Analysis
  max time kernel: 117s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 03/02/2024, 23:31
Static task
  static1
Behavioral task
  behavioral1
  Sample: 8da535a4904529207369a3f35a99969b.jad
  Resource: win7-20231129-en
Behavioral task
  behavioral2
  Sample: 8da535a4904529207369a3f35a99969b.jad
  Resource: win10v2004-20231222-en
General
  Target: 8da535a4904529207369a3f35a99969b.jad
  Size: 68KB
  MD5: 8da535a4904529207369a3f35a99969b
  SHA1: bcfe379ae6b516b646b90d12ef8293769ec44a69
  SHA256: 48c30cfdf9294fe303c3e1efd83ddeba533f6934cb09e48e2a593587c7eed592
  SHA512: 21ee380e89a7d24e83c8b3b9763b42040b65aeb80587e0351fd6b92cebccbd16af229201b1ab7cc0b4e09fb7c200da10aee24591c697039787b68c13ecee3a0f
  SSDEEP: 1536:EjUcFC+MEc9wy7GtW2insgvrGoZNGtW2insgvrGoZb:EjUctoj7ZsArG8ZsArGM
Malware Config
Signatures
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Modifies registry class (9 IoCs)
    description | ioc | Process
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.jad | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file\shell\Read | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file\shell\Read\command | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file\ | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.jad\ = "jad_auto_file" | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\jad_auto_file\shell | rundll32.exe
  Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
    pid | Process
    2644 | AcroRd32.exe
  Suspicious use of SetWindowsHookEx (2 IoCs)
    pid | Process
    2644 | AcroRd32.exe
    2644 | AcroRd32.exe
  Suspicious use of WriteProcessMemory (7 IoCs)
    description | pid | Process | procid_target
    PID 1684 wrote to memory of 3012 | 1684 | cmd.exe | 29
    PID 1684 wrote to memory of 3012 | 1684 | cmd.exe | 29
    PID 1684 wrote to memory of 3012 | 1684 | cmd.exe | 29
    PID 3012 wrote to memory of 2644 | 3012 | rundll32.exe | 30
    PID 3012 wrote to memory of 2644 | 3012 | rundll32.exe | 30
    PID 3012 wrote to memory of 2644 | 3012 | rundll32.exe | 30
    PID 3012 wrote to memory of 2644 | 3012 | rundll32.exe | 30
Processes
  C:\Windows\system32\cmd.exe (PID 1684)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\8da535a4904529207369a3f35a99969b.jad
    Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe (PID 3012)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\8da535a4904529207369a3f35a99969b.jad
      Modifies registry class
      Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2644)
        Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\8da535a4904529207369a3f35a99969b.jad"
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 3KB
  MD5: 614c4ec0cff0a83a577908859847423b
  SHA1: aff197f2ec465ce54f53a9fd0d635ff2918971bb
  SHA256: 8385d51541dd6880c97991bfdfbf66a9367fd0cd8b85aee43ad951da950578e8
  SHA512: 706b565bde8273441b7d91ed429cb050c49ef9f59217e10683863c2bcd1f48aee722cd5f73703f83996e01d252f57010c7d9b991beb3be91329c1a4cd182e8bd