Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 12:11
Static task
static1
Behavioral task
behavioral1
Sample
353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe
Resource
win10v2004-20240802-en
General
-
Target
353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe
-
Size
977KB
-
MD5
fea83f260f2972644d1dd41309f41200
-
SHA1
859123bbf12e66d283c9a991f1ee62e8f7061ac5
-
SHA256
353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270
-
SHA512
96d6676794b3a19506749ac7723a028a4c5f199ee414f80811f7cf01b4e2376917d444a0e0dc31d95439d5f41a2b0ba47fd05abac147912ee295a026410fa4bc
-
SSDEEP
24576:QqNfcE3qokV5EkITpoWZHUkAjVhMfo9NWtxIVSfb+PP4Iyv10cv:QSkWFEEXyZVhf94txePOecv
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tigzk = "C:\\Users\\Admin\\AppData\\Roaming\\Tigzk.exe" 353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3052 353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3052 353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe Token: SeDebugPrivilege 3052 353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3052 wrote to memory of 5208 3052 353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe 30 PID 3052 wrote to memory of 5208 3052 353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe 30 PID 3052 wrote to memory of 5208 3052 353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe"C:\Users\Admin\AppData\Local\Temp\353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3052 -s 5962⤵PID:5208
-