Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 25/06/2024, 10:11
Static task
- static1

Behavioral task
- behavioral1
  Sample: 1f68f87b6dd86ca34d769c0ba74d97c0b2ba868198a7d632070d24b585f25f52.exe
  Resource: win7-20240419-en

Behavioral task
- behavioral2
  Sample: 1f68f87b6dd86ca34d769c0ba74d97c0b2ba868198a7d632070d24b585f25f52.exe
  Resource: win10v2004-20240508-en
General
- Target: 1f68f87b6dd86ca34d769c0ba74d97c0b2ba868198a7d632070d24b585f25f52.exe
- Size: 6.4MB
- MD5: 222ae73510057464ddf4c399d299bacb
- SHA1: dfe08f92d5cf7eb946ee8b6ee59fc9a4d4c234be
- SHA256: 1f68f87b6dd86ca34d769c0ba74d97c0b2ba868198a7d632070d24b585f25f52
- SHA512: c5c968602312e27e74edd2963e47307824566bd7f55e7f801dacfd4db975a80f02378e6a2b1dd721670d74726e84d454e3b742f200a08b72233bb8565e95044e
- SSDEEP: 98304:abPYi4+r4ubGpQT7hdBjEVHE7OBP0MftJBAUZLq:W4A4RQOBMMlJV2
Signatures
- Loads dropped DLL (1 IoC)
  pid 1320, 1f68f87b6dd86ca34d769c0ba74d97c0b2ba868198a7d632070d24b585f25f52.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 1980 WerFault.exe, pid_target 1320, procid_target 27
- Kills process with taskkill (3 IoCs)
  pid 2620 taskkill.exe; pid 2884 taskkill.exe; pid 1632 taskkill.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 2620 taskkill.exe; Token: SeDebugPrivilege, pid 2884 taskkill.exe; Token: SeDebugPrivilege, pid 1632 taskkill.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 1320, 1f68f87b6dd86ca34d769c0ba74d97c0b2ba868198a7d632070d24b585f25f52.exe (reported three times)
- Suspicious use of WriteProcessMemory (20 IoCs; each row below is reported four times)
  PID 1320 wrote to memory of 2628 (pid 1320, 1f68f87b6dd86ca34d769c0ba74d97c0b2ba868198a7d632070d24b585f25f52.exe, procid_target 29)
  PID 2628 wrote to memory of 2620 (pid 2628, cmd.exe, procid_target 31)
  PID 1320 wrote to memory of 2872 (pid 1320, 1f68f87b6dd86ca34d769c0ba74d97c0b2ba868198a7d632070d24b585f25f52.exe, procid_target 33)
  PID 2872 wrote to memory of 2884 (pid 2872, cmd.exe, procid_target 35)
  PID 2872 wrote to memory of 1632 (pid 2872, cmd.exe, procid_target 36)
Processes
- C:\Users\Admin\AppData\Local\Temp\1f68f87b6dd86ca34d769c0ba74d97c0b2ba868198a7d632070d24b585f25f52.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f68f87b6dd86ca34d769c0ba74d97c0b2ba868198a7d632070d24b585f25f52.exe"
  PID: 1320
  Signatures: Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\\restart.bat
    PID: 2628
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im ╢╢═├═├.exe
      PID: 2620
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\\restart.bat
    PID: 2872
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: Taskkill /f /im ╢╢═├═├.exe
      PID: 2884
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: Taskkill /f /im .cache_╢╢═├═├.exe
      PID: 1632
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 296
    PID: 1980
    Signatures: Program crash
Downloads
- Filesize: 92B
  MD5: 6789c01ef17152224e1dadce89ebc364
  SHA1: 1a72865012ad8cfeba5a391ad046339a44fc9a57
  SHA256: 5b4f8879fa51c430abaaa94094fe82e22c0912881f961219d9b0805446a09412
  SHA512: 5b4de797295e23a1e8934c551375ebb1335a3dcdd7ad8e0c7baeb0fc2fe2f7d41bcd75b8f40cbb6943a098001ee076f4acd05005559d98c286fce7535b6974d6
- Filesize: 145B
  MD5: 96785a2f7e2fa7a92132cb9843b7b1cd
  SHA1: b677d2d5a7b8c28850d15ca2c184b71b8eb6d651
  SHA256: 1c7838fe63f9564636489704d817fa44a034d9487adc54f400f056c06bacaaed
  SHA512: ec789081a28c4e5529ae0bb15fd8e1426e8bd46ea970be689e6f42ca2181ad702b1029c6c4ca7d2ecd23217170281ac0a245ac96b472919d22c8d3574dca2dae
- Filesize: 2.1MB
  MD5: 04869ada712c189caba4822be0e81ea5
  SHA1: 9c45486b30e6d3ccf0737c5766796baaf58232ab
  SHA256: 23078015adb0cf53ebf632a895a1a224b3718174e6c2887e1bbb2d28be5e2b8b
  SHA512: 16f98af15583c60da0cb947ea2230f759bfa27f86ef93ef5f7ffe2adcec6c5f115f52ffa74bae6cf8add94bb6a380fa276f391619256be7a45c53bb7421fdd9c