Analysis
  max time kernel:  119s
  max time network: 122s
  platform:         windows7_x64
  resource:         win7-20231215-en
  resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:        18/01/2024, 15:00
Static task:     static1
Behavioral task: behavioral1
  Sample:   vaultFile11542278852936095360.exe
  Resource: win7-20231215-en
General
  Target: vaultFile11542278852936095360.exe
  Size:   209KB
  MD5:    2c728b8d169a71f995b2b06f70e1949c
  SHA1:   566799671a67ade9ac1319ee9c9526798afd8aeb
  SHA256: fa679f8844ab283168f56247764b5e44cddd0aad6aea878fb213b80b54d51ce4
  SHA512: cc07d587e64982232570cb7b7fdc858a449cdb1fc268a0954d69d2a90b4fcf3e73d0c44706d9533d7d4e8d2ad977f06819459711b22604615039b181370af707
  SSDEEP: 3072:p86dHxGNd5E9o7lOCET1NNAhTtaWmZzFfokt+F9EepWL2tI2b3UH8XAwKYEJ:plJ4Nwo7lOpT2hkWGzxU7pBwHSXEJ
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
    flow  pid   Process
    3     1048  WScript.exe
    4     1048  WScript.exe
- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoCs)
    pid   Process
    2640  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  2640  taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
    description                       pid   Process                            procid_target
    PID 2044 wrote to memory of 1048  2044  vaultFile11542278852936095360.exe  28             (reported 4 times)
    PID 1048 wrote to memory of 2640  1048  WScript.exe                        29             (reported 4 times)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\vaultFile11542278852936095360.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\vaultFile11542278852936095360.exe"
     PID: 2044
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
        PID: 1048
        - Blocklisted process makes network request
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\taskkill.exe
           Command line: "C:\Windows\System32\taskkill.exe" /im xmrig.exe
           PID: 2640
           - Kills process with taskkill
           - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 5KB
  MD5:      406ef562a1ed4e5ae5a3da786511e016
  SHA1:     8e440da9b8c0fa43e764854dfd84ac9e622fa82e
  SHA256:   25aac05954d8717268c556f0708c69b6df5279c46f44b05c03308333f8e57cf1
  SHA512:   2cf0ac454119d9ac24e9893796779ee476fe85b30b43d654dce1d7b8241d76431e6d22efd21a31fe6404762bc39cec7ad93549ac93cea225ef82a1d0da5a788e