Analysis
- max time kernel: 146s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 01/01/2024, 15:06
Behavioral tasks
- behavioral1: sample f74a126ba4569255303a09f0d338d13c845f55d1887e343b32b7b35ff47d183f.exe, resource win7-20231129-en
- behavioral2: sample f74a126ba4569255303a09f0d338d13c845f55d1887e343b32b7b35ff47d183f.exe, resource win10v2004-20231222-en
- behavioral3: sample electron.pyc, resource win7-20231215-en
- behavioral4: sample electron.pyc, resource win10v2004-20231215-en
General
- Target: electron.pyc
- Size: 49KB
- MD5: bb740a4f65e028e5d1690322ab1818ff
- SHA1: 637c1ccdda0bf70e6abc210cb752d9320c9dd8cb
- SHA256: 2ac114d284e3385b560ba6219ce7ee3d383f8476143cdc2acd5c53e842184296
- SHA512: 5a7304dbd3b6f4964855329387c94d3e26ced7d1311f36844cd5e1ee0f07d51d28e0757ce2c38593d37c772e7610a63a8b9009ab07c8226ed34feddcfe529620
- SSDEEP: 1536:t9MWmRrCiwIgg7YVFZLSCuj0yp/AqDlhLxaUSgeC:cEiRz2FZLSCsJ5qUaC
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.pyc | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\pyc_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\pyc_auto_file\ | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  756 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  756 | AcroRd32.exe
  756 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2896 wrote to memory of 2596 | 2896 | cmd.exe | 30
  PID 2896 wrote to memory of 2596 | 2896 | cmd.exe | 30
  PID 2896 wrote to memory of 2596 | 2896 | cmd.exe | 30
  PID 2596 wrote to memory of 756 | 2596 | rundll32.exe | 32
  PID 2596 wrote to memory of 756 | 2596 | rundll32.exe | 32
  PID 2596 wrote to memory of 756 | 2596 | rundll32.exe | 32
  PID 2596 wrote to memory of 756 | 2596 | rundll32.exe | 32
Processes
- C:\Windows\system32\cmd.exe (PID 2896)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\electron.pyc
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2596)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\electron.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 756)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\electron.pyc"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 06b34cea5f397aa422b6cdb0fed9abdc
  SHA1: 9e7e8a725525d9cc65f7a4f8925778cf5062f712
  SHA256: 881fb817b0e11b1148b78bf986c9d2ea4748a1cfcfbd22ede6afa59d00d29a78
  SHA512: 8108500ec3769f7cac5c4680963857cb86ddbc21ad0e8c29a7cf264b038931a70382eeb560226656d4ddcbf9af6f6167cd27c2aadab9084ee35cab2d7d8a56dc