Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 132s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18/04/2024, 15:36
Static task
- static1
Behavioral tasks
- behavioral1
  Sample: Спецификация контракта Казахстан – Российская Федерация.exe
  Resource: win7-20240221-en
- behavioral2
  Sample: Спецификация контракта Казахстан – Российская Федерация.exe
  Resource: win10v2004-20240412-en
- behavioral3
  Sample: Fellator/Paletter/Lowbyte/Avanceringen157/Rekrt.ps1
  Resource: win7-20240221-en
- behavioral4
  Sample: Fellator/Paletter/Lowbyte/Avanceringen157/Rekrt.ps1
  Resource: win10v2004-20240412-en
General
- Target: Fellator/Paletter/Lowbyte/Avanceringen157/Rekrt.ps1
- Size: 56KB
- MD5: 2354362f1cb0a39baef7da6969832048
- SHA1: ed2a3597370eea69ea017af285c99d1b60556a0c
- SHA256: f5129323c012e960d4b1a619a95757cc81675275e4c795883004c54da5ed3bb2
- SHA512: a09dbc69627bd42180fe9cf8fc7234798e30296de3a2b35a0c071e7507d9a63a5dc3f0873183a8bd93e929e05ea5d647323cf2905f4550cfb8cc5ee07353999a
- SSDEEP: 1536:cNNoZXAoFiKJ3QQkAZAheVVkK95OhXOEFcKNmRAbUmptcI:cNWZJU+Y6MOVvWUKNsA4mgI
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  2984 | powershell.exe (8 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2628 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2984 | powershell.exe
  Token: SeShutdownPrivilege | 2628 | explorer.exe (12 identical entries)
- Suspicious use of FindShellTrayWindow (29 IoCs)
  pid | Process
  2628 | explorer.exe (29 identical entries)
- Suspicious use of SendNotifyMessage (17 IoCs)
  pid | Process
  2628 | explorer.exe (17 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2984 wrote to memory of 2232 | 2984 | powershell.exe | 29 (3 identical entries)
  PID 2984 wrote to memory of 2636 | 2984 | powershell.exe | 31 (3 identical entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 2984)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Fellator\Paletter\Lowbyte\Avanceringen157\Rekrt.ps1
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\cmd.exe (PID: 2232)
    Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
  - C:\Windows\system32\wermgr.exe (PID: 2636)
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2984" "1084"
- C:\Windows\explorer.exe (PID: 2628)
  Command line: explorer.exe
  Signatures:
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 1a7052f913ba4fc86c0e0ab48fe35934
  SHA1: 3bce6b9e16620dd05dccc3ea0ff26d89659439c0
  SHA256: ce227917ca38320e34b8b1900586521770efedf052883d4beedbed62f7ac76d9
  SHA512: 30f1b2fa9d0b73f795c693d0dca61d1324d220b366f756fe120f4d283c1892e63b422cd6578d2ad63338df3663d84bf62f9305a574f7dcbbc99ef583c5baa180