Analysis
- max time kernel: 11s
- max time network: 15s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 20/07/2024, 17:21
Static task: static1
Behavioral task: behavioral1
- Sample: 0506f2c306f1eb3760e3931573bda550N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 0506f2c306f1eb3760e3931573bda550N.exe
- Resource: win10v2004-20240709-en
General
- Target: 0506f2c306f1eb3760e3931573bda550N.exe
- Size: 208KB
- MD5: 0506f2c306f1eb3760e3931573bda550
- SHA1: f16af8370c4ee038d839b5dbe7baaa61edc3d8bb
- SHA256: 81b02e400c3f13cf7a0d225fb7606239cef329fbf78adb9050b25ce36f6356f1
- SHA512: dcc95e89c9df99376a3a5186642fb7072a0173c8995151ab31a30a4f7c5cd374effd969b73ce09be209f17eeaa0370b468d128eaac8b40e9e905bda7d9588ba3
- SSDEEP: 6144:7AS6gyCdizgZu8u/yVfkbf+efjnnuI66RNQEj:7A9CdizgZu8u/b7+efjnnu16RNQ
Malware Config
Signatures

Executes dropped EXE (1 IoC)
- PID 2808: OKPY.exe

Loads dropped DLL (2 IoCs)
- PID 2812: cmd.exe (2 hits)

Drops file in System32 directory (3 IoCs)
- File created: C:\windows\SysWOW64\OKPY.exe (process: 0506f2c306f1eb3760e3931573bda550N.exe)
- File opened for modification: C:\windows\SysWOW64\OKPY.exe (process: 0506f2c306f1eb3760e3931573bda550N.exe)
- File created: C:\windows\SysWOW64\OKPY.exe.bat (process: 0506f2c306f1eb3760e3931573bda550N.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2796: 0506f2c306f1eb3760e3931573bda550N.exe
- PID 2808: OKPY.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 2796: 0506f2c306f1eb3760e3931573bda550N.exe (2 hits)
- PID 2808: OKPY.exe (2 hits)

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 2796 (0506f2c306f1eb3760e3931573bda550N.exe) wrote to memory of PID 2812, procid_target 29 (4 hits)
- PID 2812 (cmd.exe) wrote to memory of PID 2808, procid_target 31 (4 hits)
Processes

1. C:\Users\Admin\AppData\Local\Temp\0506f2c306f1eb3760e3931573bda550N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0506f2c306f1eb3760e3931573bda550N.exe"
   PID: 2796
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2796)
      Command line: cmd /c ""C:\windows\system32\OKPY.exe.bat" "
      PID: 2812
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\windows\SysWOW64\OKPY.exe (child of PID 2812)
         Command line: C:\windows\system32\OKPY.exe
         PID: 2808
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1
- Filesize: 72B
- MD5: 72e573dbbc7d9490f554451d4d8b2299
- SHA1: 86afc265700806156546f0f41bb2104a269fd316
- SHA256: 18cc6dfd78f2be5e93227b188f5b1b23f4024feb184cab689d94ee65c75f37f8
- SHA512: 3146091c8ea345b9c5908139314074918ad5addb38836154d540f29057a6822154e7eadd7224e655914cc0c46566dd3d76cf1960bd793fe9514839893029259d

Dropped file 2
- Filesize: 208KB
- MD5: 4d0d5aecff8d44e08053d039a27a9009
- SHA1: 93afb4b87a2ecaef2d32d71ecabcb868c6859d19
- SHA256: 1b62b136f3519819086de5bf38aafa2c3933b48684ec52ba2a742b470a6b4115
- SHA512: 2cc6a17b44d5c5c945334fc9bc8dcde32a90c78410756623549752886ee9d2474c423c059ca4f09cb8189cdb3c392480e5c5d7c313c866c04b4c1cba00c72603