Analysis
- max time kernel: 0s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12/01/2024, 14:31
Static task
- static1
Behavioral task
- behavioral1
  Sample: 56b7e7de97ef53a4fe73892c9dac41ca.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 56b7e7de97ef53a4fe73892c9dac41ca.exe
  Resource: win10v2004-20231215-en
General
- Target: 56b7e7de97ef53a4fe73892c9dac41ca.exe
- Size: 24KB
- MD5: 56b7e7de97ef53a4fe73892c9dac41ca
- SHA1: 9e2ab768d86c6f686b0f0400e3bc466b2f734139
- SHA256: 090523d3815f51c23ffcbb5a6dd7d48ca3933a5862c1a9c6f49572b0751443f7
- SHA512: 8ad6cb7aa039088628a9717291f7f9f37af813c5786599a1fd552be8d10a6b48b05eab8991bbeeb9e2c6629ddc5b42f26962c52efce063676a2d5a1eee4d0ff6
- SSDEEP: 384:E3eVES+/xwGkRKJ2qKNSlM61qmTTMVF9/q5lCzJ0:bGS+ZfbJuNSO8qYoA/
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  process: 56b7e7de97ef53a4fe73892c9dac41ca.exe
- Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  process: 56b7e7de97ef53a4fe73892c9dac41ca.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 2688, process tasklist.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid 2672, process ipconfig.exe
  pid 2856, process NETSTAT.EXE
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid 2688, process tasklist.exe
  description: Token: SeDebugPrivilege; pid 2856, process NETSTAT.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2404, process 56b7e7de97ef53a4fe73892c9dac41ca.exe
  pid 2404, process 56b7e7de97ef53a4fe73892c9dac41ca.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | process | procid_target
  PID 2404 wrote to memory of 2224 | 2404 | 56b7e7de97ef53a4fe73892c9dac41ca.exe | 16
  PID 2404 wrote to memory of 2224 | 2404 | 56b7e7de97ef53a4fe73892c9dac41ca.exe | 16
  PID 2404 wrote to memory of 2224 | 2404 | 56b7e7de97ef53a4fe73892c9dac41ca.exe | 16
  PID 2404 wrote to memory of 2224 | 2404 | 56b7e7de97ef53a4fe73892c9dac41ca.exe | 16
  PID 2224 wrote to memory of 3020 | 2224 | cmd.exe | 23
  PID 2224 wrote to memory of 3020 | 2224 | cmd.exe | 23
  PID 2224 wrote to memory of 3020 | 2224 | cmd.exe | 23
  PID 2224 wrote to memory of 3020 | 2224 | cmd.exe | 23
  PID 2224 wrote to memory of 2672 | 2224 | cmd.exe | 17
  PID 2224 wrote to memory of 2672 | 2224 | cmd.exe | 17
  PID 2224 wrote to memory of 2672 | 2224 | cmd.exe | 17
  PID 2224 wrote to memory of 2672 | 2224 | cmd.exe | 17
  PID 2224 wrote to memory of 2688 | 2224 | cmd.exe | 18
  PID 2224 wrote to memory of 2688 | 2224 | cmd.exe | 18
  PID 2224 wrote to memory of 2688 | 2224 | cmd.exe | 18
  PID 2224 wrote to memory of 2688 | 2224 | cmd.exe | 18
  PID 2224 wrote to memory of 2784 | 2224 | cmd.exe | 22
  PID 2224 wrote to memory of 2784 | 2224 | cmd.exe | 22
  PID 2224 wrote to memory of 2784 | 2224 | cmd.exe | 22
  PID 2224 wrote to memory of 2784 | 2224 | cmd.exe | 22
  PID 2784 wrote to memory of 2536 | 2784 | net.exe | 20
  PID 2784 wrote to memory of 2536 | 2784 | net.exe | 20
  PID 2784 wrote to memory of 2536 | 2784 | net.exe | 20
  PID 2784 wrote to memory of 2536 | 2784 | net.exe | 20
  PID 2224 wrote to memory of 2856 | 2224 | cmd.exe | 21
  PID 2224 wrote to memory of 2856 | 2224 | cmd.exe | 21
  PID 2224 wrote to memory of 2856 | 2224 | cmd.exe | 21
  PID 2224 wrote to memory of 2856 | 2224 | cmd.exe | 21
Processes
- C:\Users\Admin\AppData\Local\Temp\56b7e7de97ef53a4fe73892c9dac41ca.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\56b7e7de97ef53a4fe73892c9dac41ca.exe"
  PID: 2404
  signatures: Adds Run key to start application; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    PID: 2224
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ipconfig.exe
      command line: ipconfig /all
      PID: 2672
      signatures: Gathers network information
    - C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      PID: 2688
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\NETSTAT.EXE
      command line: netstat -an
      PID: 2856
      signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\net.exe
      command line: net start
      PID: 2784
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c set
      PID: 3020
- C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 start
  PID: 2536