Resubmissions

  14/05/2023, 22:29   230514-2ehk1aga9s   5
  14/05/2023, 22:26   230514-2cs9qaga8v   8
  14/05/2023, 22:23   230514-2aznqadg58   3
  14/05/2023, 22:19   230514-18hbnaga6y   8
  14/05/2023, 22:15   230514-16m45aga5w   3
  14/05/2023, 22:12   230514-14s8csdg37   5
  14/05/2023, 22:09   230514-121vesdg34   3

Analysis

  max time kernel:   151s
  max time network:  63s
  platform:          windows7_x64
  resource:          win7-20230220-en
  resource tags:     arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted:         14/05/2023, 22:12
Static task: static1

Behavioral task: behavioral1
  Sample:   dump.pcapng
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample:   dump.pcapng
  Resource: win10v2004-20230220-en
General

  Target: dump.pcapng
  Size:   38KB
  MD5:    7b4a96b7864203fa0b1b84703ca55996
  SHA1:   aff893300475cf0a66b7b4f4dec812c0ef8c41c0
  SHA256: 5c87f76fca785e5ccca4c7aa3c3e2ba9fedbc6ee7ae48b3f5d75b3831a211353
  SHA512: 1f4383f798a46c656097f0acf86896885f3f85c674fe2f69ef620f860ad8caebfb7bf337778f8d36d94847fd50f9b97a4f9482d77a08e44aa46d9c5431dc08c4
  SSDEEP: 768:7uC8U+CYAV18LZrHifO6fU3AKwqlGP5IHr:758UTMLFiO6fU7BYyL
Malware Config
Signatures
Suspicious use of NtCreateThreadExHideFromDebugger (4 IoCs)
  pid   Process
  752   taskmgr.exe   (4 entries)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (3 IoCs)
  pid    Process
  1432   taskkill.exe
  1124   taskkill.exe
  1200   taskkill.exe

Modifies registry class (10 IoCs)
  description       ioc                                                                                                                                         Process
  Key created       \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache              rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file\shell                                                rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file\shell\Read\command                                   rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_Classes\Local Settings                                                        rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file                                                      rundll32.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file\                                                     rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.pcapng                                                               rundll32.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.pcapng\ = "pcapng_auto_file"                                         rundll32.exe
  Key created       \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file\shell\Read                                           rundll32.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""   rundll32.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process
  752   taskmgr.exe   (18 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  752   taskmgr.exe

Suspicious behavior: MapViewOfSection (8 IoCs)
  pid   Process
  752   taskmgr.exe   (8 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                         pid    Process
  Token: SeShutdownPrivilege          1776   shutdown.exe
  Token: SeRemoteShutdownPrivilege    1776   shutdown.exe
  Token: SeDebugPrivilege             1124   taskkill.exe
  Token: SeDebugPrivilege             752    taskmgr.exe

Suspicious use of FindShellTrayWindow (29 IoCs)
  pid   Process
  752   taskmgr.exe   (29 entries)

Suspicious use of SendNotifyMessage (29 IoCs)
  pid   Process
  752   taskmgr.exe   (29 entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid    Process
  1872   AcroRd32.exe   (3 entries)

Suspicious use of WriteProcessMemory (22 IoCs)
  description                          pid    Process        procid_target
  PID 1728 wrote to memory of 1028     1728   cmd.exe        29   (3 entries)
  PID 1028 wrote to memory of 1872     1028   rundll32.exe   30   (4 entries)
  PID 1540 wrote to memory of 1776     1540   cmd.exe        34   (3 entries)
  PID 1540 wrote to memory of 1200     1540   cmd.exe        36   (3 entries)
  PID 1540 wrote to memory of 1432     1540   cmd.exe        37   (3 entries)
  PID 1540 wrote to memory of 1124     1540   cmd.exe        38   (3 entries)
  PID 1540 wrote to memory of 752      1540   cmd.exe        40   (3 entries)
Processes

(Indentation shows the parent/child relationship. Each entry lists the image path and PID, then the command line, then the signatures that process triggered.)

C:\Windows\system32\cmd.exe (PID 1728)
    cmd /c C:\Users\Admin\AppData\Local\Temp\dump.pcapng
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe (PID 1028)
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\dump.pcapng
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 1872)
            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\dump.pcapng"
            - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe (PID 1540)
    "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\shutdown.exe (PID 1776)
        shutdown -s -t 9999
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe (PID 1200)
        taskkill.exe
        - Kills process with taskkill

    C:\Windows\system32\taskkill.exe (PID 1432)
        taskkill /?
        - Kills process with taskkill

    C:\Windows\system32\taskkill.exe (PID 1124)
        taskkill /f /im csrss.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskmgr.exe (PID 752)
        taskmgr
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage