Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
23s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
01/02/2024, 14:46 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
setup.json
Resource
win7-20231215-en
windows7-x64
7 signatures
30 seconds
General
-
Target
setup.json
-
Size
28B
-
MD5
f4993c1cb73612115a9393e7f895a543
-
SHA1
550341774c8c36ff1ebd6194df8448013ebb9b80
-
SHA256
878dc7a5b708cbc7e9ab2465587c5a76f70b7e8bcbea871dde7583da6246940d
-
SHA512
d73633e88f3cf504733b856b89a151a38d02f75a02b31684075b76344d72947353b0f70a14ebda03586a952fd6902a5d7734b0cd69382078e7bd85af6b9d6d0c
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3004 taskmgr.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe -
Suspicious use of SendNotifyMessage 34 IoCs
pid Process 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe 3004 taskmgr.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3040 wrote to memory of 2680 3040 cmd.exe 29 PID 3040 wrote to memory of 2680 3040 cmd.exe 29 PID 3040 wrote to memory of 2680 3040 cmd.exe 29
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\setup.json1⤵
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\setup.json2⤵
- Modifies registry class
PID:2680
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3004