Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

0b9f153a21...8e.exe

windows7-x64

8

0b9f153a21...8e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28/07/2024, 01:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b9f153a21e94859500bfde94d1bd93e7ff44716b9f12c5271576e41f34aec8e.exe

  • Size

    10.0MB

  • MD5

    0df2bec1762644d811440aeac1bf570f

  • SHA1

    4b185a16e75369435b9816a111d2b02445bbb041

  • SHA256

    0b9f153a21e94859500bfde94d1bd93e7ff44716b9f12c5271576e41f34aec8e

  • SHA512

    d6c2a56c6eed704e5d092484c7151b60d95f915e7069693d10e14395bdbf96f579a212fa9978a5996ad443cb097c85fe17d530749dbb93410935491be5d6bfa9

  • SSDEEP

    196608:LsPk1QL2ginFlPuSFQgm3asoogknF6hBTv8KGg:wPMQLXujPuSFdmK1eqo

Score
8/10
evasionexecution

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 16 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b9f153a21e94859500bfde94d1bd93e7ff44716b9f12c5271576e41f34aec8e.exe
    "C:\Users\Admin\AppData\Local\Temp\0b9f153a21e94859500bfde94d1bd93e7ff44716b9f12c5271576e41f34aec8e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\system32\cmd.exe
      cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1684
    • C:\Windows\system32\cmd.exe
      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
    • C:\Windows\system32\cmd.exe
      cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\system32\taskkill.exe
        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
    • C:\Windows\system32\cmd.exe
      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\system32\sc.exe
        sc stop HTTPDebuggerPro
        3⤵
        • Launches sc.exe
        PID:2196
    • C:\Windows\system32\cmd.exe
      cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\system32\taskkill.exe
        taskkill /IM HTTPDebuggerSvc.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3012
    • C:\Windows\system32\cmd.exe
      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
      2⤵
        PID:2056
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\0b9f153a21e94859500bfde94d1bd93e7ff44716b9f12c5271576e41f34aec8e.exe" MD5
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\0b9f153a21e94859500bfde94d1bd93e7ff44716b9f12c5271576e41f34aec8e.exe" MD5
          3⤵
            PID:320
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2652
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2772
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2640
        • C:\Windows\system32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2720
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2660
        • C:\Windows\system32\cmd.exe
          cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
          2⤵
            PID:2000
            • C:\Windows\system32\sc.exe
              sc stop HTTPDebuggerPro
              3⤵
              • Launches sc.exe
              PID:2864
          • C:\Windows\system32\cmd.exe
            cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
            2⤵
              PID:2608
              • C:\Windows\system32\taskkill.exe
                taskkill /IM HTTPDebuggerSvc.exe /F
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1804
            • C:\Windows\system32\cmd.exe
              cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
              2⤵
                PID:2604
              • C:\Windows\system32\cmd.exe
                cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                2⤵
                  PID:1608
                  • C:\Windows\system32\taskkill.exe
                    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1144
                • C:\Windows\system32\cmd.exe
                  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                  2⤵
                    PID:316
                    • C:\Windows\system32\taskkill.exe
                      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                      3⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2020
                  • C:\Windows\system32\cmd.exe
                    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                    2⤵
                      PID:1816
                      • C:\Windows\system32\taskkill.exe
                        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                        3⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2596
                    • C:\Windows\system32\cmd.exe
                      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                      2⤵
                        PID:2516
                        • C:\Windows\system32\sc.exe
                          sc stop HTTPDebuggerPro
                          3⤵
                          • Launches sc.exe
                          PID:2888
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                        2⤵
                          PID:1748
                          • C:\Windows\system32\taskkill.exe
                            taskkill /IM HTTPDebuggerSvc.exe /F
                            3⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2788
                        • C:\Windows\system32\cmd.exe
                          cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                          2⤵
                            PID:1576
                          • C:\Windows\system32\cmd.exe
                            cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                            2⤵
                              PID:2708
                              • C:\Windows\system32\taskkill.exe
                                taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:836
                            • C:\Windows\system32\cmd.exe
                              cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                              2⤵
                                PID:1536
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                  3⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:952
                              • C:\Windows\system32\cmd.exe
                                cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                2⤵
                                  PID:2140
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1188
                                • C:\Windows\system32\cmd.exe
                                  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                  2⤵
                                    PID:2012
                                    • C:\Windows\system32\sc.exe
                                      sc stop HTTPDebuggerPro
                                      3⤵
                                      • Launches sc.exe
                                      PID:1884
                                  • C:\Windows\system32\cmd.exe
                                    cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                    2⤵
                                      PID:2036
                                      • C:\Windows\system32\taskkill.exe
                                        taskkill /IM HTTPDebuggerSvc.exe /F
                                        3⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1940
                                    • C:\Windows\system32\cmd.exe
                                      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                      2⤵
                                        PID:1376

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • memory/2536-0-0x0000000077460000-0x0000000077462000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/2536-4-0x0000000077460000-0x0000000077462000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/2536-2-0x0000000077460000-0x0000000077462000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/2536-6-0x00000001400BB000-0x00000001407FE000-memory.dmp

                                      Filesize

                                      7.3MB

                                      Download

                                    • memory/2536-5-0x000000013FFD0000-0x0000000141201000-memory.dmp

                                      Filesize

                                      18.2MB

                                      Download

                                    • memory/2536-10-0x000000013FFD0000-0x0000000141201000-memory.dmp

                                      Filesize

                                      18.2MB

                                      Download

                                    • memory/2536-11-0x00000001400BB000-0x00000001407FE000-memory.dmp

                                      Filesize

                                      7.3MB

                                      Download

                                    • memory/2536-12-0x000000013FFD0000-0x0000000141201000-memory.dmp

                                      Filesize

                                      18.2MB

                                      Download