Analysis
- max time kernel: 146s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 11/03/2024, 18:53
Static task: static1
Behavioral task: behavioral1
- Sample: c1599b70e4145735dd29e4ca674619b2.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c1599b70e4145735dd29e4ca674619b2.exe
- Resource: win10v2004-20240226-en
General
- Target: c1599b70e4145735dd29e4ca674619b2.exe
- Size: 228KB
- MD5: c1599b70e4145735dd29e4ca674619b2
- SHA1: 4ef50fe0e43b28d29e59e00a9a06860c1314a1f1
- SHA256: b2a3e747888965b0379759c9619f8d283678b32fdd0de6f3503a022b57f78d3d
- SHA512: a6bf37915f297b3ab163a6c4ed3233cbf347bbf16d42bd25c1bbe32f8be4c5c191f7f9dcd5900eaf3f9c6919d21ff1e4bcc2d2ad86c9e1ee0d52d848eea374b1
- SSDEEP: 3072:1c52nLeK1ZmLIgI4TDsvaw3V8n6T+C8dwcEgzlJY8No1LnOIQkioYxiTT3:G52l1ZOZIYDArzPGEgzlJY8Kn0QTT3
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2768, process cmd.exe
- Executes dropped EXE (1 IoCs)
  pid 2356, process aszas.exe
- Loads dropped DLL (4 IoCs)
  pid 2768, process cmd.exe
  pid 2768, process cmd.exe
  pid 2356, process aszas.exe
  pid 2356, process aszas.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoCs)
  pid 3020, process taskkill.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid 2784, process PING.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 2356, process aszas.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege; pid 3020, process taskkill.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 2356, process aszas.exe
  pid 2356, process aszas.exe
  pid 2356, process aszas.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid 2356, process aszas.exe
  pid 2356, process aszas.exe
  pid 2356, process aszas.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 3052 wrote to memory of 2768 | 3052 | c1599b70e4145735dd29e4ca674619b2.exe | 28
  PID 3052 wrote to memory of 2768 | 3052 | c1599b70e4145735dd29e4ca674619b2.exe | 28
  PID 3052 wrote to memory of 2768 | 3052 | c1599b70e4145735dd29e4ca674619b2.exe | 28
  PID 3052 wrote to memory of 2768 | 3052 | c1599b70e4145735dd29e4ca674619b2.exe | 28
  PID 2768 wrote to memory of 3020 | 2768 | cmd.exe | 30
  PID 2768 wrote to memory of 3020 | 2768 | cmd.exe | 30
  PID 2768 wrote to memory of 3020 | 2768 | cmd.exe | 30
  PID 2768 wrote to memory of 3020 | 2768 | cmd.exe | 30
  PID 2768 wrote to memory of 2784 | 2768 | cmd.exe | 32
  PID 2768 wrote to memory of 2784 | 2768 | cmd.exe | 32
  PID 2768 wrote to memory of 2784 | 2768 | cmd.exe | 32
  PID 2768 wrote to memory of 2784 | 2768 | cmd.exe | 32
  PID 2768 wrote to memory of 2356 | 2768 | cmd.exe | 33
  PID 2768 wrote to memory of 2356 | 2768 | cmd.exe | 33
  PID 2768 wrote to memory of 2356 | 2768 | cmd.exe | 33
  PID 2768 wrote to memory of 2356 | 2768 | cmd.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\c1599b70e4145735dd29e4ca674619b2.exe (depth 1, PID 3052)
  command line: "C:\Users\Admin\AppData\Local\Temp\c1599b70e4145735dd29e4ca674619b2.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2768)
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 3052 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\c1599b70e4145735dd29e4ca674619b2.exe" & start C:\Users\Admin\AppData\Local\aszas.exe -f
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (depth 3, PID 3020)
      command line: taskkill /f /pid 3052
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\PING.EXE (depth 3, PID 2784)
      command line: ping -n 3 127.1
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\aszas.exe (depth 3, PID 2356)
      command line: C:\Users\Admin\AppData\Local\aszas.exe -f
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 228KB
- MD5: c1599b70e4145735dd29e4ca674619b2
- SHA1: 4ef50fe0e43b28d29e59e00a9a06860c1314a1f1
- SHA256: b2a3e747888965b0379759c9619f8d283678b32fdd0de6f3503a022b57f78d3d
- SHA512: a6bf37915f297b3ab163a6c4ed3233cbf347bbf16d42bd25c1bbe32f8be4c5c191f7f9dcd5900eaf3f9c6919d21ff1e4bcc2d2ad86c9e1ee0d52d848eea374b1