Analysis
  max time kernel: 119s
  max time network: 134s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 17/04/2024, 13:23
Static task
  static1: 1 signatures

Behavioral task
  behavioral1
  Sample: 151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe
  Resource: win7-20240221-en
  6 signatures
  150 seconds
General
  Target: 151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe
  Size: 311KB
  MD5: 9544821ed3db4db3c54f0d795bbc1ab6
  SHA1: 3dd2d16955d4e6db85051e9f368407a9d9b6870e
  SHA256: 151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a
  SHA512: 949cdade7a42a649f9daa2fd2940bf01c5bb4670e1bb3e7773fa76872da0ea1858009d6ee0f479638e8f3ee178d86d61b4750f61f768fdc0914f0994e68f6304
  SSDEEP: 6144:7f4ZKa9IPz9hmiXK8+JjdYX+VpU/UB9Xi:r4gKIPz7mid+Jj6X+YcL
Malware Config
  Extracted
  Family: gcleaner
  C2:
    185.172.128.90
    5.42.65.115
Signatures
  Deletes itself (1 IoCs)
    pid   Process
    2976  cmd.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Kills process with taskkill (1 IoCs)
    pid   Process
    2532  taskkill.exe

  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  2532  taskkill.exe

  Suspicious use of WriteProcessMemory (8 IoCs)
    description                       pid   Process                                                                   procid_target
    PID 2100 wrote to memory of 2976  2100  151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe  28
    PID 2100 wrote to memory of 2976  2100  151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe  28
    PID 2100 wrote to memory of 2976  2100  151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe  28
    PID 2100 wrote to memory of 2976  2100  151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe  28
    PID 2976 wrote to memory of 2532  2976  cmd.exe                                                                   31
    PID 2976 wrote to memory of 2532  2976  cmd.exe                                                                   31
    PID 2976 wrote to memory of 2532  2976  cmd.exe                                                                   31
    PID 2976 wrote to memory of 2532  2976  cmd.exe                                                                   31
Processes
  1. C:\Users\Admin\AppData\Local\Temp\151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe"
     PID: 2100
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe" & exit
        PID: 2976
        - Deletes itself
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\SysWOW64\taskkill.exe
           Command line: taskkill /im "151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe" /f
           PID: 2532
           - Kills process with taskkill
           - Suspicious use of AdjustPrivilegeToken