Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 133s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 23/02/2024, 16:08
Static task: static1
Behavioral task: behavioral1 (sample UEPrereqSetup_x64.7z, resource win7-20240220-en)
Behavioral task: behavioral2 (sample UEPrereqSetup_x64.7z, resource win10v2004-20240221-en)
Behavioral task: behavioral3 (sample UEPrereqSetup_x64.exe, resource win7-20240221-en)
Behavioral task: behavioral4 (sample UEPrereqSetup_x64.exe, resource win10v2004-20240221-en)
General
Target: UEPrereqSetup_x64.7z
Size: 39.9MB
MD5: b7a5dc1dce76ca736ea878b65c690f52
SHA1: 44b0c01fcd790f663b66952acb18e11b9cae9e45
SHA256: eed3682106a52740f17f27bfb177acb0ee88888096f93af0c14a2d5ae52e9e1d
SHA512: cdfa3b04961108d91fd38113ba6b9fd11298364baedfac868e383cad62054868d816dae629f4755b25193154de56f1a46654da5505cde0deefe39a962bf9b151
SSDEEP: 786432:ovGWzOxPTuIaKO0SuzSeChLhnF3cTDprPLAEi2hvO7:ooaKKuzSeC1dF3cTD9DA1IvO7
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 2980, process 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeRestorePrivilege, pid 2980, process 7zFM.exe
  Token: 35, pid 2980, process 7zFM.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 2980, process 7zFM.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2192 wrote to memory of 2980, pid 2192, process cmd.exe, procid_target 29
  PID 2192 wrote to memory of 2980, pid 2192, process cmd.exe, procid_target 29
  PID 2192 wrote to memory of 2980, pid 2192, process cmd.exe, procid_target 29
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.7z
   PID: 2192
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\7-Zip\7zFM.exe
      Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.7z"
      PID: 2980
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow