Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 24/05/2024, 03:56
Static task
- static1

Behavioral tasks
- behavioral1: 6d44111e1a27a1df71ce130ca5ba1b06_JaffaCakes118.exe on win7-20240220-en
- behavioral2: 6d44111e1a27a1df71ce130ca5ba1b06_JaffaCakes118.exe on win10v2004-20240226-en
- behavioral3: beehebjghc.exe on win7-20240419-en
- behavioral4: beehebjghc.exe on win10v2004-20240426-en

The signatures and process tree below belong to behavioral3 (beehebjghc.exe on win7-20240419-en, the resource listed under Analysis).
General
- Target: beehebjghc.exe
- Size: 563KB
- MD5: 65f7a0239113c91ffb312569e0627b08
- SHA1: 4877b661e6fbd5dd96afdf59e0c88cf44d64bf94
- SHA256: c6da1362f1ae653ded8a65fed7d8b36b73b9e41c1ce01cbb087135053f5b2647
- SHA512: 0eba272c8ccc46ff51509ed642c4794d6d03c782f50482a29c950fa66666950c32d7468959d570e662005b962bc19b355c807754629ae9b5516f24d7748fbfda
- SSDEEP: 12288:cCsn5OejVsQwDgLMUB5vIXbyVxbHFoVlbOzKBztyAH4M:cCyPB+D8MUB5vIXbyVxbHFKl62Bz4AHZ
Signatures
Program crash (1 IoC)

  pid   pid_target  Process       procid_target
  2592  2164        WerFault.exe  27

  WerFault.exe (PID 2592) is reporting a fault in PID 2164, which is the sample itself: beehebjghc.exe crashed during the run.

Suspicious use of AdjustPrivilegeToken (64 IoCs)

  Every entry is a wmic.exe child of the sample enabling privileges on its own token; the sample (PID 2164) does not appear in this list. Each wmic.exe instance enables the same list, in the same order:

    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35

  The three numeric entries are privilege LUIDs the report leaves unnamed: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege and 35 SeCreateSymbolicLinkPrivilege.

  pid   Process   entries recorded
  2384  wmic.exe  full list, recorded twice (40)
  2740  wmic.exe  full list (20)
  2940  wmic.exe  first four only: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege (4)

  The list stops at 64 entries part-way through PID 2940; whether the remaining wmic.exe children (2828, 2560) did the same is not recorded here. Because the identical set is enabled by every wmic.exe instance and never by the sample, this signature describes wmic.exe's own start-up behaviour, not a token manipulation performed by beehebjghc.exe.

Suspicious use of WriteProcessMemory (24 IoCs)

  Every write comes from the sample (PID 2164) into a process it has just spawned, four writes per child:

  pid   wrote to  Process         procid_target  writes
  2164  2384      beehebjghc.exe  28             4
  2164  2740      beehebjghc.exe  31             4
  2164  2940      beehebjghc.exe  33             4
  2164  2828      beehebjghc.exe  35             4
  2164  2560      beehebjghc.exe  37             4
  2164  2592      beehebjghc.exe  39             4

  The targets are the five wmic.exe children and WerFault.exe (2592), which the process tree also shows as a child of 2164. A uniform four writes into each freshly created child, the crash reporter included, is consistent with the parent writing start-up parameters into processes it created rather than with injection into unrelated processes; read this signature together with the process tree rather than on its own.
Processes

C:\Users\Admin\AppData\Local\Temp\beehebjghc.exe  (PID 2164)
  command line: "C:\Users\Admin\AppData\Local\Temp\beehebjghc.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 2384)
    command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716523015.txt bios get serialnumber
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 2740)
    command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716523015.txt bios get version
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 2940)
    command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716523015.txt bios get version
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 2828)
    command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716523015.txt bios get version

  C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 2560)
    command line: wmic /output:C:\Users\Admin\AppData\Local\Temp\81716523015.txt bios get version

  C:\Windows\SysWOW64\WerFault.exe  (PID 2592)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 372
    - Program crash

What the tree shows: the sample runs from the user's Temp directory as a 32-bit process (every child is launched from SysWOW64, matching the arch:x86 resource tag), queries the BIOS serial number once and the BIOS version four times through wmic.exe, writing each result to the same file 81716523015.txt in its own Temp directory, and then crashes (WerFault.exe is reporting on PID 2164). Reading the BIOS serial number and version through WMI is the kind of activity ATT&CK files under T1047 (Windows Management Instrumentation) and T1082 (System Information Discovery); the BIOS serial number in particular is a common virtualisation check (T1497.001), since hypervisors return recognisable vendor strings or empty values. The page's own ATT&CK matrix is empty, so that mapping is this editor's annotation, not the sandbox's. No network activity and no extracted malware configuration are recorded for this run.
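The pattern in the tree above (a process running from a user-writable directory spawning several wmic.exe children that query the BIOS and redirect the output to a temp file) is straightforward to detect from process-creation telemetry. The script below is an added example for this page, not tria.ge code. The EVENTS list is constructed by hand from the report's process tree (PIDs, image paths and command lines); in production the same records would come from Sysmon Event ID 1 or Security event 4688. The scoring weights, the min_queries threshold and the BENIGN control records are assumptions for illustration.

```python
"""Detect wmic.exe BIOS fingerprinting from process-creation records.

Added example for this report; it is not tria.ge code. EVENTS is constructed
from the process tree above; BENIGN is a constructed control. Scoring weights
and the min_queries threshold are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TMP = r"C:\Users\Admin\AppData\Local\Temp"
WMIC = r"C:\Windows\SysWOW64\Wbem\wmic.exe"

# Constructed from the report's process tree (parent PID 2164 and its children).
EVENTS = [
    ProcessEvent(2164, 0, TMP + r"\beehebjghc.exe", f'"{TMP}\\beehebjghc.exe"'),
    ProcessEvent(2384, 2164, WMIC, f"wmic /output:{TMP}\\81716523015.txt bios get serialnumber"),
    ProcessEvent(2740, 2164, WMIC, f"wmic /output:{TMP}\\81716523015.txt bios get version"),
    ProcessEvent(2940, 2164, WMIC, f"wmic /output:{TMP}\\81716523015.txt bios get version"),
    ProcessEvent(2828, 2164, WMIC, f"wmic /output:{TMP}\\81716523015.txt bios get version"),
    ProcessEvent(2560, 2164, WMIC, f"wmic /output:{TMP}\\81716523015.txt bios get version"),
    ProcessEvent(2592, 2164, r"C:\Windows\SysWOW64\WerFault.exe",
                 r"C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 372"),
]

# Constructed benign control: an administrator querying the serial number once from cmd.exe.
BENIGN = [
    ProcessEvent(500, 0, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(501, 500, r"C:\Windows\System32\wbem\WMIC.exe", "wmic bios get serialnumber"),
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Directories an unprivileged user can write to; a parent image here is the strongest signal.
USER_WRITABLE_RE = re.compile(
    r"\\users\\[^\\]+\\appdata\\(?:local|roaming)\\|\\windows\\temp\\|\\programdata\\", re.I)


def split_cmdline(cmdline: str) -> list[str]:
    """Whitespace split that keeps quoted arguments together and drops the quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_wmic_bios_query(cmdline: str):
    """Return {'output': path-or-None, 'props': [...]} for `wmic [/switches] bios get <props>`.

    Returns None for anything that is not a wmic BIOS query. Only the /output:
    global switch is interpreted; others (/node:, /user:, ...) are skipped.
    """
    toks = split_cmdline(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("wmic", "wmic.exe"):
        return None
    output = None
    i = 1
    while i < len(toks) and toks[i].startswith("/"):
        switch, _, value = toks[i].partition(":")
        if switch.lower() == "/output":
            output = value or None
        i += 1
    rest = [t.lower() for t in toks[i:]]
    if len(rest) < 3 or rest[:2] != ["bios", "get"]:
        return None
    # `get a,b` and `get a, b` are both accepted by wmic; normalise to one list.
    props = [p for chunk in rest[2:] for p in chunk.split(",") if p]
    return {"output": output, "props": props}


def bios_fingerprint_alerts(events, min_queries: int = 2) -> list[dict]:
    """Group wmic BIOS queries by parent PID and score each parent (weights are assumptions)."""
    by_pid = {e.pid: e for e in events}
    per_parent = defaultdict(list)
    for e in events:
        q = parse_wmic_bios_query(e.cmdline)
        if q is not None:
            per_parent[e.ppid].append(q)
    alerts = []
    for ppid, queries in per_parent.items():
        parent = by_pid.get(ppid)
        score, reasons = 0, []
        if len(queries) >= min_queries:
            score += 1
            reasons.append(f"{len(queries)} BIOS queries from one parent")
        if parent is not None and USER_WRITABLE_RE.search(parent.image):
            score += 2
            reasons.append("parent image in a user-writable directory")
        outputs = sorted({q["output"] for q in queries if q["output"]})
        if any(USER_WRITABLE_RE.search(o) for o in outputs):
            score += 1
            reasons.append("/output: redirected to a user-writable file")
        # Context only, not scored: a WerFault.exe child of the same parent means it crashed.
        crashed = any(c.ppid == ppid and c.image.lower().endswith("\\werfault.exe") for c in events)
        if score >= 2:
            alerts.append({
                "parent_pid": ppid,
                "parent_image": parent.image if parent else None,
                "query_count": len(queries),
                "props": sorted({p for q in queries for p in q["props"]}),
                "output_files": outputs,
                "crashed": crashed,
                "score": score,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in bios_fingerprint_alerts(EVENTS):
        print(alert)
    print("benign control alerts:", bios_fingerprint_alerts(BENIGN))
```

Run against the constructed records, the sample's parent (PID 2164) scores 4 with five BIOS queries, both `serialnumber` and `version` requested, one output file in Temp and the crash flag set, while the single interactive `wmic bios get serialnumber` from cmd.exe in System32 produces no alert. The parent-path check carries the most weight on purpose: a BIOS query from an interactive shell or a management agent under Program Files is routine, whereas the same query issued by a binary in AppData\Local\Temp is the combination worth paging on.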
Downloads
- Filesize: 66B
- MD5: 9025468f85256136f923096b01375964
- SHA1: 7fcd174999661594fa5f88890ffb195e9858cc52
- SHA256: d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
- SHA512: 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51