Analysis

max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/04/2024, 16:00
Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: FACTURAS PENDIENTES.exe
  Resource: win7-20240221-en
  7 signatures, 150 seconds
General

Target: FACTURAS PENDIENTES.exe
Size: 736KB
MD5: be5049954ae1360c7c73edc98c252948
SHA1: 347c475c80875dec8a84f6fbb70309e73f6c6036
SHA256: 912444aec56fd47f95d449249675e51f2b07da90934d486c0d91e148cec71567
SHA512: 8151efe7a2cbc5af735bd19eae31398ffae0fa19d97991903005c2d0d39e112285c4ea1ccc336429d293a29716d5df38439a1f43caac8f9d4f8fc9991acb89f1
SSDEEP: 12288:SydzjtuEA9MsXWyiXiP9tyy2mFYauVJhsM4DZ264KuinZ5F0y65u:SydzB+7XxiXYt12mFYauVjcF2KtnZINw
Malware Config
Signatures

UAC bypass
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: FACTURAS PENDIENTES.exe

Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: FACTURAS PENDIENTES.exe

  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: FACTURAS PENDIENTES.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2320  FACTURAS PENDIENTES.exe
  pid 3036  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2320  FACTURAS PENDIENTES.exe
  Token: SeDebugPrivilege  pid 3036  powershell.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   Process                  procid_target  count
  PID 2320 wrote to memory of 3036   2320  FACTURAS PENDIENTES.exe  29             3
  PID 2320 wrote to memory of 2584   2320  FACTURAS PENDIENTES.exe  31             7

System policy modification (1 TTP, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: FACTURAS PENDIENTES.exe
Processes

C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe  (PID 2320)
  command line: "C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3036, child of 2320)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe  (PID 2584, child of 2320)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
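The three behaviours in this report that a detection engineer would want to alert on are the EnableLUA policy value being set to 0, a PowerShell Add-MpPreference exclusion for the sample's own path, and regasm.exe being launched with no arguments and then written to by its parent (the WriteProcessMemory signature targeting PID 2584). The script below is an added example, not part of the tria.ge report or of the sample: it runs three rules over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) whose PIDs, paths and command lines are copied from this report, plus one assumed-benign regasm.exe invocation by MSBuild.exe (hypothetical, included to show the rule stays quiet on ordinary use), and correlates each hit back to its root process.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed Sysmon-style events (not captured logs). PIDs, images and
# command lines for 2320/3036/2584 are copied from the report; the EventID 13
# record encodes the EnableLUA = 0 write. The last event (PID 4100, parent
# MSBuild.exe) is an assumed benign regasm.exe call used as a negative case.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2320, "ParentProcessId": 1200,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe"'},
    {"EventID": 1, "ProcessId": 3036, "ParentProcessId": 2320,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath '
                    r'"C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe" -Force'},
    {"EventID": 1, "ProcessId": 2584, "ParentProcessId": 2320,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"'},
    {"EventID": 13, "ProcessId": 2320,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\FACTURAS PENDIENTES.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 3900,  # assumed benign
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /codebase C:\build\Interop.dll'},
]

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    root_pid: int
    detail: str

_UAC_KEY = re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)
_MP_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(\"[^\"]*\"|\S+)", re.IGNORECASE)
_HOST_BINARIES = {"regasm.exe", "regsvcs.exe"}  # .NET utilities that need an assembly argument to do anything

def _args_after_image(cmdline):
    """Return the command line with the (possibly quoted) image path removed."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""

def rule_uac_disabled(ev):
    """EventID 13 writing EnableLUA = 0 under the System policy key (takes effect after reboot)."""
    if ev.get("EventID") != 13 or not _UAC_KEY.search(ev.get("TargetObject", "")):
        return None
    if not re.fullmatch(r"DWORD \(0x0+\)", ev.get("Details", "")):
        return None
    return "EnableLUA set to 0: UAC disabled system-wide"

def rule_defender_exclusion(ev):
    """PowerShell adding a Defender exclusion; self-exclusion of the parent is called out."""
    if ev.get("EventID") != 1:
        return None
    if ntpath.basename(ev.get("Image", "")).lower() not in {"powershell.exe", "pwsh.exe"}:
        return None
    m = _MP_EXCLUSION.search(ev.get("CommandLine", ""))
    if not m:
        return None
    excluded = m.group(1).strip('"')
    detail = "Defender exclusion added for " + excluded
    if excluded.lower() == ev.get("ParentImage", "").lower():
        detail += " (excludes its own parent process)"
    return detail

def rule_bare_dotnet_host(ev):
    """regasm/regsvcs started with no arguments: consistent with use as an injection host."""
    if ev.get("EventID") != 1:
        return None
    if ntpath.basename(ev.get("Image", "")).lower() not in _HOST_BINARIES:
        return None
    if _args_after_image(ev.get("CommandLine", "")):
        return None  # an assembly path or switch is present: normal use
    parent = ev.get("ParentImage", "")
    origin = "user-writable" if re.search(r"\\(AppData|Temp)\\", parent, re.IGNORECASE) else "system"
    return f"{ntpath.basename(ev['Image'])} started with no arguments by {parent} ({origin} path)"

RULES = (rule_uac_disabled, rule_defender_exclusion, rule_bare_dotnet_host)

def root_pid(events, pid):
    """Follow ParentProcessId links upward as far as the event set allows."""
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid].get("ParentProcessId")
        if parent not in by_pid:
            break
        pid = parent
    return pid

def scan(events):
    """Apply every rule to every event and attribute hits to their root process."""
    return [Finding(rule.__name__, ev["ProcessId"], root_pid(events, ev["ProcessId"]), detail)
            for ev in events for rule in RULES if (detail := rule(ev))]

def summarize_by_root(findings):
    """Map each root PID to the set of rules it triggered, directly or via children."""
    out = {}
    for f in findings:
        out.setdefault(f.root_pid, set()).add(f.rule)
    return out

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} root={f.root_pid}: {f.detail}")
```

On the constructed events all three rules fire and every hit rolls up to PID 2320, which is the correlation that turns three medium-confidence signals into one high-confidence incident. Two caveats for anyone reusing this against real telemetry: the Add-MpPreference cmdlet and the HKLM Policies write both require administrative rights, so on a host where the sample ran unelevated the exclusion and the UAC change would fail; and this sandbox is Windows 7, where the Defender PowerShell module that provides Add-MpPreference is not shipped, so the observed command line shows intent rather than a confirmed exclusion.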