Analysis
- max time kernel: 145s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 18/01/2024, 01:23
Static task: static1
Behavioral task: behavioral1
- Sample: 641cd01e7405ae9fea7ab07cd90d7e92.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 641cd01e7405ae9fea7ab07cd90d7e92.exe
- Resource: win10v2004-20231215-en
General
- Target: 641cd01e7405ae9fea7ab07cd90d7e92.exe
- Size: 593KB
- MD5: 641cd01e7405ae9fea7ab07cd90d7e92
- SHA1: 3eb0d97da4b62692ceca9ea7045ed3cc8356ecdf
- SHA256: 67ede6407855ec22985a843b52f5d5ad8169aafc396606f742029bf05d10233f
- SHA512: b4d77a5d7c86b6c59cb704e2258d6acd7711b60f6b06d64b78ba4fd8cbe4e3c4a6c60ea92130490f5ee1b25cc5f587bce0e93ba12be6782653e1e784d07ea33b
- SSDEEP: 12288:xH6kPIA9mR9jXZkTMxRACxFF3Z4mxxtRvz2JG0/BY:xHNB9mRRpk4xWCHQmXtgJG0/G
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid | Process
  2580 | cmd.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2740 | Hacker.com.cn.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\Hacker.com.cn.exe | 641cd01e7405ae9fea7ab07cd90d7e92.exe
  File opened for modification | C:\Windows\Hacker.com.cn.exe | 641cd01e7405ae9fea7ab07cd90d7e92.exe
  File created | C:\Windows\uninstal.bat | 641cd01e7405ae9fea7ab07cd90d7e92.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2092 | 641cd01e7405ae9fea7ab07cd90d7e92.exe
  Token: SeDebugPrivilege | 2740 | Hacker.com.cn.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  2740 | Hacker.com.cn.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2092 wrote to memory of 2580 | 2092 | 641cd01e7405ae9fea7ab07cd90d7e92.exe | 30
  PID 2092 wrote to memory of 2580 | 2092 | 641cd01e7405ae9fea7ab07cd90d7e92.exe | 30
  PID 2092 wrote to memory of 2580 | 2092 | 641cd01e7405ae9fea7ab07cd90d7e92.exe | 30
  PID 2092 wrote to memory of 2580 | 2092 | 641cd01e7405ae9fea7ab07cd90d7e92.exe | 30
  PID 2092 wrote to memory of 2580 | 2092 | 641cd01e7405ae9fea7ab07cd90d7e92.exe | 30
  PID 2092 wrote to memory of 2580 | 2092 | 641cd01e7405ae9fea7ab07cd90d7e92.exe | 30
  PID 2092 wrote to memory of 2580 | 2092 | 641cd01e7405ae9fea7ab07cd90d7e92.exe | 30
  PID 2740 wrote to memory of 2464 | 2740 | Hacker.com.cn.exe | 29
  PID 2740 wrote to memory of 2464 | 2740 | Hacker.com.cn.exe | 29
  PID 2740 wrote to memory of 2464 | 2740 | Hacker.com.cn.exe | 29
  PID 2740 wrote to memory of 2464 | 2740 | Hacker.com.cn.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\641cd01e7405ae9fea7ab07cd90d7e92.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\641cd01e7405ae9fea7ab07cd90d7e92.exe"
  PID: 2092
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\uninstal.bat
    PID: 2580
    - Deletes itself
- C:\Windows\Hacker.com.cn.exe
  Command line: C:\Windows\Hacker.com.cn.exe
  PID: 2740
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 2464
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 267KB
  MD5: 2cd6515d158d87c363b0ffa29e3b9b2a
  SHA1: 0c6516d8ae0ebaefa9c6ed430e8d2ff7676f0b3c
  SHA256: d2a8026d0747ba46e93ff08724a90254cd245ff00600e25901dfb59041979eae
  SHA512: 47744f0246eca7f1d0c4e49965773107084911a0b124ad16db681b659dfae7b957c469ce08455378f81c805baa6661e33749a91df971a2294b63b5a526e8709b
- Filesize: 205KB
  MD5: bb740e73f1b9186cc2e9a5e298bbc136
  SHA1: 7f23ca3bcfb0d6711247abcada6861e5d406e6c3
  SHA256: a728c514cd12031ab7933f52241ca94dc82489857e57a8f75e0776c2cf7c513f
  SHA512: d404c39cff4ae97ab4ae3a30d6a1dadc0400ed91dc11345df7c760c1fb3ebd480d7115e5857177ccabe47e4f89ecd053f216d3f0c2a0b9996d59da3249d24056
- Filesize: 190B
  MD5: 09cc8a879facab99fcec5aab71cac9b5
  SHA1: 1296068e439a723274cc816a81f5af47c1987401
  SHA256: 6640aa359a1049ceda71efb7db48842866f1a9199128f37e17e16fc840ccffba
  SHA512: e99ff744bef58f2d0b0403e335c7d917cf7eedda6c8b5e39483b67410a84247c6440f9e3621c8bf31e958b1e457310032c674b58382667fc59545695f4b94058