Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/01/2024, 03:42
Static task: static1
Behavioral task: behavioral1
  Sample: 73a44083556179e076af633a2757f64b.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 73a44083556179e076af633a2757f64b.exe
  Resource: win10v2004-20231215-en
General
- Target: 73a44083556179e076af633a2757f64b.exe
- Size: 24KB
- MD5: 73a44083556179e076af633a2757f64b
- SHA1: 72dafd10ebee7ff1b1032eeb7f5e323fa5dce43b
- SHA256: 419388bc816bfec26d8c45b2fca1788ae6d883ded974eb8a89200a7ffad6fe5c
- SHA512: ccdf1123bd2ab1b732e79ce4307bcd9bf8ceb84108b8348c6d2195e86c5260e469b380228eccef4b08bc1cbb15adfa734c2c7fcbb5478dc3c20c193219dc05b2
- SSDEEP: 384:E3eVES+/xwGkRKJTwLwlM61qmTTMVF9/q5M0:bGS+ZfbJTwLwO8qYoAd
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe" | 73a44083556179e076af633a2757f64b.exe
- Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe | 73a44083556179e076af633a2757f64b.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid | Process
  2832 | tasklist.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid | Process
  2308 | ipconfig.exe
  2780 | NETSTAT.EXE
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2832 | tasklist.exe
  Token: SeDebugPrivilege | 2780 | NETSTAT.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  808 | 73a44083556179e076af633a2757f64b.exe
  808 | 73a44083556179e076af633a2757f64b.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 808 wrote to memory of 1716 | 808 | 73a44083556179e076af633a2757f64b.exe | 28
  PID 808 wrote to memory of 1716 | 808 | 73a44083556179e076af633a2757f64b.exe | 28
  PID 808 wrote to memory of 1716 | 808 | 73a44083556179e076af633a2757f64b.exe | 28
  PID 808 wrote to memory of 1716 | 808 | 73a44083556179e076af633a2757f64b.exe | 28
  PID 1716 wrote to memory of 2660 | 1716 | cmd.exe | 30
  PID 1716 wrote to memory of 2660 | 1716 | cmd.exe | 30
  PID 1716 wrote to memory of 2660 | 1716 | cmd.exe | 30
  PID 1716 wrote to memory of 2660 | 1716 | cmd.exe | 30
  PID 1716 wrote to memory of 2308 | 1716 | cmd.exe | 31
  PID 1716 wrote to memory of 2308 | 1716 | cmd.exe | 31
  PID 1716 wrote to memory of 2308 | 1716 | cmd.exe | 31
  PID 1716 wrote to memory of 2308 | 1716 | cmd.exe | 31
  PID 1716 wrote to memory of 2832 | 1716 | cmd.exe | 32
  PID 1716 wrote to memory of 2832 | 1716 | cmd.exe | 32
  PID 1716 wrote to memory of 2832 | 1716 | cmd.exe | 32
  PID 1716 wrote to memory of 2832 | 1716 | cmd.exe | 32
  PID 1716 wrote to memory of 2092 | 1716 | cmd.exe | 34
  PID 1716 wrote to memory of 2092 | 1716 | cmd.exe | 34
  PID 1716 wrote to memory of 2092 | 1716 | cmd.exe | 34
  PID 1716 wrote to memory of 2092 | 1716 | cmd.exe | 34
  PID 2092 wrote to memory of 2928 | 2092 | net.exe | 35
  PID 2092 wrote to memory of 2928 | 2092 | net.exe | 35
  PID 2092 wrote to memory of 2928 | 2092 | net.exe | 35
  PID 2092 wrote to memory of 2928 | 2092 | net.exe | 35
  PID 1716 wrote to memory of 2780 | 1716 | cmd.exe | 36
  PID 1716 wrote to memory of 2780 | 1716 | cmd.exe | 36
  PID 1716 wrote to memory of 2780 | 1716 | cmd.exe | 36
  PID 1716 wrote to memory of 2780 | 1716 | cmd.exe | 36
Processes
C:\Users\Admin\AppData\Local\Temp\73a44083556179e076af633a2757f64b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73a44083556179e076af633a2757f64b.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 808
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    - Suspicious use of WriteProcessMemory
    PID: 1716
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c set
      PID: 2660
    C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /all
      - Gathers network information
      PID: 2308
    C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
      PID: 2832
    C:\Windows\SysWOW64\net.exe
      Command line: net start
      - Suspicious use of WriteProcessMemory
      PID: 2092
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start
        PID: 2928
    C:\Windows\SysWOW64\NETSTAT.EXE
      Command line: netstat -an
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
      PID: 2780
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 6f67e872b169372375605d41f587fc42
  SHA1: 5802863a6f74a683c9633ef08bdebd241321b5f7
  SHA256: 156e7424079c2b24eee2d9edd15158ee7f259777f03c5e1c8be84bb86c0be5bb
  SHA512: c19e2d7a6ac84f99561b4c37d5f0ca532e655761c87c931be4362dbe42818bc1e2e92a8c7fe9d990515ae2cb56b8313e4928477f93edbb55094084595016b888