Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/03/2024, 21:31

Static task: static1
Behavioral task: behavioral1
  Sample: b83cd525bb6fe770822ce513e7a4b398.jad
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b83cd525bb6fe770822ce513e7a4b398.jad
  Resource: win10v2004-20240226-en
General
Target: b83cd525bb6fe770822ce513e7a4b398.jad
Size: 68KB
MD5: b83cd525bb6fe770822ce513e7a4b398
SHA1: c2b71b787477102370280680a089157ebc450ad2
SHA256: 54b06c035e22e4c4cc2f828acfc99ed138e147b3384e31f4283ee62361d5b561
SHA512: 858a7f72b887a742bb9e0746058463683292db6e1459541cd049bffa89802fa36e16958c55441c8d47df0e1a6da85f132fc31b51e6c6caa92c418e1d38f4bc25
SSDEEP: 1536:EjUcFC+MEcfwy7GtW2insgvrGoZNGtW2insgvrGoZb:EjUctox7ZsArG8ZsArGI
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file\ | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.jad | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.jad\ = "jad_auto_file" | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file\shell\Read | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file\shell | rundll32.exe
  Key created     | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid  | process
  2444 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid  | process
  2444 | AcroRd32.exe
  2444 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                      | pid  | process      | procid_target
  PID 2756 wrote to memory of 2640 | 2756 | cmd.exe      | 29
  PID 2756 wrote to memory of 2640 | 2756 | cmd.exe      | 29
  PID 2756 wrote to memory of 2640 | 2756 | cmd.exe      | 29
  PID 2640 wrote to memory of 2444 | 2640 | rundll32.exe | 30
  PID 2640 wrote to memory of 2444 | 2640 | rundll32.exe | 30
  PID 2640 wrote to memory of 2444 | 2640 | rundll32.exe | 30
  PID 2640 wrote to memory of 2444 | 2640 | rundll32.exe | 30
Processes

[1] C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\b83cd525bb6fe770822ce513e7a4b398.jad
    - Suspicious use of WriteProcessMemory
    PID: 2756

    [2] C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\b83cd525bb6fe770822ce513e7a4b398.jad
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        PID: 2640

        [3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\b83cd525bb6fe770822ce513e7a4b398.jad"
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            PID: 2444
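The process tree and the registry IoCs above tell one story: `cmd /c` was run on a path with an extension that had no registered handler, so the shell fell back to the Open With dialog (`rundll32.exe shell32.dll,OpenAs_RunDLL`), and the dialog's choice of Adobe Reader is what wrote the `jad_auto_file` class, its `.jad` mapping and its `shell\Read\command` value. The sample itself was never executed by a native handler. When triaging such "Modifies registry class" hits it helps to reconstruct, per extension, which executable got bound and whether the writer was the Open With dialog host or some other process (a silent file-association change by a dropped binary is a different matter). The following Python is an added example, not part of this tria.ge report or its sandbox: it consumes Sysmon-style registry events in a pipe-separated format constructed for the example, and the sample events (including the hypothetical `updater.exe` and its PID 3100) are constructed here; only the first two lines mirror this report.

```python
"""Triage helper for 'Modifies registry class' IoCs like the ones in this report.

Added example, not part of the tria.ge report or its sandbox. It reconstructs,
from Sysmon-style registry-set events, which file extension was bound to which
handler executable, and whether that binding came from the Windows "Open With"
dialog (rundll32.exe shell32.dll,OpenAs_RunDLL, as in this report) or from some
other process, which would be a silent file-association change.
The pipe-separated event format and all sample lines are constructed here.
"""
import re
from dataclasses import dataclass


@dataclass
class RegEvent:
    pid: int
    image: str      # process image path
    cmdline: str    # full command line
    target: str     # registry key/value path as the kernel reports it
    value: str      # string data written (empty for bare key creation)


# Constructed sample events: pid|image|cmdline|target|value.
# Lines 1-2 mirror this report (rundll32 OpenAs_RunDLL binding .jad to AcroRd32.exe);
# lines 3-4 are a hypothetical silent change by a dropped binary; line 5 is noise.
SAMPLE_EVENTS = r"""
2640|C:\Windows\system32\rundll32.exe|"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\sample.jad|\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.jad\|jad_auto_file
2640|C:\Windows\system32\rundll32.exe|"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\sample.jad|\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file\shell\Read\command\|"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1"
3100|C:\Users\Admin\AppData\Local\Temp\updater.exe|C:\Users\Admin\AppData\Local\Temp\updater.exe /silent|\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.txt\|txt_auto_file
3100|C:\Users\Admin\AppData\Local\Temp\updater.exe|C:\Users\Admin\AppData\Local\Temp\updater.exe /silent|\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\txt_auto_file\shell\open\command\|"C:\Users\Admin\AppData\Local\Temp\updater.exe" "%1"
1508|C:\Windows\explorer.exe|C:\Windows\explorer.exe|\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings\MuiCache|
"""

# Per-user classes live under HKU\<SID>_Classes (kernel path) or ...\Software\Classes.
_CLASSES = r"(?:_classes|\\classes)\\"
# ".ext\ = <class>" default-value writes map an extension to a ProgID/class.
EXT_MAP = re.compile(_CLASSES + r"(?P<ext>\.[^\\]+)\\?$", re.IGNORECASE)
# "<ext>_auto_file\shell\<verb>\command" holds the executable the shell will launch.
VERB_CMD = re.compile(
    _CLASSES + r"(?P<cls>[^\\]+_auto_file)\\shell\\(?P<verb>[^\\]+)\\command\\?$",
    re.IGNORECASE,
)
# Pull the executable out of a command template such as "C:\...\app.exe" "%1".
EXE_IN_CMD = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        pid, image, cmdline, target, value = line.split("|", 4)
        events.append(RegEvent(int(pid), image, cmdline, target, value))
    return events


def via_open_with(ev):
    """True when the writer is the shell's Open With dialog host."""
    return ev.image.lower().endswith("\\rundll32.exe") and "openas_rundll" in ev.cmdline.lower()


def handler_bindings(events):
    # First pass: learn which extension each *_auto_file class serves.
    class_to_ext = {}
    for ev in events:
        m = EXT_MAP.search(ev.target)
        if m and ev.value:
            class_to_ext[ev.value.lower()] = m.group("ext").lower()
    # Second pass: each shell\<verb>\command write is one handler binding.
    findings = []
    for ev in events:
        m = VERB_CMD.search(ev.target)
        if not m:
            continue
        exe = EXE_IN_CMD.match(ev.value)
        findings.append({
            "pid": ev.pid,
            "extension": class_to_ext.get(m.group("cls").lower()),
            "class": m.group("cls"),
            "verb": m.group("verb"),
            "handler": exe.group("exe") if exe else ev.value,
            "via_open_with": via_open_with(ev),
        })
    return findings


if __name__ == "__main__":
    for f in handler_bindings(parse_events(SAMPLE_EVENTS)):
        tag = "open-with dialog" if f["via_open_with"] else "SILENT ASSOCIATION CHANGE"
        print(f"{f['extension']} -> {f['handler']} (verb {f['verb']}, pid {f['pid']}): {tag}")
```

For this report the helper yields one binding, `.jad -> AcroRd32.exe` via the `Read` verb from PID 2640 with the Open With flag set, which is the "nothing actually ran" outcome; the same shape of event from a process that is not `rundll32.exe` with `OpenAs_RunDLL` on its command line is the case worth escalating.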
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 67461ce3e2defc8d4df95ad8960ea081
SHA1: f021a9e7dbc48e54d91946146ce547aaf4c0d620
SHA256: 1daa25b31fc500ac24612cb6d599c21a3ee8b5b93cd76c1394ac28c5f779df39
SHA512: 57c347d81a4c273853ed2a4bde8b34a0e70b38e3886c3e1b62d08a58ea7f0c18ccdc9a818703f1e19407068dcfff4987987adccdb9b6bbe48349426ee3cf1aee