Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
6Static
static
3Evon.zip
windows7-x64
1Evon.zip
windows10-2004-x64
1Evon.exe
windows7-x64
1Evon.exe
windows10-2004-x64
1Launcher.bat
windows7-x64
1Launcher.bat
windows10-2004-x64
6README.txt
windows7-x64
1README.txt
windows10-2004-x64
1config
windows7-x64
1config
windows10-2004-x64
1lua51.dll
windows7-x64
3lua51.dll
windows10-2004-x64
3Analysis
-
max time kernel
1608s -
max time network
1551s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/04/2024, 06:25
Static task
static1
Behavioral task
behavioral1
Sample
Evon.zip
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Evon.zip
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Evon.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Evon.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Launcher.bat
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Launcher.bat
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
README.txt
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
README.txt
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
config
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
config
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
lua51.dll
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
lua51.dll
Resource
win10v2004-20240226-en
General
-
Target
README.txt
-
Size
410B
-
MD5
5470c1484d7547c70fcddacb19bcb823
-
SHA1
4156ae61439baa7149fe88c69794cba6edea862d
-
SHA256
fa7263d3a001a80914e3b9790de7b9dbb216d39436d222304a97aded0f5d5842
-
SHA512
0c4a19627523545ff096576b02531b791e7505fbed522bcb6fe3beb1a1167a94b7feee7ba9bea141039ec762e308a43eeff8e0f8c4145397f2ebd016c6309652
Malware Config
Signatures
-
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1048 NOTEPAD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeManageVolumePrivilege 4832 svchost.exe
Processes
-
C:\Windows\system32\NOTEPAD.EXEC:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\README.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1048
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:4536
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4832