099224817cb846f4f38b0cde91d4512a377b9e4c74cf0a34aa45bdf51ad8a1ca37