Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16/05/2024, 16:58
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: ed47fa9158e4cccda07bb4659da88d06.exe
  Resource: win7-20240221-en
  6 signatures, 150 seconds
General
Target: ed47fa9158e4cccda07bb4659da88d06.exe
Size: 280KB
MD5: ed47fa9158e4cccda07bb4659da88d06
SHA1: 979ba7b632c71d38630ba39a8caeb4a679fc697f
SHA256: 6f487c7bc1d98eef7c2fda7f1b38f1c199df9308634ecfc9543497cf0f5d3ea6
SHA512: a076055a9630f8d0c4ccdb03d1bf6b1f31d2f32e820cf6d427cdbfcf0cbeebb80c141d1b111d17db0b9f7b7275f5c246c00668b0fb3fc45058f4fcdfe3e1a37a
SSDEEP: 6144:cP+a94On2taJfqn311On0d21IPzoNGFt94hjsAw:Ta94Lt3n311c1IPket9ws
Malware Config
Extracted
Family: gcleaner
C2:
  185.172.128.90
  5.42.64.56
  5.42.65.64
Signatures
Deletes itself (1 IoCs)
  pid   Process
  3068  cmd.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (1 IoCs)
  pid   Process
  2000  taskkill.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2000  taskkill.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                               procid_target
  PID 2364 wrote to memory of 3068   2364  ed47fa9158e4cccda07bb4659da88d06.exe  28
  PID 2364 wrote to memory of 3068   2364  ed47fa9158e4cccda07bb4659da88d06.exe  28
  PID 2364 wrote to memory of 3068   2364  ed47fa9158e4cccda07bb4659da88d06.exe  28
  PID 2364 wrote to memory of 3068   2364  ed47fa9158e4cccda07bb4659da88d06.exe  28
  PID 3068 wrote to memory of 2000   3068  cmd.exe                               30
  PID 3068 wrote to memory of 2000   3068  cmd.exe                               30
  PID 3068 wrote to memory of 2000   3068  cmd.exe                               30
  PID 3068 wrote to memory of 2000   3068  cmd.exe                               30
Processes
C:\Users\Admin\AppData\Local\Temp\ed47fa9158e4cccda07bb4659da88d06.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed47fa9158e4cccda07bb4659da88d06.exe"
  PID: 2364
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "ed47fa9158e4cccda07bb4659da88d06.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ed47fa9158e4cccda07bb4659da88d06.exe" & exit
    PID: 3068
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "ed47fa9158e4cccda07bb4659da88d06.exe" /f
      PID: 2000
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken