Analysis
Max time kernel: 143s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
Submitted: 20/03/2024, 00:37
Static task: static1
Behavioral task: behavioral1
  Sample: d779c777a29f9250ff00ecbdc765c4c4.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: d779c777a29f9250ff00ecbdc765c4c4.exe
  Resource: win10v2004-20240319-en
General
Target: d779c777a29f9250ff00ecbdc765c4c4.exe
Size: 380KB
MD5: d779c777a29f9250ff00ecbdc765c4c4
SHA1: 8dfec79231cc8dcd8d310aac935eb00f396a2a35
SHA256: ecd638f701bf62044f91a3179b4f1381c1195e053e976cdc29b4a89d625f30dd
SHA512: b89889227782aec04df8080f2afb7aac3ab6badd1eb8c572df1f12503cc17f6cf931da403e878ac5b8f85daf54ed958952d614fdfe4f1162d51c51540da7fea4
SSDEEP: 6144:sAoHZ+azbYMVsx/PaRs+4FEUqs6PbcFMRJ8lMuSM+gnktWx9Xxao/Lf:lotoMSPakAPbcgJpMdnwgXxawL
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2176  cmd.exe
Executes dropped EXE (1 IoC)
  PID 2700  dgjtw.exe
Loads dropped DLL (3 IoCs)
  PID 2176  cmd.exe
  PID 2176  cmd.exe
  PID 2700  dgjtw.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (1 IoC)
  PID 2652  taskkill.exe
Runs ping.exe (1 TTP, 1 IoC)
  PID 2656  PING.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2652  taskkill.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  Source PID  Source process                         Target PID  Entries
  2060        d779c777a29f9250ff00ecbdc765c4c4.exe   2176        4
  2176        cmd.exe                                2652        4
  2176        cmd.exe                                2656        4
  2176        cmd.exe                                2700        4
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d779c777a29f9250ff00ecbdc765c4c4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d779c777a29f9250ff00ecbdc765c4c4.exe"
    PID: 2060
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2060 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\d779c777a29f9250ff00ecbdc765c4c4.exe" & start C:\Users\Admin\AppData\Local\dgjtw.exe -f
        PID: 2176
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /pid 2060
            PID: 2652
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 3 127.1
            PID: 2656
            - Runs ping.exe
        [3] C:\Users\Admin\AppData\Local\dgjtw.exe
            Command line: C:\Users\Admin\AppData\Local\dgjtw.exe -f
            PID: 2700
            - Executes dropped EXE
            - Loads dropped DLL

Note: the cmd.exe, taskkill.exe and PING.EXE images resolve under C:\Windows\SysWOW64 even though the command line names System32, because the sample is a 32-bit process (resource tag arch:x86) and WOW64 file system redirection maps its System32 references to SysWOW64. The ping to 127.1 is not network activity: 127.1 is the inet_aton short form of 127.0.0.1, and "ping -n 3" against loopback is used as a sleep so that the parent has exited before the del runs.
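The cmd.exe line above is a self-delete-and-relaunch chain: kill the parent by PID, wait by pinging loopback, delete the original executable, then start the dropped dgjtw.exe. The following Python is an added detection example and is not part of the tria.ge report or of the sample; it tokenises a cmd /c line on the cmd.exe operators (outside double quotes), tags each subcommand, expands abbreviated loopback addresses such as 127.1 so that a rule keyed on 127.0.0.1 does not miss them, and flags the event when the del target equals the parent image. The pipe-separated event format and both log lines are constructed for illustration; the first reproduces the command line from the process tree, the second is a benign batch step that must not match.

```python
"""Added detection example (not part of the sandbox report): flag cmd.exe one-liners
of the shape 'kill parent, wait, delete the original, start the dropped copy'."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample events in a simplified 'parent|image|cmdline' form (not a real
# EDR or Sysmon export). Event 1 reproduces the command line from the report;
# event 2 is a benign batch step that must not be flagged.
SAMPLE_EVENTS = [
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\d779c777a29f9250ff00ecbdc765c4c4.exe|"
    "C:\\Windows\\SysWOW64\\cmd.exe|"
    '"C:\\Windows\\System32\\cmd.exe" /c taskkill /f /pid 2060 & ping -n 3 127.1 & '
    'del /f /q "C:\\Users\\Admin\\AppData\\Local\\Temp\\d779c777a29f9250ff00ecbdc765c4c4.exe" & '
    "start C:\\Users\\Admin\\AppData\\Local\\dgjtw.exe -f",
    "C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|"
    '"C:\\Windows\\System32\\cmd.exe" /c copy /y report.txt C:\\Backup\\ & echo done',
]

KILL = re.compile(r"^taskkill(?:\.exe)?\b.*\s/(?:pid|im)\s", re.I)
PING = re.compile(r"^ping(?:\.exe)?\s", re.I)
TIMEOUT = re.compile(r"^timeout(?:\.exe)?\s", re.I)
DEL = re.compile(r'^(?:del|erase)\s+(?:/[fqasp]\S*\s+)*"?([^"]+?)"?\s*$', re.I)
START = re.compile(r'^start\s+(?:"[^"]*"\s+)?(?:/\S+\s+)*"?([^"\s]+)"?', re.I)


def split_commands(cmdline: str) -> List[str]:
    """Subcommands of a 'cmd /c ...' line, split on & && | || outside double quotes.
    The cmd.exe caret (^) escape is not handled; this is a hypothetical, minimal splitter."""
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.I | re.S)
    body = m.group(1) if m else cmdline
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch in "&|" and not in_quote:
            if i + 1 < len(body) and body[i + 1] == ch:  # && or || is one separator
                i += 1
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def expand_short_ipv4(text: str) -> Optional[str]:
    """inet_aton-style expansion of abbreviated dotted decimals: '127.1' -> '127.0.0.1',
    '10.1.1' -> '10.1.0.1'. Octal and hex octets, which inet_aton also accepts, are not handled."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        return None
    head, tail = [int(p) for p in parts[:-1]], int(parts[-1])
    tail_bytes = 5 - len(parts)  # the last component fills all remaining bytes
    if any(v > 255 for v in head) or tail >= 1 << (8 * tail_bytes):
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | tail
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


@dataclass
class Verdict:
    tags: Set[str] = field(default_factory=set)
    deleted: List[str] = field(default_factory=list)
    started: List[str] = field(default_factory=list)


def classify(parent_image: str, cmdline: str) -> Verdict:
    """Tag each subcommand of a cmd.exe line and note whether a del target is the parent image."""
    v = Verdict()
    for sub in split_commands(cmdline):
        if KILL.search(sub):
            v.tags.add("kill")
        elif PING.search(sub):
            v.tags.add("delay")
            target = expand_short_ipv4(sub.split()[-1])  # assumes the host is the last token
            if target and target.startswith("127."):
                v.tags.add("loopback")  # ping to self is a sleep, not reconnaissance
        elif TIMEOUT.search(sub):
            v.tags.add("delay")
        else:
            m = DEL.search(sub)
            if m:
                v.tags.add("delete")
                v.deleted.append(m.group(1))
                continue
            m = START.search(sub)
            if m:
                v.tags.add("start")
                v.started.append(m.group(1))
    if any(p.lower() == parent_image.lower() for p in v.deleted):
        v.tags.add("deletes_parent")
    return v


def is_self_delete_chain(v: Verdict) -> bool:
    """Core of the pattern: the parent binary is deleted after a kill or a delay step."""
    return "deletes_parent" in v.tags and bool(v.tags & {"kill", "delay"})


def scan(events: List[str]):
    """Return (image, sorted tags, started paths) for every cmd.exe event that matches."""
    hits = []
    for line in events:
        parent, image, cmdline = line.split("|", 2)
        if image.lower().endswith("cmd.exe"):
            v = classify(parent, cmdline)
            if is_self_delete_chain(v):
                hits.append((image, sorted(v.tags), v.started))
    return hits


if __name__ == "__main__":
    for image, tags, started in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags)}; starts {started}")
```

Matching the del target against the parent image, rather than just the presence of taskkill and del, is what keeps installers and update scripts that delete their own temp files from firing; a real rule would also take the "kill" PID from taskkill and compare it with the parent PID carried by the event.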
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 380KB
MD5: d779c777a29f9250ff00ecbdc765c4c4
SHA1: 8dfec79231cc8dcd8d310aac935eb00f396a2a35
SHA256: ecd638f701bf62044f91a3179b4f1381c1195e053e976cdc29b4a89d625f30dd
SHA512: b89889227782aec04df8080f2afb7aac3ab6badd1eb8c572df1f12503cc17f6cf931da403e878ac5b8f85daf54ed958952d614fdfe4f1162d51c51540da7fea4