Analysis
  Max time kernel:   62s
  Max time network:  65s
  Platform:          windows7_x64
  Resource:          win7-20220812-en
  Resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  Submitted:         19/12/2022, 21:06
Static task:      static1
URLScan task:     urlscan1
Behavioral task:  behavioral1
  Sample:    https://github.com/Ataraxia1339/CommandGen/releases/tag/v2.0
  Resource:  win7-20220812-en
Behavioral task:  behavioral2
  Sample:    https://github.com/Ataraxia1339/CommandGen/releases/tag/v2.0
  Resource:  win10v2004-20221111-en
General
  Target:  https://github.com/Ataraxia1339/CommandGen/releases/tag/v2.0
Malware Config

Signatures
Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  PID   Process
  2296  CommandGen-v2.0.exe
  2364  CommandGen-v2.0.exe

Loads dropped DLL (8 IoCs)
  PID   Process
  1200  Process not Found
  2364  CommandGen-v2.0.exe  (7 entries)

Detects Pyinstaller (4 IoCs)
  Resource                                     YARA rule
  behavioral1/files/0x000c0000000133ab-54.dat  pyinstaller
  behavioral1/files/0x000c0000000133ab-55.dat  pyinstaller
  behavioral1/files/0x000c0000000133ab-57.dat  pyinstaller
  behavioral1/files/0x000c0000000133ab-59.dat  pyinstaller

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Description        IoC                                                                                Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   firefox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe

Modifies registry class (2 IoCs)
  Description  IoC                                                                                                                        Process
  Key created  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings                                          firefox.exe
  Key created  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache  firefox.exe

NTFS ADS (1 IoC)
  Description   IoC                                                          Process
  File created  C:\Users\Admin\Downloads\CommandGen-v2.0.exe:Zone.Identifier  firefox.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  1360  firefox.exe  (2 entries)

Suspicious use of FindShellTrayWindow (4 IoCs)
  PID   Process
  1360  firefox.exe  (4 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
  PID   Process
  1360  firefox.exe  (3 entries)

Suspicious use of SetWindowsHookEx (6 IoCs)
  PID   Process
  1360  firefox.exe  (6 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  Description                       PID   Process      procid_target  Entries
  PID 1512 wrote to memory of 1360  1512  firefox.exe  27             10
  PID 1360 wrote to memory of 384   1360  firefox.exe  29             3
  PID 1360 wrote to memory of 1708  1360  firefox.exe  30             44
  PID 1360 wrote to memory of 1576  1360  firefox.exe  31             7
Processes
  C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1512)
    Command line:  "C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/Ataraxia1339/CommandGen/releases/tag/v2.0
    Signatures:    Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1360)
      Command line:  "C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/Ataraxia1339/CommandGen/releases/tag/v2.0
      Signatures:    Checks processor information in registry; Modifies registry class; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 384, gpu)
        Command line:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.0.400937706\2077294940" -parentBuildID 20200403170909 -prefsHandle 1176 -prefMapHandle 1168 -prefsLen 1 -prefMapSize 219796 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 1252 gpu
      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1708, tab)
        Command line:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.3.1952350667\507789013" -childID 1 -isForBrowser -prefsHandle 1740 -prefMapHandle 1736 -prefsLen 156 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 1752 tab
      C:\Program Files\Mozilla Firefox\firefox.exe  (PID 1576, tab)
        Command line:  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.13.1019359244\1667999675" -childID 2 -isForBrowser -prefsHandle 2696 -prefMapHandle 2692 -prefsLen 6938 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 2708 tab
  C:\Users\Admin\Downloads\CommandGen-v2.0.exe  (PID 2296)
    Command line:  "C:\Users\Admin\Downloads\CommandGen-v2.0.exe"
    Signatures:    Executes dropped EXE
    C:\Users\Admin\Downloads\CommandGen-v2.0.exe  (PID 2364)
      Command line:  "C:\Users\Admin\Downloads\CommandGen-v2.0.exe"
      Signatures:    Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize:  11KB
  MD5:       740172fbadaf5ec1c087864972779dd4
  SHA1:      24dc24efe6b823b3dab6abdac21948096e784a7c
  SHA256:    02c9f0158565034baa66d94ab3bd7b35732c871933ce2b85442639dc9e2ba721
  SHA512:    e59b894eb84ade8943defe17c251087580e882565b57c160df137f6e6a957fc296f6f14e853350db2c17b96d7016cc544f7fde5fc14762c9c90ac19e1f7941dc

