Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21/04/2024, 03:08
Behavioral tasks
behavioral1: sample z84jxn2.rar, resource win7-20240221-en
behavioral2: sample z84jxn2.rar, resource win10v2004-20240412-en
behavioral3: sample z842jxn2/z872jxn2.exe, resource win7-20240215-en
behavioral4: sample z842jxn2/z872jxn2.exe, resource win10v2004-20240412-en
General
Target: z84jxn2.rar
Size: 39KB
MD5: 9ca6caaa1fcda89d59529f1e09dc3b4c
SHA1: 1106f781d017d1b6c1369c600f2a8aba1239fac4
SHA256: b01bb940254688c9ff0f2f7e0acc73ac7aa6c0e01c80f9417524cf7150edadfa
SHA512: d58b1444253c1cde779e2a5dad7f33d19a940560f1a1935eebd8c85797126d55022cccf141ac75c3b286b194017261a308309693ccaf31efb4a39f2e7d7520e0
SSDEEP: 768:CtyYxjiWinegBxVUo0OXUoSy8UzNvsOajJT0VCmZ1jn5i4nWBIRxQ/:CtyyjfiN5Uo0ATSyzRsO8WVH1wIO/
Malware Config
(none extracted)

Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 2660, process 7zFM.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeRestorePrivilege, pid 2660, process 7zFM.exe
  Token: 35, pid 2660, process 7zFM.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 2660, process 7zFM.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1300 wrote to memory of 2660; pid 1300, process cmd.exe, procid_target 29
  description: PID 1300 wrote to memory of 2660; pid 1300, process cmd.exe, procid_target 29
  description: PID 1300 wrote to memory of 2660; pid 1300, process cmd.exe, procid_target 29
Processes
1. C:\Windows\system32\cmd.exe (PID 1300)
   command line: cmd /c C:\Users\Admin\AppData\Local\Temp\z84jxn2.rar
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\7-Zip\7zFM.exe (PID 2660, child of PID 1300)
      command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\z84jxn2.rar"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow