Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
10/01/2024, 12:35
Static task
static1
Behavioral task
behavioral1
Sample
509274c5c973b5c330be82845b57663f.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
509274c5c973b5c330be82845b57663f.exe
Resource
win10v2004-20231215-en
General
-
Target
509274c5c973b5c330be82845b57663f.exe
-
Size
63KB
-
MD5
509274c5c973b5c330be82845b57663f
-
SHA1
79cff899d88ff8307eeafbda87098f833f42fb8f
-
SHA256
4b02e5922ab65a6bf04702ebf73b4c019227596c06eac51acc0847f8b01e54f6
-
SHA512
22c5fd3d88b9016e5b041ffff25db5f015c4b98043c25a59350506afc92c86500e2efb0b7e2d5d3ed09b011b3f436a48acbb27f8167f7d1113f125ccd762b613
-
SSDEEP
1536:VdryyfYwLQhueIbzRFIj9JdHQWplS7N1DKmxAMNd1D2IobgMW:TrD9LiFOzrIj9DHGh45MNd1KgM
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2336 jh.exe -
Loads dropped DLL 2 IoCs
pid Process 1724 509274c5c973b5c330be82845b57663f.exe 1724 509274c5c973b5c330be82845b57663f.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\jh.exe 509274c5c973b5c330be82845b57663f.exe File opened for modification C:\Windows\SysWOW64\jh.exe 509274c5c973b5c330be82845b57663f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 2 IoCs
pid Process 2804 taskkill.exe 1988 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2804 taskkill.exe Token: SeDebugPrivilege 1988 taskkill.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1724 wrote to memory of 2336 1724 509274c5c973b5c330be82845b57663f.exe 28 PID 1724 wrote to memory of 2336 1724 509274c5c973b5c330be82845b57663f.exe 28 PID 1724 wrote to memory of 2336 1724 509274c5c973b5c330be82845b57663f.exe 28 PID 1724 wrote to memory of 2336 1724 509274c5c973b5c330be82845b57663f.exe 28 PID 2336 wrote to memory of 2812 2336 jh.exe 29 PID 2336 wrote to memory of 2812 2336 jh.exe 29 PID 2336 wrote to memory of 2812 2336 jh.exe 29 PID 2336 wrote to memory of 2812 2336 jh.exe 29 PID 2336 wrote to memory of 2124 2336 jh.exe 31 PID 2336 wrote to memory of 2124 2336 jh.exe 31 PID 2336 wrote to memory of 2124 2336 jh.exe 31 PID 2336 wrote to memory of 2124 2336 jh.exe 31 PID 2124 wrote to memory of 2804 2124 cmd.exe 33 PID 2124 wrote to memory of 2804 2124 cmd.exe 33 PID 2124 wrote to memory of 2804 2124 cmd.exe 33 PID 2124 wrote to memory of 2804 2124 cmd.exe 33 PID 2336 wrote to memory of 2296 2336 jh.exe 35 PID 2336 wrote to memory of 2296 2336 jh.exe 35 PID 2336 wrote to memory of 2296 2336 jh.exe 35 PID 2336 wrote to memory of 2296 2336 jh.exe 35 PID 2296 wrote to memory of 1988 2296 cmd.exe 37 PID 2296 wrote to memory of 1988 2296 cmd.exe 37 PID 2296 wrote to memory of 1988 2296 cmd.exe 37 PID 2296 wrote to memory of 1988 2296 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\509274c5c973b5c330be82845b57663f.exe"C:\Users\Admin\AppData\Local\Temp\509274c5c973b5c330be82845b57663f.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\jh.exe"C:\Windows\System32\jh.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\cmd.execmd.exe /c date 1983-10-193⤵PID:2812
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im 360tray.exe /f3⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im 360tray.exe /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /im 360safe.exe /f3⤵
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im 360safe.exe /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD523528fd2acbd57565ac391e769f11d0a
SHA13b1479c58db12f3cb60504909e55e6a960851a55
SHA256f28c39eb7ee9be1c9cc5d84d7372ce601424462cebfd3359a2010152fa11abfe
SHA512314ab22347402214b85f87c5fb918ac9b971e3e93fabfcb5aaf0fb8349309bf819145c18af03784d1264a26c9c84142d54cc2cafb7a1ea6c16d1f0a2456cc0b7