  Filesize:  11KB
  MD5:       e6f48279f9721c34af7b74145dd888a8
  SHA1:      a72065e72185db0127717eb8cc70f15feb8de68a
  SHA256:    c6c4529917c20ef5d1c13adefcd3d594198372b765e3766190ce35ec0f9cabc2
  SHA512:    72beb368c205a909b363839a4553fc780e536663df2f19095819f1048d9ebe07de6d3b9b1859143703be233be64537fb117d55a9a9fe4bf7d56f812e71fcf49f

  Filesize:  14KB
  MD5:       38edcee1dc735c2259604545fd580aa9
  SHA1:      60fe52917c0f94f89cd46e1fc4e5924b79d6f0fb
  SHA256:    ce6855146cba2a1471cb356ae5e249d668243bc5369ea84d2d1902789f7805b3
  SHA512:    1ffe5328bcd91c22a8eae3b3c696a08a46937c359bf8e52497f2ba353ef4b1e791794a878597c8d05212ab7bf15b8105d695280eb7e69fe9071ffd4c373b981f

  Filesize:  12KB
  MD5:       2f17d6384b532dfc41b8d80d2605c101
  SHA1:      9abd5e43ede2d3c29ce4d394b5259ea25727bd90
  SHA256:    1410ca328d46dd446857a6d89a191eba28bb169f1e0ed12033af3ff5d03dc5a6
  SHA512:    9ea3878cb0ae958d5ac50c238eb96289ffb47f99beb9053ed6e02f548cc71352b91a8ffa0010ed2a0f9b19b40a96927f8d121208e7339598ea91cdb108c7957f

  Filesize:  12KB
  MD5:       202babbfc439861c13377e652a1b5a89
  SHA1:      e68ca975d19c9d6fb6575abc8400d6e8d12814d2
  SHA256:    dec0cb4e7b45d9881179f4ec40b19420edfa8f1e2ef3c7bb25a39a67a0773d46
  SHA512:    1dd136d4a04096346a6c1606d9da456ee3638386fe1303b51924f9dd39dff0a5cff1c4170a82d2e7d7b409d303581f55b38166025222b4746165c029534234c0

  Filesize:  4.3MB
  MD5:       316ce972b0104d68847ab38aba3de06a
  SHA1:      ca1e227fd7f1cfb1382102320dadef683213024b
  SHA256:    34f0e44a0d089587e1ea48c1cc4c3164a1819c6db27a7c1b746af46d6388c26e
  SHA512:    a11da6590a71d977c62b1c26c275763413f6a455e6d85fa052654d05d845dbbe8122bbd8e0a23887f9873d4291382ebbd5df19674ad2dda1cf0ff3206054939b

  Filesize:  986KB
  MD5:       ce2f9a4268bb6bf909978b1f3d2d7486
  SHA1:      fd96b9a0f05325d5c1a01efc0854a4efe359424f
  SHA256:    d2eb64172cdf893cd980dced96d7077578fbd22dcbeaec357ecdf865aa85a8dd
  SHA512:    c66e39f16a4fb04c3d57771ac60bf979f55933e7a33ee4675de5de10819f2f5689927ec09a74724797f058e35b66093f0a03a1235f6298d7016016dc12b5ea7a

  Filesize:  9.2MB
  MD5:       a19b65ddea074ebbae924703fda99919
  SHA1:      64c0b6c222ac68e8c9049dbb5c61f0aced5cad10
  SHA256:    d7fc3306baae253a5e933ae3487e1d247e0d056169dbfb195b934a0cdfef9a1c
  SHA512:    4549dfed4a43bf8c7972eeff716b36b4eb2ddcd27ec8aeb5b1a9200b88af1b976358b95ce3760f6c5acde54271d9d8f5d13eeec7768f73dfa5f822f2db9855ae