Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
04/02/2024, 13:23
240204-qm6f9achhj 104/02/2024, 13:18
240204-qkf4kscghk 404/02/2024, 13:13
240204-qf259aadd7 4Analysis
-
max time kernel
68s -
max time network
71s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
04/02/2024, 13:23
General
-
Target
https://gist.github.com/gitlover10258895656/96fca26121a1d4e3cba45cd705394a1d/archive/eaeea7b267e3195dfec73d4046fa3c35e626e299.zip
Malware Config
Signatures
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Runs net.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://gist.github.com/gitlover10258895656/96fca26121a1d4e3cba45cd705394a1d/archive/eaeea7b267e3195dfec73d4046fa3c35e626e299.zip1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_96fca26121a1d4e3cba45cd705394a1d-eaeea7b267e3195dfec73d4046fa3c35e626e299.zip\96fca26121a1d4e3cba45cd705394a1d-eaeea7b267e3195dfec73d4046fa3c35e626e299\step1.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Shell /t REG_SZ /d c:\step2.bat2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD5b347d74575ebc1eb3fa510b0f7e47254
SHA1308966435076e45dab01df1e14e7e6dd1c8059c8
SHA2567b8a4572f2b33cf9ef16089d21ded13a73cedcefae797868b73a85bc9cd3b640
SHA512ca116e716ab8b7a2339e1015773fd73485b66cb1c0d18f952e04bc725e4a0e44915ee794b0bf6bac8f24a1fcde65425f072fbf38f49f2e45caec07e22c6fa7d4
-
Filesize
344B
MD52d9afa56cd376b7e2353469e3cd46c19
SHA19d3f1e36231b602ac8305130862f50a16e0e61ee
SHA256dd0e3f58f7bc191aa6eff0b39976b58c8481fdf76f1fe1c8d34e97327707a49a
SHA5124aca5c5c7ba711beaaf04ef61c9ef17edc0a6127a08bad3c75a8af4686ecf3f167d7295be2a7664e768d1e07a7b942c46be9c5fa94b9e79d37cb4d84b2e91d0b
-
Filesize
344B
MD5c41ce530c92f36f7ceed3f6be84cf6ee
SHA1567ee37d4a98963266496c5af9296c0dabc34c78
SHA256985ab2cd1035b8152c1c61c7bb2d1fb29eaaf7c2482eba0447cb886ec1ad1333
SHA5127529eb4023b07ccbcae505d628e66d93871f656468398ba1b7c9d454816eb2ca46283acc05eca5d3b4b8fe31d96a000dfeb9853ca51e7c3772dfd564a4c13abf
-
Filesize
344B
MD54ca1f65cd433139af6cb33007fcf22ac
SHA15a67e529a6073e04f07ff5e70a33a44a46846fc7
SHA256e003b009b36f9eea4fce7faf97139be429b92f7c77daa9bbb8b083a9b02ad4a0
SHA512e0b9d8a03e60ddd8bb7335bf017c95ff1d915796b7501fc959e1ee1987fbf1e6864a91e969492cb96c070868a531e45333e66c1189154efbaacefecaa92ab339
-
Filesize
344B
MD532ae045b0997240cfc9da6cdbdb3127b
SHA18ff6ee8d272b1182a447e485f4ad37bd0ceeb57a
SHA2569f6ffcc0ad939237de8a16ddb5e7556f92f91709718ff08c7e7bdb897cdef6ec
SHA5123b8d3614b6eb264dd4a9e2318263682f20d8b5e25a568eb742500a676601b350c94843ef7832484d5529ce8f0416c4e2ed132f5d7331bb0990516c5e258cee5f
-
Filesize
344B
MD54bd3c69ee55c728656ef62147cc67c13
SHA1a624c9adf0126579e3b93ea6af5e464865a6e90a
SHA256089a234b14ecbf8ac1ed2cb1ffc9d610a486de84979740b7682c3a3ae6850cd0
SHA5122a28d71d20be8df60533dfaeaefdac8939c44ace2449a615eeb8003f29c8159e4b83792c59b41ed2263482de8460c99c7f956edfa56d3a7370dde0462178339b
-
Filesize
344B
MD5e7cc5e47c0ac0220fad28792d48db3cc
SHA1299974ee8fa594f49856abdf0c8f5dc025d4b1b2
SHA2561a47e0dc54151df97fe193cfc3c47134d7e1b609b26bd45cd4bc4fa56415f202
SHA5126b725ff690e9a8f57ddf105ad99e3f27b5c7a04a9171da88b41d22b0ea75df88a479d2ac1cf3b996358998312f1dcf4b27877bb4d4137679f5c8d94aa05f3a56
-
Filesize
344B
MD5bd4251bacf34bd998aaecf7bdf27f63e
SHA1ddf937da43bdf8a93017f0b3ffdbff2c1b15b31d
SHA25682963173b6325564c74f4933acd2eefb49fbb099257451d3188f09ea5eefe209
SHA512311c7cc28a275dc71db966ef62f8d1ed7c1b473551e448b670364408ec246b46f063d115f032998f6fe4ec62efab21c14872f66acf9b3723ee5aebdd9315a39f
-
Filesize
344B
MD5e0b0a1a0e7f07f4306b92a4e3097ac9e
SHA1428dc7bd46738a1394a8dcf087171442f6d4c64e
SHA256003a894bc49060f9f34ea8e9dff2e1d58b41d673072378894fcd79d8f4d95169
SHA5120812b4f5fb7a19b3079954c83ca170fba47fd5caec4daf2a028ed5252552c0989b68306dff8766f995a25e3ef15cfc12a43ee08349b628ebaa90454dca7e7d42
-
Filesize
344B
MD54ba97bac85ad24de368c15a8267e43de
SHA19c8682e06c5cf0e7f1abdc242b7dc7c20d088650
SHA25633f2aeba41704d28dfc2e6d590f6791a1c042abf643d152c2a8f1760094d87d6
SHA5124f7ae4cb008b2a3508369dd97e7e11847af41738e541b4492f870a5bbadea0aa10c96167cfc2027b69bcc2da0fecf697048546b4ff685be6ea926142286fd21e
-
Filesize
344B
MD5399e353bfb9f459c49865455cbe600a5
SHA106dad95d4af7c4cf00ca7cc49c0a885617cc3450
SHA256c992988edc40e43af77d2bd26021085248c5f4c649401a8811364f2ce5361cda
SHA512641b6e472aa08a5ce772330f94ba908951b67df8c21083a98f397d05a3e4b993de8d892933f08009eecdc89caf6448d90c676f31908eaf6b7550c996ca2f2ee8
-
Filesize
242B
MD53a5b51d9a414c3a820578cf6c29b4223
SHA1573cfcff92c4c40bb2285f4efad3bfa3b24a61bc
SHA256e497287a60e853c9b9cead61291939e4b7794b4aa3e5ed489bc30909e2bd4623
SHA512638549dde53056a5c7684ae3335f140e9934753582254106cf90a3b75c360e68e2240a8ebc5ca75d57ce3f48cab6ccb5dd883c87fa0f8929ed4ed4954d6cc891
-
Filesize
1KB
MD5bf257f02ce0e9a2eba3ef3659eca1f5f
SHA183c2a7397cb4d7a95bbb4d0d9bad6a9619999847
SHA2560d5b9bea3e0dd8494ee9d54906958634b528d1c478616cd639219caa940867c8
SHA512aff34415592506b6ae6cf1aa1e1bcdbb107687732bca93bc12c57be0535a1bf51d7d79d58316f3205296af2bfd3bc988f4b606a8d9cfc87ae27fbc43dd902ac7
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06