Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

Install.bat

windows7-x64

8

Install.bat

windows10-2004-x64

1

Analysis

  • max time kernel
    166s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/02/2024, 04:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Install.bat

  • Size

    21B

  • MD5

    d5f0fc9e8f9a3ee577d2eb161e8f1cc6

  • SHA1

    96bae652bc27c60712888a48247c683a4bc93e28

  • SHA256

    a426cb7764d384f490700bdfa7304c427bd2c9e5677d3e684eefe5ce587ee3e5

  • SHA512

    4e6ddf9be6413e54b5e5b3e9962b982a07513ecdb3ad75cce5415cc033dc953f4070ccdce4114709027212b82900a4052b443fa5931058a6d705b3691835e916

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 58 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Install.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\system32\PnPutil.exe
      pnputil -i -a *.inf
      2⤵
        PID:2852
    • C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe
      "C:\Program Files (x86)\Microsoft Office\Office14\Groove.exe" /TrayOnly /NoLogon
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
        "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1332
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\SysWOW64\dwwin.exe
          C:\Windows\system32\dwwin.exe -x -s 1332
          3⤵
            PID:1964
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Program Files\Microsoft Games\solitaire\solitaire.exe
          "C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
          2⤵
          • Drops desktop.ini file(s)
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1212
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2188
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe"
            3⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2772
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.0.1840483029\1937750389" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {828fa51f-92e3-4c63-a41c-501fbf84d18b} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 1308 44d9758 gpu
              4⤵
                PID:1676
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.1.1537843068\356880676" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64cdd4f9-4daa-47c6-861f-b343169ea6c5} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 1484 d70a58 socket
                4⤵
                  PID:2868
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.2.283052998\1485832936" -childID 1 -isForBrowser -prefsHandle 2016 -prefMapHandle 2012 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9815e83-a2a9-422f-a649-ce8b1b0d0006} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 2064 1a051358 tab
                  4⤵
                    PID:1976
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.3.1114332734\534193265" -childID 2 -isForBrowser -prefsHandle 1076 -prefMapHandle 1080 -prefsLen 26046 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3659a2de-3d29-46ab-8e2c-7c069ac3503c} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 2436 43fb958 tab
                    4⤵
                      PID:2024
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2772.4.75529781\1126327385" -childID 3 -isForBrowser -prefsHandle 2556 -prefMapHandle 2484 -prefsLen 26046 -prefMapSize 233444 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {864453cd-759b-401b-85bb-4c9af0932022} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" 2568 d62b58 tab
                      4⤵
                        PID:2328

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2BEF7857-0BAE-480D-BE49-4F3F3BE80C1E}.FSD
                  Filesize

                  128KB

                  MD5

                  fdd63c63fba0b4d85d58c059429efa75

                  SHA1

                  fea7edda522beb25560f82af938d9390fdf7f825

                  SHA256

                  372fcfdc5435a50b36ec3cee692e4f029c387282e40151d17a13abb70ebb0fd2

                  SHA512

                  8e849446c00ece98f8bb28212fe8a8d1ad223749d573d0c5dca0f6b44ef42cf5f1cd74e127a88090e9237e78f8d9947110171fcbf3212ce2f03ab1ee6fa57891

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
                  Filesize

                  128KB

                  MD5

                  3d208a48bcba4e37806c1a8bd2916c1a

                  SHA1

                  263ddf6479d090c8324346a0be42f7ea55f7d962

                  SHA256

                  b4ea9c40e4ab86b6de55b7f4651222179ce683433084ecb08c11354077d8ba3d

                  SHA512

                  ffeb93034a28751f144231446a439c54ce79af93acc6aa64b87ee6870d869461e104211274fd3bb69219d4b27ab18c0cb924d2c7f5eacefbea2acf81a3b5cc46

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0648D01C-8FB3-4085-8E35-4F6101EC5B90}.FSD
                  Filesize

                  128KB

                  MD5

                  c9c559b0d9fff52d7aa0346da3ce151d

                  SHA1

                  46040685117c52212a33b965d425abe42f22fc27

                  SHA256

                  92d5505a2605afbe553d00a0f38acb11b5b938fa8eae1c4950df2d88d5fbf01e

                  SHA512

                  bd2ac66e5d9e4c1c50f7ef421877f79b150b90abbc8a63db32a21afb6a9c3b138b85fbee90f187e2009ac275e2113a636dea023e05f9c0b72a8d77c43b497c22

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\259468210.cvr
                  Filesize

                  560B

                  MD5

                  cf0f31fa02ec7115aba882f1ebe4bce6

                  SHA1

                  232f9b4b171e9a0a0ddb7900ac6ebe6f7889c3c7

                  SHA256

                  e322cb41cd5d9f28184988f5400d831bb520e0c03adc3be283893ec26415492a

                  SHA512

                  6b2beae2de1e9a1f28b4e881802790b6f05d09bdde8067a620aa34ae1598c8727ad162c5ef13b27905729d17b5ae149932a7aa97d9f1b8d0811ffb34baee7c77

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\{81ED87DB-92E6-4138-BAD6-72B5E87C06DF}
                  Filesize

