Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 10/04/2024, 14:02
Static task: static1
Behavioral task: behavioral1
Sample: c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe
Resource: win7-20240319-en
General
- Target: c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe
- Size: 224KB
- MD5: 9ae3d8ba1311af690523aeb2e69bb469
- SHA1: 1357dbf294817122b1e193762fb3d66a5d73e651
- SHA256: c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a
- SHA512: 039c76556071c1d1e86fd344f671a6ff76eea067a18b8b90d9cb1c6334bd63e64a9bf19846daf2f1e5006b331f641d65162d946c85ee0e37c510ac52c5973f61
- SSDEEP: 3072:swA6vA1Cs1gm6LL0hX+t4cD1/JiwiX9nyntWyj5KLHXd6Buo3:i1Csam6LohX+t1yX9nMm3dpo
Malware Config
Signatures
- SaintBot payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2516-10-0x0000000000220000-0x0000000000229000-memory.dmp | family_saintbot
  behavioral1/memory/2516-9-0x0000000000400000-0x0000000002BA9000-memory.dmp | family_saintbot
- Deletes itself (1 IoC)
  pid | Process
  1712 | cmd.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  2748 | PING.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2516 wrote to memory of 1712 | 2516 | c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe | 28
  PID 2516 wrote to memory of 1712 | 2516 | c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe | 28
  PID 2516 wrote to memory of 1712 | 2516 | c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe | 28
  PID 2516 wrote to memory of 1712 | 2516 | c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe | 28
  PID 1712 wrote to memory of 2748 | 1712 | cmd.exe | 30
  PID 1712 wrote to memory of 2748 | 1712 | cmd.exe | 30
  PID 1712 wrote to memory of 2748 | 1712 | cmd.exe | 30
  PID 1712 wrote to memory of 2748 | 1712 | cmd.exe | 30
  PID 1712 wrote to memory of 2116 | 1712 | cmd.exe | 31
  PID 1712 wrote to memory of 2116 | 1712 | cmd.exe | 31
  PID 1712 wrote to memory of 2116 | 1712 | cmd.exe | 31
  PID 1712 wrote to memory of 2116 | 1712 | cmd.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a.exe"
  PID: 2516
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c C:\Users\Admin\AppData\Roaming\del.bat
    PID: 1712
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping localhost -n 3
      PID: 2748
      - Runs ping.exe
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
      PID: 2116
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 170B
  MD5: 0ebcfb3a61bb857a39f579a83208200b
  SHA1: f6382065a69a8a53e0c27ed640707ebdf1bc93b4
  SHA256: 571e6efcdbc6bd8a64945982408a38d17c55ac780b58620487b919615edc3a09
  SHA512: fc5eebcbe88c90d34eb4f124b33351a6d172d62a30ee692447f6d0b8ec9d0a62cca03db6c748bf8e95a5e05c8ec478127d1ac6423df807cb0a2183351912243b