Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15/03/2024, 14:06
Static task: static1
Behavioral task: behavioral1
  Sample: cb99b97464bc521a09aaf995875e6d6b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: cb99b97464bc521a09aaf995875e6d6b.exe
  Resource: win10v2004-20231215-en
General
Target: cb99b97464bc521a09aaf995875e6d6b.exe
Size: 24KB
MD5: cb99b97464bc521a09aaf995875e6d6b
SHA1: e2ebbc32a8a257cddfe92054132becb6d40815bb
SHA256: 3e84365f940e104ccd43d1ad7f5955c7f0b7a73e9e52c86ed91ef7666034db04
SHA512: 86aa385da1b5234071d0119b1d34f4aa3686d75f76bad312f9c6e573a3e5cf784210d77062fc485c8215ff06458a3399e861d17bcfb7072f77c5a95ffc9ccda1
SSDEEP: 384:E3eVES+/xwGkRKJ/olM61qmTTMVF9/q5qDG0:bGS+ZfbJ/oO8qYoAGv
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  Process: cb99b97464bc521a09aaf995875e6d6b.exe
Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  Process: cb99b97464bc521a09aaf995875e6d6b.exe
Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 2252: tasklist.exe
Gathers network information (2 TTPs, 2 IoCs)
  Uses command-line utility to view network configuration.
  pid 2872: ipconfig.exe
  pid 2392: NETSTAT.EXE
Runs net.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2252: tasklist.exe
  Token: SeDebugPrivilege, pid 2392: NETSTAT.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2992: cb99b97464bc521a09aaf995875e6d6b.exe (recorded 2 times)
Suspicious use of WriteProcessMemory (28 IoCs; each write below is recorded 4 times)
  PID 2992 (cb99b97464bc521a09aaf995875e6d6b.exe) wrote to memory of 1628, procid_target 28
  PID 1628 (cmd.exe) wrote to memory of 2564, procid_target 30
  PID 1628 (cmd.exe) wrote to memory of 2872, procid_target 31
  PID 1628 (cmd.exe) wrote to memory of 2252, procid_target 32
  PID 1628 (cmd.exe) wrote to memory of 2648, procid_target 34
  PID 2648 (net.exe) wrote to memory of 2632, procid_target 35
  PID 1628 (cmd.exe) wrote to memory of 2392, procid_target 36
Processes
1. C:\Users\Admin\AppData\Local\Temp\cb99b97464bc521a09aaf995875e6d6b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cb99b97464bc521a09aaf995875e6d6b.exe"
   PID: 2992
   - Adds Run key to start application
   - Drops file in Program Files directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
      PID: 1628
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c set
         PID: 2564
      3. C:\Windows\SysWOW64\ipconfig.exe
         Command line: ipconfig /all
         PID: 2872
         - Gathers network information
      3. C:\Windows\SysWOW64\tasklist.exe
         Command line: tasklist
         PID: 2252
         - Enumerates processes with tasklist
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\net.exe
         Command line: net start
         PID: 2648
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start
            PID: 2632
      3. C:\Windows\SysWOW64\NETSTAT.EXE
         Command line: netstat -an
         PID: 2392
         - Gathers network information
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 8KB
MD5: 68a30a6a17bbc4bdd75379b8925775ad
SHA1: 799995acb5ddcecf84f1c78aebfbe0921e3ab867
SHA256: 577551ca7a1971d733cc3f8c7500e41f5b9f49d2293ea83da2b37c99ae93bda9
SHA512: 2307095973745f6b05860295f32bfd96a0692b2c2702d50ed9a8f0c0c963f9e1c871dac39a8086bcbafa14085b757a600f56e634ebaad2a6620f43b16fa31d3e