Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 132s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 06/03/2024, 02:23
Static task
  static1

Behavioral tasks
  behavioral1: 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe on win7-20240221-en
  behavioral2: 69ba83fdc3bdef1eeb01835286651ef246968efd1d34c318afa0d3b6f8387923.exe on win10v2004-20240226-en
  behavioral3: Malemutes/Nonprecedent.ps1 on win7-20240221-en
  behavioral4: Malemutes/Nonprecedent.ps1 on win10v2004-20240226-en

The analysis below is the win7-20240221-en run of Malemutes/Nonprecedent.ps1 (behavioral3), as the platform, resource and Target fields indicate.
General
  Target: Malemutes/Nonprecedent.ps1
  Size: 52KB
  MD5: d70cc7a86c607e5511048fe2b3242bf9
  SHA1: 7533500bfb680dc5fcea3e37fd2eca0385990376
  SHA256: 9be2c4093ac767d9ec1aa035a7a8139fac9347068f303e1ef583b4d1f8dedd2b
  SHA512: 05052e82d38f94ff7eb6ed89a7fd9041c20d03eba7d6d193c3fe85c628605c70fa8cb2dbb1e44ee721c8143bbcb6e5caf72c24acb134628d967e757b18d158ff
  SSDEEP: 768:U2QEBkOK0lDYsewm+sJ1IpcWeTsoacVjEiaiEpacvbFDchyck95ipSDqgSVP:H+0lDYqZsbwxrcVjWircjkzk95ip7P
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created by explorer.exe (PID 2708): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components

Modifies registry class (5 IoCs)
  Key created by explorer.exe: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (data) by explorer.exe: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
  Set value (data) by explorer.exe: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
  Key created by explorer.exe: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings
  Key created by explorer.exe: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell

  Caveat: every IoC in the two registry signatures above is attributed to explorer.exe (PID 2708), which appears in the process tree as a root process alongside powershell.exe rather than as a child of the sample. The BagMRU, NodeSlots and MRUListEx values are the shell's folder-view (ShellBag) state, so these hits are desktop-shell activity in the sandbox, not evidence that the script touched the registry.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 2228 powershell.exe (8 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2708 explorer.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Token: SeDebugPrivilege, PID 2228 powershell.exe (1 hit)
  Token: SeShutdownPrivilege, PID 2708 explorer.exe (12 hits)

Suspicious use of FindShellTrayWindow (29 IoCs)
  PID 2708 explorer.exe (29 hits)

Suspicious use of SendNotifyMessage (22 IoCs)
  PID 2708 explorer.exe (22 hits)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2228 powershell.exe wrote to memory of PID 2920 (3 hits, procid_target 29)
  PID 2228 powershell.exe wrote to memory of PID 2568 (3 hits, procid_target 31)

  Of these, the only indicators attributable to the script itself are the SeDebugPrivilege request, the process enumeration and the WriteProcessMemory hits on its own children, all from powershell.exe (PID 2228); the FindShellTrayWindow, SendNotifyMessage, GetForegroundWindow and SeShutdownPrivilege hits are all explorer.exe.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The report lists no IoC for this signature, so no task name or action is recorded on this page.
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2228, root)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Malemutes\Nonprecedent.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 2920, child of 2228)
    Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    (cmd's caret escaping turns ^^ into a single ^, so set /A evaluates 1 XOR 0, a no-op arithmetic probe)

  C:\Windows\system32\wermgr.exe (PID 2568, child of 2228)
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2228" "1124"
    (Windows Error Reporting launched out-of-process for PID 2228, i.e. the PowerShell host reported an error during the run)

C:\Windows\explorer.exe (PID 2708, root)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
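The process tree above is the part of this report that is directly usable for detection: a PowerShell host launched with -ExecutionPolicy bypass on a script under the user's Temp directory, which then spawns cmd.exe. The following is an added example, not tria.ge output or code from the sample, showing that logic run over Sysmon-style process-creation records. The records are constructed from the tree on this page; the parent PIDs of the two root processes are assumptions, since the report does not state them.

```python
"""Process-tree detection over constructed Sysmon Event ID 1 style records.

Added example based on the Processes section of the tria.ge report above;
it is not part of the report and does not reproduce the sample's code.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, trimmed to the fields the rules need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in the report. The ppid values of the two
# root processes (1500 and 1000) are assumptions; the report does not show them.
SAMPLE_EVENTS = [
    ProcEvent(2228, 1500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File "
              r"C:\Users\Admin\AppData\Local\Temp\Malemutes\Nonprecedent.ps1"),
    ProcEvent(2920, 2228, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'),
    ProcEvent(2568, 2228, r"C:\Windows\system32\wermgr.exe",
              r'"C:\Windows\system32\wermgr.exe" "-outproc" "2228" "1124"'),
    ProcEvent(2708, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
]

# powershell.exe accepts abbreviated switch names, so -ep and -exec are matched
# alongside the full -ExecutionPolicy; the list is deliberately not exhaustive.
EXEC_POLICY_BYPASS = re.compile(
    r"(?i)(?:^|\s)-(?:ep|exec|executionpolicy)\s+(?:bypass|unrestricted)\b")

# A -File argument whose path passes through the per-user Temp directory.
TEMP_SCRIPT = re.compile(
    r'(?i)-file\s+"?([^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.ps1)')


def basename(path: str) -> str:
    """Lower-cased image name without its directory."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid: int) -> str:
    """Parent chain for a PID, child first, e.g. 'cmd.exe <- powershell.exe'."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " <- ".join(chain)


def detect(events):
    """Return (rule, pid, detail) tuples for every record a rule matches."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""

        # Rule 1: PowerShell with the execution policy bypassed. Raised to a
        # stronger rule when the script it runs lives under %TEMP%.
        if name == "powershell.exe" and EXEC_POLICY_BYPASS.search(e.cmdline):
            m = TEMP_SCRIPT.search(e.cmdline)
            if m:
                hits.append(("ps_bypass_temp_script", e.pid, m.group(1)))
            else:
                hits.append(("ps_execpolicy_bypass", e.pid, e.cmdline))

        # Rule 2: PowerShell spawning a command shell, as PID 2228 -> 2920 here.
        if pname == "powershell.exe" and name == "cmd.exe":
            hits.append(("ps_spawns_cmd", e.pid, e.cmdline))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} chain={ancestry(SAMPLE_EVENTS, pid)} detail={detail}")
```

Neither rule fires on explorer.exe or on wermgr.exe: the explorer signatures in the report are shell noise, and wermgr.exe is launched by WER for the faulting PowerShell process, so a rule on it would alert on every PowerShell crash. Tune the -File path pattern to whatever staging directories your environment actually sees; Temp is only what this sample used.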
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 1KB
  MD5: c7dd07456dfb255b776c93e585ebc226
  SHA1: 19d94f641b43705585180ad4f3e4dfa651af2773
  SHA256: 3c653069449c30357fb5e1565cb33379f17678762d0508cd0dbbda52b365abfd
  SHA512: 615a5b573ffb8cf04ed9114154feaaf810263b60356179ffeda4fd4e7e47fe18a621198ea12ac3e36b564e21e09197960a9f80803682b7624f73d94c3f2dae48