Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system -
submitted
31/10/2023, 20:10
Static task
static1
Behavioral task
behavioral1
Sample
image005.gz
Resource
win7-20231025-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
image005.gz
Resource
win10v2004-20231020-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
image005.gz
-
Size
2KB
-
MD5
afc9d946caf54a2dfeef9d0aa8e47c38
-
SHA1
2fbaf78ded8beef5e620f94c0c35d92ff6a8decc
-
SHA256
8d5599a2f2f228730787db9cce91c745798fc12034b167f5318ddd0c1b656167
-
SHA512
4fa8567c8b651d0738f6b4b2e802d44159a59eda3ee6ae9115e35e7228b3d68d38f6d2c5486dd76e76567dcff37926f7a6833b38203c526947866b89e5629778
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\.gz\ = "gz_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 88003100000000005957868e110050524f4752417e310000700008000400efbeee3a851a5957868e2a0000003c000000000001000000000000000000460000000000500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c0031000000000059572d891000372d5a697000380008000400efbe59572d8959572d892a0000000e03010000000200000000000000000000000000000037002d005a0069007000000014000000 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\gz_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\gz_auto_file\shell\open rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\gz_auto_file\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zG.exe\" \"%1\"" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\gz_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\.gz rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\gz_auto_file\shell\open\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_Classes\Local Settings rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\gz_auto_file\ rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Applications\7zG.exe rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Applications\7zG.exe\shell\open rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Applications\7zG.exe\shell\open\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Applications\7zG.exe\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Applications\7zG.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zG.exe\" \"%1\"" rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2656 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeRestorePrivilege 2412 7zG.exe Token: 35 2412 7zG.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 2656 rundll32.exe 2656 rundll32.exe 2656 rundll32.exe 2656 rundll32.exe 2656 rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2156 wrote to memory of 2656 2156 cmd.exe 29 PID 2156 wrote to memory of 2656 2156 cmd.exe 29 PID 2156 wrote to memory of 2656 2156 cmd.exe 29 PID 2656 wrote to memory of 2412 2656 rundll32.exe 30 PID 2656 wrote to memory of 2412 2656 rundll32.exe 30 PID 2656 wrote to memory of 2412 2656 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\image005.gz1⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\image005.gz2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" "C:\Users\Admin\AppData\Local\Temp\image005.gz"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2884