Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 09/01/2024, 03:52
Static task: static1
Behavioral task: behavioral1
- Sample: 4d43d16f407494f3317b8a9a68099791.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 4d43d16f407494f3317b8a9a68099791.exe
- Resource: win10v2004-20231215-en
General
- Target: 4d43d16f407494f3317b8a9a68099791.exe
- Size: 13KB
- MD5: 4d43d16f407494f3317b8a9a68099791
- SHA1: 8e61c2caa7e326322bf586d06279029530b7605c
- SHA256: ad0e0b34dd57250d9c86792e82b49ed1598421c83ead2707a475df200f0b60f6
- SHA512: a4a6cbab172299b09ebc67d3e19bc1274d58f29ddca400d2fc26a9be849d2de45c9694e309da319c12dd2c4503cba5572cd4ca782227e5127681dacda552e4c1
- SSDEEP: 384:EngFSX3fyNa1J+29+scOjvq0sYNoaO+3OE:EwSX3fn+2+sc2i/YNo0+E
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid: 2672, process: cmd.exe
- Executes dropped EXE (1 IoC)
  pid: 2620, process: 4d43d16f407494f3317b8a9a68099791.exe
- Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\4d43d16f407494f3317b8a9a68099791.exe, process: 4d43d16f407494f3317b8a9a68099791.exe
  File created: C:\Windows\SysWOW64\4d43d16f407494f3317b8a9a68099791.exe, process: 4d43d16f407494f3317b8a9a68099791.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid: 2832, process: 4d43d16f407494f3317b8a9a68099791.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2832 wrote to memory of 2672, pid: 2832, process: 4d43d16f407494f3317b8a9a68099791.exe, procid_target: 28
  PID 2832 wrote to memory of 2672, pid: 2832, process: 4d43d16f407494f3317b8a9a68099791.exe, procid_target: 28
  PID 2832 wrote to memory of 2672, pid: 2832, process: 4d43d16f407494f3317b8a9a68099791.exe, procid_target: 28
  PID 2832 wrote to memory of 2672, pid: 2832, process: 4d43d16f407494f3317b8a9a68099791.exe, procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\4d43d16f407494f3317b8a9a68099791.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d43d16f407494f3317b8a9a68099791.exe"
  PID: 2832
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2832)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4D43D1~1.EXE > nul
    PID: 2672
    - Deletes itself
- C:\Windows\SysWOW64\4d43d16f407494f3317b8a9a68099791.exe
  Command line: C:\Windows\SysWOW64\4d43d16f407494f3317b8a9a68099791.exe
  PID: 2620
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 13KB
- MD5: 4d43d16f407494f3317b8a9a68099791
- SHA1: 8e61c2caa7e326322bf586d06279029530b7605c
- SHA256: ad0e0b34dd57250d9c86792e82b49ed1598421c83ead2707a475df200f0b60f6
- SHA512: a4a6cbab172299b09ebc67d3e19bc1274d58f29ddca400d2fc26a9be849d2de45c9694e309da319c12dd2c4503cba5572cd4ca782227e5127681dacda552e4c1