Analysis
- max time kernel: 110s
- max time network: 101s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 19/07/2024, 10:07
Static task: static1
Behavioral task: behavioral1
  Sample: 819082240cf061cbb6087df9de5b5740N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 819082240cf061cbb6087df9de5b5740N.exe
  Resource: win10v2004-20240709-en
General
- Target: 819082240cf061cbb6087df9de5b5740N.exe
- Size: 51KB
- MD5: 819082240cf061cbb6087df9de5b5740
- SHA1: fc578b57f3b0d335fc5ac20ece961a4ca1cd6c85
- SHA256: 8a2d96d459c226287efc0350fea606bdeede9a12543e95941fbe5abb47812e73
- SHA512: 2d0989039eb83457c9c7a2cc23b71691fff65eaceba4677448d0fc98699752dc00eec572687c66f530fa31ee1c4b5b3d2447bafbcfa146e1f1c783208f933e5e
- SSDEEP: 768:jvQ5qDLHRdw2iPSMEk/6KxPEMb960yXb8FfbbbPTTTY1111C:jvQoLHjw2iWPKxP7vyX4pbbbPTTTP
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1964, Process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 2516, Process ayahost.exe
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Debug\ayahost.exe, Process 819082240cf061cbb6087df9de5b5740N.exe
  File opened for modification: C:\Windows\Debug\ayahost.exe, Process 819082240cf061cbb6087df9de5b5740N.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, pid 2380, Process 819082240cf061cbb6087df9de5b5740N.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2380 wrote to memory of 1964, Process 819082240cf061cbb6087df9de5b5740N.exe, procid_target 31
  PID 2380 wrote to memory of 1964, Process 819082240cf061cbb6087df9de5b5740N.exe, procid_target 31
  PID 2380 wrote to memory of 1964, Process 819082240cf061cbb6087df9de5b5740N.exe, procid_target 31
  PID 2380 wrote to memory of 1964, Process 819082240cf061cbb6087df9de5b5740N.exe, procid_target 31
Processes
- C:\Users\Admin\AppData\Local\Temp\819082240cf061cbb6087df9de5b5740N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\819082240cf061cbb6087df9de5b5740N.exe"
  PID: 2380
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\819082~1.EXE > nul
    PID: 1964
    - Deletes itself
- C:\Windows\Debug\ayahost.exe
  Command line: C:\Windows\Debug\ayahost.exe
  PID: 2516
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 51KB
  MD5: 934e4ed17678718d43f99f542e254b99
  SHA1: 357d37e670782393a6f3aa787729e6b9e3a00b08
  SHA256: 58abe8e9237b26afada5226115841d5035f1c252976fe223aa141f079c7bae38
  SHA512: 6f6b7d891a900a0d96763151cd05b86ad12cd7ab8b6629ca0fa1b7bd3e7c2d01dc3b783c6f1e5990ba3858ca79b40b14dfc39c9e7d449986aef17b6669911387