Analysis
max time kernel: 145s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 10/01/2024, 13:09
Static task: static1
Behavioral task: behavioral1
  Sample: 50a456af5652c967f961a64cf3575cea.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 50a456af5652c967f961a64cf3575cea.exe
  Resource: win10v2004-20231215-en
General
Target: 50a456af5652c967f961a64cf3575cea.exe
Size: 212KB
MD5: 50a456af5652c967f961a64cf3575cea
SHA1: 4d04414c7a3aa8ed11914983b9db386a784cb286
SHA256: e5e6dda576bbe9d03c05cef4f9858a772dd7fb183d62720ad694397ec33176eb
SHA512: 217b2642f9d5d8a5af818c9d1e5805ba439c8ddeef467152ed99c5d62548fe5f229713842d3c72ea417c4f9cc58baac9368995ac0f2c6bec49280c8012904504
SSDEEP: 3072:13TzXu32JVDHa94mHkIu8aauuuoQOzaKZEUHCRix3qO43F/oNO:13PXu3WITV9aaE0aKZhrxm/oNO
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid 2512  cmd.exe
Executes dropped EXE (1 IoCs)
  pid 2660  qhjwfvjd.exe
Loads dropped DLL (4 IoCs)
  pid 2512  cmd.exe
  pid 2512  cmd.exe
  pid 2660  qhjwfvjd.exe
  pid 2660  qhjwfvjd.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (1 IoCs)
  pid 2732  taskkill.exe
Runs ping.exe (1 TTPs, 1 IoCs)
  pid 2740  PING.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 2660  qhjwfvjd.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege  pid 2732  taskkill.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 2660  qhjwfvjd.exe
  pid 2660  qhjwfvjd.exe
  pid 2660  qhjwfvjd.exe
Suspicious use of SendNotifyMessage (3 IoCs)
  pid 2660  qhjwfvjd.exe
  pid 2660  qhjwfvjd.exe
  pid 2660  qhjwfvjd.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description                           pid   Process                               procid_target
  PID 852 wrote to memory of 2512       852   50a456af5652c967f961a64cf3575cea.exe  28
  PID 852 wrote to memory of 2512       852   50a456af5652c967f961a64cf3575cea.exe  28
  PID 852 wrote to memory of 2512       852   50a456af5652c967f961a64cf3575cea.exe  28
  PID 852 wrote to memory of 2512       852   50a456af5652c967f961a64cf3575cea.exe  28
  PID 2512 wrote to memory of 2732      2512  cmd.exe                               30
  PID 2512 wrote to memory of 2732      2512  cmd.exe                               30
  PID 2512 wrote to memory of 2732      2512  cmd.exe                               30
  PID 2512 wrote to memory of 2732      2512  cmd.exe                               30
  PID 2512 wrote to memory of 2740      2512  cmd.exe                               32
  PID 2512 wrote to memory of 2740      2512  cmd.exe                               32
  PID 2512 wrote to memory of 2740      2512  cmd.exe                               32
  PID 2512 wrote to memory of 2740      2512  cmd.exe                               32
  PID 2512 wrote to memory of 2660      2512  cmd.exe                               33
  PID 2512 wrote to memory of 2660      2512  cmd.exe                               33
  PID 2512 wrote to memory of 2660      2512  cmd.exe                               33
  PID 2512 wrote to memory of 2660      2512  cmd.exe                               33
Processes
C:\Users\Admin\AppData\Local\Temp\50a456af5652c967f961a64cf3575cea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\50a456af5652c967f961a64cf3575cea.exe"
  PID: 852
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 852 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\50a456af5652c967f961a64cf3575cea.exe" & start C:\Users\Admin\AppData\Local\qhjwfvjd.exe -f
    PID: 2512
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /pid 852
      PID: 2732
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 3 127.1
      PID: 2740
      - Runs ping.exe
    C:\Users\Admin\AppData\Local\qhjwfvjd.exe
      Command line: C:\Users\Admin\AppData\Local\qhjwfvjd.exe -f
      PID: 2660
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212KB
MD5: 50a456af5652c967f961a64cf3575cea
SHA1: 4d04414c7a3aa8ed11914983b9db386a784cb286
SHA256: e5e6dda576bbe9d03c05cef4f9858a772dd7fb183d62720ad694397ec33176eb
SHA512: 217b2642f9d5d8a5af818c9d1e5805ba439c8ddeef467152ed99c5d62548fe5f229713842d3c72ea417c4f9cc58baac9368995ac0f2c6bec49280c8012904504