Analysis
  max time kernel:   117s
  max time network:  96s
  platform:          windows11-21h2_x64
  resource:          win11-20240412-en
  resource tags:     arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         16/04/2024, 15:26

Tasks
  static1      static task
  behavioral1  behavioral task    sample: Airi Shimeji.zip    resource: win11-20240412-en
General
  Target:  Airi Shimeji.zip
  Size:    2.6MB
  MD5:     f16082be399df23dd0120e87fb9510d3
  SHA1:    eab684c7727be97717fe8fb5e6c1e20bd2798bd4
  SHA256:  917b98d51a386759f2904a359b362c2350f84d8b5fe4bd8b521ea35b09593f06
  SHA512:  5095d440e98d63ba45e626c0461c5433f57a12dfb8899d57164244fce16e955353fc619f69ef5484cbda3f2a994b6c2ca6a765a76da7ae8022e08a5f06a36d9a
  SSDEEP:  49152:XgjWK3cbW/BBmE7CbIGqSDkgAj+ncuEfBAuw2zYYuFRtm+ZHKag/yDZ:QjnMiBBNukz7n+ncu2qu1ERA+Zqag6DZ
Malware Config
Signatures

Loads dropped DLL (2 IoCs)
  PID 2736  java.exe
  PID 3700  java.exe

Modifies file permissions (1 TTP, 1 IoC)
  PID 4244  icacls.exe
  Note: the command (see the process tree) grants Everyone (OI)(CI)M, i.e. Modify with object and container inheritance, on C:\ProgramData\Oracle\Java\.oracle_jre_usage. That directory and that exact grant are how Oracle's JRE 8 usage tracker sets itself up on first run, so the call comes from the runtime rather than from anything the jar had to ask for; it still leaves a world-modifiable, inheriting ACL under ProgramData, which is worth knowing about on any host where this JRE is installed.

Drops file in System32 directory (1 IoC)
  File opened for modification  C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk  PowerShell.exe
  Note: the path contains an unexpanded %AppData% token resolved relative to System32; the target is the PowerShell Start Menu shortcut, not a file the sample wrote.

Drops file in Program Files directory (24 IoCs)
  File opened for modification, process java.exe. The report lists 12 distinct paths, each recorded twice; the signature fires for both java.exe instances (PID 2736 and PID 3700):
    C:\Program Files\Java\jre-1.8\bin\jvm.pdb
    C:\Program Files\Java\jre-1.8\bin\ntdll.pdb
    C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb
    C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb
    C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb
    C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb
    C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb
    C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb
    C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb
    C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb
    C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb
    C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb
  Note: every entry is a debug-symbol (.pdb) path for jvm.dll or ntdll.dll in one of six directories beside the JVM binaries; no other file type appears in the list.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2256  PowerShell.exe  (2 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2256  PowerShell.exe

Suspicious use of FindShellTrayWindow (6 IoCs)
  PID 2736  java.exe  (3 events)
  PID 3700  java.exe  (3 events)

Suspicious use of SendNotifyMessage (6 IoCs)
  PID 2736  java.exe  (3 events)
  PID 3700  java.exe  (3 events)

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2736  java.exe  (2 events)
  PID 3700  java.exe  (2 events)
  Note: FindShellTrayWindow, SendNotifyMessage and SetWindowsHookEx are all user32 desktop-interaction calls made by the two java.exe instances. SetWindowsHookEx is the one to follow up, since global hooks are also the mechanism behind keyloggers and hook-DLL injection; the report does not record the hook type or the target thread.

Suspicious use of WriteProcessMemory (6 IoCs)
  source PID  target PID  source process  procid_target
  2256        2736        PowerShell.exe  86
  2256        2736        PowerShell.exe  86
  2736        4244        java.exe        87
  2736        4244        java.exe        87
  2912        3700        cmd.exe         93
  2912        3700        cmd.exe         93
  Note: every pair matches a parent and its direct child in the process tree below, so these writes are the side effect of process creation rather than writes into an unrelated process. The table doubles as the parent/child map for the tree.
Processes

PID 388   C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Airi Shimeji.zip"

PID 4532  C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 2256  C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
          "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Desktop\Airi Shimeji'
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

  PID 2736  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
            "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -jar .\Shimeji-ee.jar
            - Loads dropped DLL
            - Drops file in Program Files directory
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

    PID 4244  C:\Windows\system32\icacls.exe
              C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
              - Modifies file permissions

PID 2912  C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe"
          - Suspicious use of WriteProcessMemory

  PID 3700  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
            java -jar Shimeji-ee.jar
            - Loads dropped DLL
            - Drops file in Program Files directory
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
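The WriteProcessMemory rows and the process tree above are the report's only parent/child evidence, and the chain that matters for triage is script host -> java.exe -jar -> icacls. The following Python is an added example written for this page (not tria.ge code and not part of the Shimeji project): it rebuilds the tree from the WriteProcessMemory rows and applies two detection rules that are this editor's assumptions about what to alert on, a script host (PowerShell, cmd, wscript, cscript) launching java -jar, and an icacls grant that gives Everyone write-class rights (F, M or W). The input strings are constructed from the rows and command lines printed on this page.

```python
"""Rebuild a tria.ge process tree from 'Suspicious use of WriteProcessMemory' rows and
flag script-host -> java -jar launches and icacls grants that open a path to Everyone.
Added example for this page; the rules and SCRIPT_HOSTS are the editor's assumptions."""
import re
from collections import defaultdict

# Constructed input: the six WriteProcessMemory rows exactly as printed in the report.
WPM_ROWS = """\
PID 2256 wrote to memory of 2736 2256 PowerShell.exe 86
PID 2256 wrote to memory of 2736 2256 PowerShell.exe 86
PID 2736 wrote to memory of 4244 2736 java.exe 87
PID 2736 wrote to memory of 4244 2736 java.exe 87
PID 2912 wrote to memory of 3700 2912 cmd.exe 93
PID 2912 wrote to memory of 3700 2912 cmd.exe 93
"""

# Constructed input: the command lines from the report's process tree, keyed by PID.
COMMANDS = {
    388: r'C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Airi Shimeji.zip"',
    4532: r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding',
    2256: '"PowerShell.exe" -noexit -command Set-Location -literalPath '
          + r"'C:\Users\Admin\Desktop\Airi Shimeji'",
    2736: r'"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -jar .\Shimeji-ee.jar',
    4244: r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M',
    2912: r'"C:\Windows\System32\cmd.exe"',
    3700: r'java -jar Shimeji-ee.jar',
}

# Row layout: source pid, target pid, source pid again, source image, target's internal id.
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
JAVA_JAR = re.compile(r'java(?:\.exe)?"?\s+-jar\s+(\S+)', re.I)
# icacls <path> /grant everyone:<rights>; <rights> keeps its (OI)(CI) inheritance flags.
EVERYONE_GRANT = re.compile(r'icacls\.exe\s+(?P<path>\S+)\s+/grant\s+"?everyone"?:(?P<rights>\S+)', re.I)
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}  # assumption


def parse_wpm(text):
    """{child_pid: (parent_pid, parent_image)}; the duplicated rows collapse to one edge."""
    edges = {}
    for src, dst, image in WPM_ROW.findall(text):
        edges[int(dst)] = (int(src), image)
    return edges


def ancestry(edges, pid):
    """[pid, parent, grandparent, ...] up to the first PID with no recorded parent."""
    chain = [pid]
    while chain[-1] in edges:
        chain.append(edges[chain[-1]][0])
    return chain


def findings(edges, commands):
    """(pid, reason) for every command line that trips one of the two rules, sorted by pid."""
    out = []
    for pid, cmd in commands.items():
        m = JAVA_JAR.search(cmd)
        if m and edges.get(pid, (None, ""))[1].lower() in SCRIPT_HOSTS:
            parent_pid, parent_image = edges[pid]
            out.append((pid, f"{parent_image} (PID {parent_pid}) launched java -jar {m.group(1)}"))
        m = EVERYONE_GRANT.search(cmd)
        if m:
            # Drop the inheritance flags; F, M or W in what remains means Everyone can write.
            simple = re.sub(r"\([A-Z]+\)", "", m.group("rights"))
            if set(simple) & set("FMW"):
                chain = " <- ".join(map(str, ancestry(edges, pid)))
                out.append((pid, f"Everyone granted {m.group('rights')} on {m.group('path')} (ancestry {chain})"))
    return sorted(out)


def render(edges, commands):
    """Indented tree; roots are PIDs that never appear as a WriteProcessMemory target."""
    children = defaultdict(list)
    for child, (parent, _) in edges.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"PID {pid}: {commands.get(pid, '?')}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(p for p in commands if p not in edges):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print("\n".join(render(edges, COMMANDS)))
    for pid, reason in findings(edges, COMMANDS):
        print(f"[!] PID {pid}: {reason}")
```

On this report the script yields three findings: PowerShell (2256) and cmd (2912) each launching java -jar Shimeji-ee.jar, and icacls (4244) granting Everyone (OI)(CI)M with the ancestry 4244 <- 2736 <- 2256. The second rule deliberately ignores inheritance flags and read-only grants, so an icacls call that only adds (OI)(CI)R would not fire.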
Network
MITRE ATT&CK Enterprise v15
Downloads

File (no path recorded)
  Filesize:  46B
  MD5:       31c050976cc9341185bb917cedb7da92
  SHA1:      7aa552be3f89b07ab86c56a9814dcd31b63e3d88
  SHA256:    1a6f08dde6b826cd37f42fa340eb311e73ccaa37c55fe38cbb898e60f69f20dc
  SHA512:    9449d989a40b682ba47b774d5951ecbdd8716ed55686488c84c431ab73ab75ce5d0b773b967df32d682bbe4a93bd2360fa7aa82bdd75f3ff61f5bb21f7b14c1a

File (no path recorded)
  Filesize:  60B
  MD5:       d17fe0a3f47be24a6453e9ef58c94641
  SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File (no path recorded)
  Filesize:  25KB
  MD5:       09218ed8a31db96b07558811c5a585fb
  SHA1:      30932214f3ed72ddccb6a8a5894cc1ddf28a371b
  SHA256:    317dfe7dbdc715c07b95a297146518eea7c8eef9084943e3aab23059c12da18f
  SHA512:    e1b1658866f7869fbc15314cda23d4642fc725e839ee833be66f952b89fca4cadbee0d87c824c7950e029fd5b4d85fcc0e7f33d9f6f3148cd29674a70c6b016e

File (no path recorded)
  Filesize:  169KB
  MD5:       e614dd8601e2f7df64bd226c1f58f965
  SHA1:      b33b81f6b7d1c4924fd6cb5208621a89df79f54e
  SHA256:    d984e47e0cadf4a48d7a857b387e3dacee20232b900a21ee3fce8d51b9fe6cd2
  SHA512:    5288f386913a560fd4fe8cbc2c3252366c2651cf9a52ec3c9c8b2415d533a399cf0fa162ffd8e8133db6593c66afb9a50f427df30278e9dd29d2c1c91bc439f4

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-801878912-692986033-442676226-1000\83aa4cc77f591dfc2374580bbd95f6ba_20b07406-8e6f-45df-9efd-1cf7b8a931bf
  Filesize:  45B
  MD5:       c8366ae350e7019aefc9d1e6e6a498c6
  SHA1:      5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256:    11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512:    33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd