Analysis
- max time kernel: 133s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17/04/2024, 12:48
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 8e9fea5458c969eaf662771d87e2e9d2487e904e5dbeea5d90fc7e44369c3f95.exe
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: 8e9fea5458c969eaf662771d87e2e9d2487e904e5dbeea5d90fc7e44369c3f95.exe
  Resource: win10v2004-20240412-en
- Behavioral task: behavioral3
  Sample: Paleolimnology/ansgningsfristernes/Dishonorables/Sweety64.ps1
  Resource: win7-20240221-en
- Behavioral task: behavioral4
  Sample: Paleolimnology/ansgningsfristernes/Dishonorables/Sweety64.ps1
  Resource: win10v2004-20240226-en
General
- Target: Paleolimnology/ansgningsfristernes/Dishonorables/Sweety64.ps1
- Size: 61KB
- MD5: e5c2dca2119f3e664238f0f51539dbb5
- SHA1: 24fc5d8ac634d19acafbf78852482014c052f996
- SHA256: b3f8b29f9da552c657a02fbadad0745e365ea1d548fe22ddbfb3e9450eb29837
- SHA512: 458178c3e2f344a9f28a505c870667d5f3387c7cdd0b6cde22ff428e460b2d433f2653b7516fc5698837e41a635e31f2f59564a33631e938b0801749c6f7b7a6
- SSDEEP: 1536:wOnRUJt1Yo/oPn0xI1lp85xiLpcdL/mJf7RUw++4:eJt1Yoh+zgwpKKJdb4
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  description / ioc / process:
  Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
- Drops file in Windows directory (1 IoC)
  description / ioc / process:
  File opened for modification: \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico (explorer.exe)
- Modifies registry class (5 IoCs)
  description / ioc / process:
  Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings (explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid / process:
  628 powershell.exe (8 identical rows)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process:
  2744 explorer.exe
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description / pid / process:
  Token: SeDebugPrivilege, 628 powershell.exe
  Token: SeShutdownPrivilege, 2744 explorer.exe (12 identical rows)
- Suspicious use of FindShellTrayWindow (29 IoCs)
  pid / process:
  2744 explorer.exe (29 identical rows)
- Suspicious use of SendNotifyMessage (22 IoCs)
  pid / process:
  2744 explorer.exe (22 identical rows)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / process / procid_target:
  PID 628 wrote to memory of 2520, 628 powershell.exe, target 29 (3 identical rows)
  PID 628 wrote to memory of 2720, 628 powershell.exe, target 31 (3 identical rows)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Paleolimnology\ansgningsfristernes\Dishonorables\Sweety64.ps1
  PID: 628
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    PID: 2520
  - C:\Windows\system32\wermgr.exe
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "628" "1128"
    PID: 2720
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2744
  Signatures:
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: f511740521e76718dd4a885b29334960
  SHA1: 5472c68211484020bb4a75e6000dedfcee81be99
  SHA256: 19f5c921ae445d5452253d0f41c75a2664ef6eaf4ba6c6488f24afd49253cc1f
  SHA512: 44eb9b646fc8d2db958642c7fa8c1f8c0ca7b33463e05cded276dc795208feff61777b88e69648782b38fc446f61fb30bf67b6c8b1c9646a63202a1a2bd2bf53