Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
14/05/2023, 22:29
230514-2ehk1aga9s 514/05/2023, 22:26
230514-2cs9qaga8v 814/05/2023, 22:23
230514-2aznqadg58 314/05/2023, 22:19
230514-18hbnaga6y 814/05/2023, 22:15
230514-16m45aga5w 314/05/2023, 22:12
230514-14s8csdg37 514/05/2023, 22:09
230514-121vesdg34 3Analysis
-
max time kernel
78s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
14/05/2023, 22:15
Static task
static1
Behavioral task
behavioral1
Sample
dump.pcapng
Resource
win7-20230220-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
dump.pcapng
Resource
win10v2004-20230220-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
dump.pcapng
-
Size
38KB
-
MD5
7b4a96b7864203fa0b1b84703ca55996
-
SHA1
aff893300475cf0a66b7b4f4dec812c0ef8c41c0
-
SHA256
5c87f76fca785e5ccca4c7aa3c3e2ba9fedbc6ee7ae48b3f5d75b3831a211353
-
SHA512
1f4383f798a46c656097f0acf86896885f3f85c674fe2f69ef620f860ad8caebfb7bf337778f8d36d94847fd50f9b97a4f9482d77a08e44aa46d9c5431dc08c4
-
SSDEEP
768:7uC8U+CYAV18LZrHifO6fU3AKwqlGP5IHr:758UTMLFiO6fU7BYyL
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
pid Process 1940 taskkill.exe -
Modifies registry class 10 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.pcapng\ = "pcapng_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file\ = "among us" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.pcapng rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\pcapng_auto_file\shell\Read\command rundll32.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1940 taskkill.exe Token: SeDebugPrivilege 1988 taskmgr.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe -
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe 1988 taskmgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1320 AcroRd32.exe 1320 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1052 wrote to memory of 1656 1052 cmd.exe 29 PID 1052 wrote to memory of 1656 1052 cmd.exe 29 PID 1052 wrote to memory of 1656 1052 cmd.exe 29 PID 1656 wrote to memory of 1320 1656 rundll32.exe 30 PID 1656 wrote to memory of 1320 1656 rundll32.exe 30 PID 1656 wrote to memory of 1320 1656 rundll32.exe 30 PID 1656 wrote to memory of 1320 1656 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\dump.pcapng1⤵
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\dump.pcapng2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\dump.pcapng"3⤵
- Suspicious use of SetWindowsHookEx
PID:1320
-
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /f /im csrss.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1988