Analysis
max time kernel: 38s
max time network: 19s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01/02/2024, 20:46
Behavioral tasks
behavioral1: sample Gusnabo.exe, resource win7-20231215-en
behavioral2: sample Gusnabo.exe, resource win10v2004-20231222-en
behavioral3: sample Gusnabo.pyc, resource win7-20231215-en
behavioral4: sample Gusnabo.pyc, resource win10v2004-20231222-en
General
Target: Gusnabo.pyc
Size: 32KB
MD5: 30868f3b74e81f564aff3a4d18314b48
SHA1: 84f08f784808d881434af14cc98f7bb5a46b6ef2
SHA256: 3e86aeed09b78f79e8b0782134dfd62e56c854b042eedcbef7ac105402934e90
SHA512: d659b2c070a1408b7d6d90cfeb7ba04b3b99807235fad43de8012034f7bc8c78d04e4d40a78fa70ad16a8c0dfbd9c3fc8d0e3ceb0d9df22738b1b8bac8d6b5f8
SSDEEP: 768:L83nrm2VsfNEiyAuAfKFMrRtfqtvEwS7bnjerAroaHDsIAvN8YC06X:I3r0e3aKFcfDwS7fOPviYD6X
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_Classes\Local Settings
  process: rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2068 wrote to memory of 2832
  pid: 2068
  process: cmd.exe
  procid_target: 29
  (the same event is reported three times)
Processes
1. C:\Windows\system32\cmd.exe (PID 2068)
   command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Gusnabo.pyc
   signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (PID 2832)
      command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Gusnabo.pyc
      signatures: Modifies registry class

Note on this tree: shell32.dll,OpenAs_RunDLL is the Windows "Open with" dialog. The sandbox image has no handler registered for the .pyc extension, so `cmd /c Gusnabo.pyc` only produced that dialog and none of the bytecode in Gusnabo.pyc was executed in this task. The WriteProcessMemory signature (cmd.exe creating rundll32.exe) and the registry-class signature (a key created under the user's _Classes\Local Settings hive by rundll32.exe) are artifacts of the dialog launching, not behaviour of the sample. A Python interpreter matching the bytecode's version, or static inspection of the .pyc, is needed to learn what the file does.