Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

5

Static

static

3

win.exe

windows7-x64

5

win.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    24/07/2024, 04:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    win.exe

  • Size

    965KB

  • MD5

    2b3ecc21382e825d6fe0812a717717eb

  • SHA1

    f3386531f7726a4f673003bf6cb5806843b76ffb

  • SHA256

    af252d8f2c1166000a47bc52a23ba6dbee07ee4adf4de833f633a33db2aa2152

  • SHA512

    7c1bf7f216861e435e71eaed6f9ff44a8453833c17896e661174b7616a9c25c7da21ad4f8687fe00f39380c7a2bebb854c3d7f47eed14021781ccdfc65dcb7c0

  • SSDEEP

    24576:0GRnx275QAJByPBIA/7oWw7XNyTvvvsjPhWm+2sGb6aYU8XFUiUBJRR7VFrQSgds:0GRna2EByPBIA/7oWw7XNyTvvUbhl+2j

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\win.exe
    "C:\Users\Admin\AppData\Local\Temp\win.exe"
    1⤵
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c sc start vss
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\system32\sc.exe
        sc start vss
        3⤵
        • Launches sc.exe
        PID:2308
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2880-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2880-0-0x0000000180000000-0x00000001800E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2880-2-0x0000000180000000-0x00000001800E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2880-5-0x0000000180000000-0x00000001800E8000-memory.dmp

    Filesize

    928KB

    Download

  • memory/2880-7-0x0000000180000000-0x00000001800E8000-memory.dmp

    Filesize

    928KB

    Download