Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 20:53
Static task: static1
1 signatures
Behavioral task: behavioral1
Sample: e013ac40154bab49a968752725a6792d.exe
Resource: win7-20240221-en
5 signatures, 150 seconds
Behavioral task: behavioral2
Sample: e013ac40154bab49a968752725a6792d.exe
Resource: win10v2004-20231215-en
4 signatures, 150 seconds
General
Target: e013ac40154bab49a968752725a6792d.exe
Size: 488KB
MD5: e013ac40154bab49a968752725a6792d
SHA1: b021d807b90cb09a54fe00412f7aed34e399adf8
SHA256: a074a11d13579bae87811730c14f7a9e44db5cc84b05a68b08f9d4591464f91e
SHA512: 8dd4e0129595e7f85c467f2d0ddf30bf67b716e55266ec149af696b7dee354931f0ef47b0c94356533167f9698001cd3858a194f6879b4a50a17dc4b23639c86
SSDEEP: 12288:FytbV3kSoXaLnTosl7hMgcreHLwnjBhu8jAqs5:Eb5kSYaLTVlnHLwnNLEqU
Score: 7/10
Malware Config
Signatures
Deletes itself (1 IoCs)
pid | Process
1072 | cmd.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
2592 | PING.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1212 | e013ac40154bab49a968752725a6792d.exe
1212 | e013ac40154bab49a968752725a6792d.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1212 | e013ac40154bab49a968752725a6792d.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1212 wrote to memory of 1072 | 1212 | e013ac40154bab49a968752725a6792d.exe | 28
PID 1212 wrote to memory of 1072 | 1212 | e013ac40154bab49a968752725a6792d.exe | 28
PID 1212 wrote to memory of 1072 | 1212 | e013ac40154bab49a968752725a6792d.exe | 28
PID 1072 wrote to memory of 2592 | 1072 | cmd.exe | 30
PID 1072 wrote to memory of 2592 | 1072 | cmd.exe | 30
PID 1072 wrote to memory of 2592 | 1072 | cmd.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\e013ac40154bab49a968752725a6792d.exe (PID:1212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e013ac40154bab49a968752725a6792d.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID:1072)
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 6000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e013ac40154bab49a968752725a6792d.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\PING.EXE (PID:2592)
      Command line: ping 1.1.1.1 -n 1 -w 6000
      - Runs ping.exe