Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
30/12/2023, 02:40
Static task
static1
Behavioral task
behavioral1
Sample
0bf7f7695cd1d80315142a5c18149827.jad
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
0bf7f7695cd1d80315142a5c18149827.jad
Resource
win10v2004-20231222-en
General
-
Target
0bf7f7695cd1d80315142a5c18149827.jad
-
Size
53KB
-
MD5
0bf7f7695cd1d80315142a5c18149827
-
SHA1
43986faae200e9926e8281368dfc4d4b1c562de1
-
SHA256
e48bcb097d8a2ec6732d467ca0710cc9bf64aebd521f5233d0e14e73dcfae98d
-
SHA512
e0970d41e9fc811f5dac026654aff07152ed615003706a61145750c968278eb2b72439d312087238c46c298a36543af68802ac2c81b19f48d73d09893f13a756
-
SSDEEP
1536:8Snj0bLB9eeYoDMMGlouHKzmXdjUS5s7hg0bv:8SnQxYoD+nXNUo0bv
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.jad rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.jad\ = "jad_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2716 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2716 AcroRd32.exe 2716 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2980 wrote to memory of 1928 2980 cmd.exe 29 PID 2980 wrote to memory of 1928 2980 cmd.exe 29 PID 2980 wrote to memory of 1928 2980 cmd.exe 29 PID 1928 wrote to memory of 2716 1928 rundll32.exe 30 PID 1928 wrote to memory of 2716 1928 rundll32.exe 30 PID 1928 wrote to memory of 2716 1928 rundll32.exe 30 PID 1928 wrote to memory of 2716 1928 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\0bf7f7695cd1d80315142a5c18149827.jad1⤵
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\0bf7f7695cd1d80315142a5c18149827.jad2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0bf7f7695cd1d80315142a5c18149827.jad"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2716
-
-