Resubmissions

  • 08/09/2024, 11:54 · 240908-n2yc3sxarb · 8
  • 08/09/2024, 11:49 · 240908-nze4qavalp · 1
  • 08/09/2024, 11:49 · 240908-ny5yravakl · 1
  • 08/09/2024, 11:48 · 240908-nysneswhme · 1
  • 08/09/2024, 11:43 · 240908-nvnkastglm · 8

Analysis

  • max time kernel: 161s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 08/09/2024, 11:54

General

  • Target: F_Key_Sender.exe
  • Size: 234KB
  • MD5: 5d168d9c5151ac785599cdae87544cac
  • SHA1: a8348defb42f5e9ee127d48fc74e7f362ae2edd4
  • SHA256: 200ddcab89956d3d97e74c45765e109e6ee0a18622cdcfbd21844c1676bdc562
  • SHA512: d27ca55733be3eeaf4d92112bf4051d69922ed26fd04efdb291084045c14ea881e741300b9317f568ad34392d47daca908f32d8c5398a0a5f6ed8cbc3fa3ed9a
  • SSDEEP: 6144:yTPeKCgLOWPAPqF8GLFKCgLOWPAPPFkGh+:yTlCguP28G4CguPNkG0

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\F_Key_Sender.exe
    "C:\Users\Admin\AppData\Local\Temp\F_Key_Sender.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2940
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\system32\takeown.exe
      takeown /f Desktop
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2848
    • C:\Windows\system32\icacls.exe
      icacls Desktop /grant everyone:(f)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell wininit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\system32\wininit.exe
        "C:\Windows\system32\wininit.exe"
        3⤵
        PID:560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2544-12-0x000000001B6F0000-0x000000001B9D2000-memory.dmp (Filesize 2.9MB)
  • memory/2544-13-0x0000000001E90000-0x0000000001E98000-memory.dmp (Filesize 32KB)
  • memory/2940-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp (Filesize 4KB)
  • memory/2940-1-0x000000013F0E0000-0x000000013F11C000-memory.dmp (Filesize 240KB)
  • memory/2940-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp (Filesize 9.9MB)
  • memory/2940-3-0x000007FEF5980000-0x000007FEF636C000-memory.dmp (Filesize 9.9MB)
  • memory/2940-4-0x000007FEF5983000-0x000007FEF5984000-memory.dmp (Filesize 4KB)
  • memory/2940-5-0x000007FEF5980000-0x000007FEF636C000-memory.dmp (Filesize 9.9MB)
  • memory/2940-6-0x000007FEF5980000-0x000007FEF636C000-memory.dmp (Filesize 9.9MB)
  • memory/2940-7-0x000007FEF5980000-0x000007FEF636C000-memory.dmp (Filesize 9.9MB)