Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 02/08/2023, 07:16
Static task
- static1
Behavioral tasks
- behavioral1: sample autoit3.exe, resource win7-20230712-en
- behavioral2: sample autoit3.exe, resource win10v2004-20230703-en
- behavioral3: sample rsa2.au3, resource win7-20230712-en
- behavioral4: sample rsa2.au3, resource win10v2004-20230703-en
General
- Target: rsa2.au3
- Size: 754KB
- MD5: 9720ca39505213d841f6285a8138411f
- SHA1: ac677d7a325085bbed8becb73374ef9c37eba68e
- SHA256: 82cded542f1769d4962979d307e1eec747ad83a25691227a7395d2286547e02c
- SHA512: 00ac130f350eb25416ec2e1c174e53d759867cdf6859a60022abbc8642111275589b482ab4b2ca25990906a2feb4a5a50e40533b6a273f7a2ab3575e66717fee
- SSDEEP: 12288:BIk8KnbVr8q2kIUUVR47VT6WNfZtbff2IW0nzQNIeBaEl20E:BI6bVgqIuQmvbfWGzgfaElRE
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  description | ioc | Process
  - Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\au3_auto_file | rundll32.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\au3_auto_file\ | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.au3 | rundll32.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.au3\ = "au3_auto_file" | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\au3_auto_file\shell\Read | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\au3_auto_file\shell | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\au3_auto_file\shell\Read\command | rundll32.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\au3_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  - 2864 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  - 2864 | AcroRd32.exe
  - 2864 | AcroRd32.exe
  - 2864 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  - PID 2668 wrote to memory of 2472 | 2668 | cmd.exe | 29
  - PID 2668 wrote to memory of 2472 | 2668 | cmd.exe | 29
  - PID 2668 wrote to memory of 2472 | 2668 | cmd.exe | 29
  - PID 2472 wrote to memory of 2864 | 2472 | rundll32.exe | 30
  - PID 2472 wrote to memory of 2864 | 2472 | rundll32.exe | 30
  - PID 2472 wrote to memory of 2864 | 2472 | rundll32.exe | 30
  - PID 2472 wrote to memory of 2864 | 2472 | rundll32.exe | 30
Processes
- (1) C:\Windows\system32\cmd.exe, PID 2668
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\rsa2.au3
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\system32\rundll32.exe, PID 2472
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\rsa2.au3
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - (3) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe, PID 2864
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\rsa2.au3"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
- MD5: 52564c14c6e4728a9fad0daa0fe7612a
- SHA1: 1b722f0ba55d1c3ea9aaa1654a6e97c00e05b4aa
- SHA256: c3235e33bc494f221d31f2ca24aeba4eed5a632ce50568d65f9df266580adfe4
- SHA512: 5422c19b38cbaf760b80e4da31b778013fcd4b158baad2d42455f5576c59930f2b3c72604993d745a4fc443a75d214f4f7288b66ccb67366efb24f9dd9e26629