Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 14/10/2023, 03:42
Static task: static1
Behavioral task: behavioral1
  Sample: reverseshell.py
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: reverseshell.py
  Resource: win10v2004-20230915-en
General
Target: reverseshell.py
Size: 2KB
MD5: 5b0f7c55b32f74966ca3593dc236c63c
SHA1: 498b5e48f88f6aa4a871a0c1dfbbe6f5e75a8a53
SHA256: 5dc44dc6cc37deb0a6bc5f053163b9eb5b90b9f28ab34c0d9751813152b87c04
SHA512: 1ff33b0e766f806c60e1cb6adeea653ef70b4872f736122744f64a020ec4d694750bf4efe106ca95fb69ca6a4266bd1db066a0cea751e0167e45b4dac45dedb9
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\py_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\py_auto_file\shell | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\py_auto_file | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\py_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.py | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.py\ = "py_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\py_auto_file\shell\Read\command | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2684 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2684 | AcroRd32.exe
2684 | AcroRd32.exe
2684 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 1672 wrote to memory of 2768 | 1672 | cmd.exe | 29
PID 1672 wrote to memory of 2768 | 1672 | cmd.exe | 29
PID 1672 wrote to memory of 2768 | 1672 | cmd.exe | 29
PID 2768 wrote to memory of 2684 | 2768 | rundll32.exe | 30
PID 2768 wrote to memory of 2684 | 2768 | rundll32.exe | 30
PID 2768 wrote to memory of 2684 | 2768 | rundll32.exe | 30
PID 2768 wrote to memory of 2684 | 2768 | rundll32.exe | 30
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\reverseshell.py
   PID: 1672
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\reverseshell.py
      PID: 2768
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\reverseshell.py"
         PID: 2684
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: ec43d2a6292bfada7e4b22d21b8754c2
SHA1: 0de67b697441f4380803553dda9620854dc7232b
SHA256: 9cc78d8bc08fe6c58f39c19238e570c95cb7d362d2cf0ee71727b098ad4e3819
SHA512: 083fea4948cb62a9265c990930c533fa2cc7c0a7be627322da3804d3f04f2c3359cfdf533b1227278011dd546141485e95036d3ab684028e5fea045fcfb7bdf8