Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 133s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 01:53
Static task: static1
Behavioral task: behavioral1
  Sample: c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c5c6c2ca40239d1546571d3bf9c0f8c00786d5a3ea23c185ab3fccd65001303b.exe
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: Biomolecule/Shopmaid.ps1
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: Biomolecule/Shopmaid.ps1
  Resource: win10v2004-20240226-en
General
Target: Biomolecule/Shopmaid.ps1
Size: 61KB
MD5: d003bc3b0862bfceec3a0869b7872b8a
SHA1: 477a3475ffe393390c6faf530887d0d162662feb
SHA256: 994c3a38ec25e17024e4260571b946d006aac11fcceb754bc68e18d13c394b51
SHA512: ae2a0a61e7d03afd55ede91c0712d89fa9b4504ac9b5db23a7e5f30d8a1fb226e71e9c6383bd1ec55b15cef61e952124b44f77cafd74aa5af4db6d7a92dab88a
SSDEEP: 1536:tMfur/H2ttlMwEcdJwK7OqcgwwO+5DPMEi18:Q8f2BMojUqXNAh8
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Modifies registry class (5 IoCs)
  Set value (data)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
  Note: every registry IoC above belongs to explorer.exe (PID 2700), which the process tree lists as a separate top-level process with no link to the PowerShell sample. BagMRU (folder-view state) and the per-user Active Setup key are routine shell activity on a fresh desktop session, so these two signatures should not be read as script behaviour without corroborating evidence.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 3048  powershell.exe  (8 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2700  explorer.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Token: SeDebugPrivilege  pid 3048  powershell.exe
  Token: SeShutdownPrivilege  pid 2700  explorer.exe  (12 occurrences)
Suspicious use of FindShellTrayWindow (29 IoCs)
  pid 2700  explorer.exe  (29 occurrences)
Suspicious use of SendNotifyMessage (22 IoCs)
  pid 2700  explorer.exe  (22 occurrences)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3048 (powershell.exe) wrote to memory of PID 2132, procid_target 29  (3 occurrences)
  PID 3048 (powershell.exe) wrote to memory of PID 2576, procid_target 31  (3 occurrences)
  Note: both targets are the children powershell.exe itself spawned (cmd.exe 2132 and wermgr.exe 2576, see the process tree), which is consistent with ordinary process creation rather than injection into an unrelated process.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API (Schedule.Service / ITaskService) can be used to register tasks that run an application at boot, at logon or at set times, which makes it a common persistence mechanism. The report lists no per-process IoC for this signature, so which process made the call, and whether a task was actually registered, is not shown here; confirm it from the task store or registry on the analysis VM.
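The following is an added triage example, not code from the report or from the sample. It walks the task store through the same Task Scheduler COM API the signature refers to (Schedule.Service), including hidden tasks, and surfaces entries whose executable action launches a script host, carries evasive PowerShell switches such as the -ExecutionPolicy bypass seen in the process tree, or points into a user-writable directory. The script-host list, the directory list and the regular expression are the author's own heuristics, not values from the report.

```powershell
# Added example (not from the tria.ge report): enumerate scheduled tasks through the
# Task Scheduler COM API and flag the ones a responder would want to inspect first.
# Runs on the analysis VM or a suspect host with no extra modules.

# Heuristic lists (assumptions, tune to your environment).
$ScriptHosts  = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                  'mshta.exe', 'rundll32.exe', 'regsvr32.exe')
$UserWritable = @('\AppData\Local\Temp\', '\AppData\Roaming\', '\Users\Public\',
                  '\ProgramData\', '\Windows\Temp\')

function Get-TaskFolderRecursive {
    # Yields every IRegisteredTask under $Folder, descending into sub-folders.
    param([Parameter(Mandatory)] $Folder)
    foreach ($t in $Folder.GetTasks(1)) { $t }       # 1 = TASK_ENUM_HIDDEN: include hidden tasks
    foreach ($sub in $Folder.GetFolders(0)) { Get-TaskFolderRecursive -Folder $sub }
}

function Test-SuspiciousAction {
    # Returns the reasons an exec action looks worth a look (empty when none apply).
    param([string]$Path, [string]$Arguments)
    $exe     = ($Path.Trim('"') -split '[\\/]')[-1]
    $reasons = @()
    if ($ScriptHosts -contains $exe.ToLowerInvariant()) { $reasons += "script host: $exe" }
    foreach ($dir in $UserWritable) {
        if ("$Path $Arguments" -like "*$dir*") { $reasons += "user-writable path: $dir"; break }
    }
    if ($Arguments -match '(?i)-(ExecutionPolicy|ep)\s+bypass|-enc|-w(indowstyle)?\s+hidden') {
        $reasons += 'evasive PowerShell switches'
    }
    return $reasons
}

$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()    # local machine; Connect('host') for remote triage with suitable rights

$findings = foreach ($task in Get-TaskFolderRecursive -Folder $svc.GetFolder('\')) {
    $def = $task.Definition
    foreach ($action in $def.Actions) {
        if ($action.Type -ne 0) { continue }          # 0 = TASK_ACTION_EXEC; skip COM/email/message actions
        $why = @(Test-SuspiciousAction -Path $action.Path -Arguments $action.Arguments)
        if ($why.Count -eq 0) { continue }
        [pscustomobject]@{
            Task       = $task.Path
            Registered = $def.RegistrationInfo.Date
            Author     = $def.RegistrationInfo.Author
            RunAs      = $def.Principal.UserId
            Triggers   = ($def.Triggers | ForEach-Object { $_.Type }) -join ','
            Command    = "$($action.Path) $($action.Arguments)".Trim()
            Why        = $why -join '; '
        }
    }
}

$findings | Sort-Object Registered -Descending | Format-Table -AutoSize -Wrap
```

Sort by registration date and compare against the sandbox run window: a task registered during the run whose action re-launches the .ps1 from the Temp path is the persistence this signature is meant to catch, whereas Microsoft's own tasks under \Microsoft\Windows will also match the script-host rule and need to be filtered by Author and path.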
Processes
1  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Biomolecule\Shopmaid.ps1
   PID: 3048
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID: 2132
   2  C:\Windows\system32\wermgr.exe
      command line: "C:\Windows\system32\wermgr.exe" "-outproc" "3048" "1140"
      PID: 2576
1  C:\Windows\explorer.exe
   command line: explorer.exe
   PID: 2700
   - Modifies Installed Components in the registry
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

Reading the tree: the leading number is the depth in the process tree. The sandbox launched the script with -ExecutionPolicy bypass, which is why it ran at all on a default policy; the same switch in real telemetry is the first thing to pivot on. The cmd.exe child only evaluates "set /A 1^^0" (the doubled caret is cmd's escape, so this is 1 XOR 0, i.e. the integer 1), a trivial child process that is easy to key a detection on. wermgr.exe launched with -outproc and the PID of the PowerShell host (3048) is Windows Error Reporting's out-of-process handler, which means the PowerShell process raised a WER event (typically an unhandled exception) during the run; the script may therefore not have completed its intended behaviour in this environment, which is consistent with the empty Network section below.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 24ab25c722b87ed520b65583f8bd56ac
SHA1: 14914773aa9a9a35e5f2ce6cf1df676c20fc97f9
SHA256: 39a667bbc4c45d24a618b640d9a63cc3e0844f8678784ddde013eba3c2f628e8
SHA512: 408bc8bb1ab1f1fe57ba4e336ac0a4845e3052e42e4e8f05d7dadc34a6ad641466ed399f112bef678e092bb1ee94aa5c108d9efe73cdd57b61151636c74415c8