Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 16:00
Static task: static1
Behavioral task: behavioral1
  Sample: 2b4f9846a8e513ca7ac8d7709892319a.jad
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2b4f9846a8e513ca7ac8d7709892319a.jad
  Resource: win10v2004-20231215-en
General
Target: 2b4f9846a8e513ca7ac8d7709892319a.jad
Size: 201KB
MD5: 2b4f9846a8e513ca7ac8d7709892319a
SHA1: 7bc8e1be8aef1cbb1155566d03f993d0c4fefae1
SHA256: 40db1be96e58b449b95f27cf0b6285899679b62625e4930e91650e556c175e52
SHA512: 8b393c5bf1aa6f4366a2d5c65cd7f84de90d020cd7cf25af87b84c490a18a7485b67bede85428b08818bb4d3624267c007de9dfa7c285121c98f32bec193e12f
SSDEEP: 6144:PusOedimiPHsNgD5iJ0v/Bri/xKrDcDshHM7iwb:mEimmMitZv/Bri/xOdM7iwb
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
  description      | ioc                                                                                                                                   | Process
  Key created      | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file                                                   | rundll32.exe
  Set value (str)  | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.jad\ = "jad_auto_file"                                         | rundll32.exe
  Key created      | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell\Read\command                                | rundll32.exe
  Set value (str)  | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created      | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_Classes\Local Settings                                                  | rundll32.exe
  Set value (str)  | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\                                                  | rundll32.exe
  Key created      | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.jad                                                            | rundll32.exe
  Key created      | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell\Read                                        | rundll32.exe
  Key created      | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell                                             | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid  | Process
  2716 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid  | Process
  2716 | AcroRd32.exe
  2716 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                          | pid  | Process      | procid_target
  PID 2480 wrote to memory of 2780     | 2480 | cmd.exe      | 29
  PID 2480 wrote to memory of 2780     | 2480 | cmd.exe      | 29
  PID 2480 wrote to memory of 2780     | 2480 | cmd.exe      | 29
  PID 2780 wrote to memory of 2716     | 2780 | rundll32.exe | 30
  PID 2780 wrote to memory of 2716     | 2780 | rundll32.exe | 30
  PID 2780 wrote to memory of 2716     | 2780 | rundll32.exe | 30
  PID 2780 wrote to memory of 2716     | 2780 | rundll32.exe | 30
Processes

1. C:\Windows\system32\cmd.exe (PID: 2480)
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\2b4f9846a8e513ca7ac8d7709892319a.jad
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe (PID: 2780)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\2b4f9846a8e513ca7ac8d7709892319a.jad
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID: 2716)
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2b4f9846a8e513ca7ac8d7709892319a.jad"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: b821b91ba8a7d2e836e5d9405d880da3
SHA1: ac38584c297cfbd4f9639157f4806a47a61af18f
SHA256: e68f9d09cee12e8ba9939f74deb4d8f6a335f999f48cd7fd21c8a34a5efc8020
SHA512: 020897ff6618393f0e21288cd7895c8d5d886613c98b2c1903ade10a4c34ff406a6d703079c6d973e5d1d2bdbb20b2d86d1dd213c734b8fe34b13da41385bc66