                  128KB

                  MD5

                  f9f6fc433197c6857f7ad9b2ff2d333b

                  SHA1

                  283f83a0f3c5daabb2ed2a9e2232697b6045a9d3

                  SHA256

                  a05505a1e5e8feb46b1292da14b6cb7866fde6b43608b358fa0a7690e5d6470f

                  SHA512

                  c689d844ed6334286357b2f0286e20b7b17cf1f6a2c3bd5f6fb0e8b097dfc460983f556efdd3c3d480d55d31b2f00503f5659d540f3b8d37ec75af0261831ff3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m9nu9nej.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  2KB

                  MD5

                  9b47fb0f4dba5a8bc1473d35c78352f7

                  SHA1

                  2e8cc39dcd8ad43b42e89928c868a085dd8854b5

                  SHA256

                  8e022d9431b64dd7279eb3b9c790cddfbf4e126ddfe98408ee0cf4dbd478864e

                  SHA512

                  ad7d04566257b42d4b9c7c14abef35dc56e4bb26351f7821bf871c486e43fff064bca182a59cf1a9da78f6f2647ea8e5d2279df9be465b8a4ca0dac77f69dc03

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m9nu9nej.default-release\datareporting\glean\pending_pings\5c30038a-1e15-4b7c-95c0-60afc38d182a
                  Filesize

                  11KB

                  MD5

                  5e3b54bce78d82e4b9419bc979f651f4

                  SHA1

                  79c8813c36cda8fc6327f2e278e6e1ab4e462206

                  SHA256

                  807e01285855164d92ff8ef690a1f0259554ec212d8972001213407874afe834

                  SHA512

                  a6a14738cb748b5b03aeffccfcd396bdf55ee25d88b241455bb6599bc1b0c79a63c7ac4438752693a85bf87f225f00ab86f659a764813cb1f5dc1f6bd57da5ee

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m9nu9nej.default-release\datareporting\glean\pending_pings\7d44e463-b595-4fe0-82e4-11f1c3886549
                  Filesize

                  745B

                  MD5

                  6b3d7b3c7f34d826c5a3e0677cac90c9

                  SHA1

                  d1d2e30be277f4e0b23d901ed41cfadb67586073

                  SHA256

                  d40f1716d5fa50be60b96fd0fe6f2ef84012f41b86768782b57755bfeab423f6

                  SHA512

                  5209ba2fccd5a3d39f816ac4dd6e85e1d2b6bd1145a43448e762b0bd9ba2ea276131292b89910327286d24540ba85d402fa6449dbb929828d7c60c35adf4b063

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m9nu9nej.default-release\sessionstore.jsonlz4
                  Filesize

                  832B

                  MD5

                  40f7d02536ff9d73290a6c56b57660d5

                  SHA1

                  8198d22986720141860c9dad14306505efe9e6a2

                  SHA256

                  055cd88bf664d90fe8b96fffbea1ae4a0a2e5e3fe057c556f98789e8151db541

                  SHA512

                  b1300dc1a3fcf23e600149e24d31f40e40bee76e1e298dc650dc7b5a526f20fa24c4177d7f873f5983c2a3f258a6a457664127fb61f412c7cce13e14b8b947cf

                  Download Submit

                • memory/1212-90-0x0000000001E30000-0x0000000001E3A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-87-0x00000000006C0000-0x00000000006CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-68-0x00000000006C0000-0x00000000006CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-66-0x00000000006C0000-0x00000000006CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-65-0x00000000006B0000-0x00000000006B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1212-69-0x00000000006C0000-0x00000000006CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-71-0x0000000001E30000-0x0000000001E3A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-72-0x0000000001E30000-0x0000000001E3A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-70-0x0000000001E30000-0x0000000001E3A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-73-0x0000000001E30000-0x0000000001E3A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-77-0x000007FEF6990000-0x000007FEF6AC1000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/1212-79-0x00000000000D0000-0x00000000001D0000-memory.dmp

                  Filesize

                  1024KB

                  Download

                • memory/1212-113-0x00000000006C0000-0x00000000006C2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1212-83-0x00000000006C0000-0x00000000006CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-84-0x00000000006B0000-0x00000000006B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1212-85-0x00000000006C0000-0x00000000006CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-86-0x00000000006C0000-0x00000000006CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-67-0x00000000006C0000-0x00000000006CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-88-0x00000000006C0000-0x00000000006CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-89-0x00000000006C0000-0x00000000006CA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-95-0x000007FEF6990000-0x000007FEF6AC1000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/1212-92-0x0000000001E30000-0x0000000001E3A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-91-0x0000000001E30000-0x0000000001E3A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-94-0x0000000001E30000-0x0000000001E3A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1212-93-0x0000000001E30000-0x0000000001E3A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1656-82-0x00000000040C0000-0x00000000040C1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1656-114-0x0000000001D60000-0x0000000001D70000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1656-64-0x00000000040C0000-0x00000000040C1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1964-62-0x00000000003E0000-0x00000000003E1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2236-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2236-63-0x000000007368D000-0x0000000073698000-memory.dmp

                  Filesize

                  44KB

                  Download

                • memory/2236-2-0x000000007368D000-0x0000000073698000-memory.dmp

                  Filesize

                  44KB

                  Download

                • memory/2236-1-0x0000000000570000-0x0000000000571000-memory.dmp

                  Filesize

                  4KB

                  Download