Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01/05/2024, 16:24

General

  • Target

    SecuriteInfo.com.Win64.PWSX-gen.17352.exe

  • Size

    739KB

  • MD5

    120f43da8f3b2b7f24d2b509d197a885

  • SHA1

    bb27a97f1c6e012b470e5035821bdad604037267

  • SHA256

    ebe535e02ec19a129be4434bfa18f1fceed895db2befd06ec711594f44481990

  • SHA512

    66bc3a9c4b4e115bbd9df2f6b0c8eef539e0cb2bc36042785dacbb24b0dccd6b66c00e647a71e8c8a9e5c2913b17f1527b689afb77a305d48164745f74457f7b

  • SSDEEP

    12288:c5lgDBfevt7xVz/0yM5XxNfLG4KDGEoZ/ifs76cFaaxS3/KTX9xnOEp:eKDBfevlfz/0yMrNfa4WLVcw2S3sTTp

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.17352.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.17352.exe"
      2⤵
      • UAC bypass
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.17352.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        3⤵
          PID:2648
        • C:\Windows\System32\notepad.exe
          "C:\Windows\System32\notepad.exe"
          3⤵
            PID:2568
          • C:\Windows\System32\calc.exe
            "C:\Windows\System32\calc.exe"
            3⤵
              PID:2872
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
              3⤵
                PID:3056
              • C:\Windows\System32\svchost.exe
                "C:\Windows\System32\svchost.exe"
                3⤵
                  PID:2616
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  3⤵
                    PID:2492
                  • C:\Program Files (x86)\Windows Mail\wab.exe
                    "C:\Program Files (x86)\Windows Mail\wab.exe"
                    3⤵
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    PID:2456
                  • C:\Program Files (x86)\Windows Mail\wab.exe
                    "C:\Program Files (x86)\Windows Mail\wab.exe"
                    3⤵
                      PID:3060
                  • C:\Windows\SysWOW64\dllhost.exe
                    "C:\Windows\SysWOW64\dllhost.exe"
                    2⤵
                    • Adds policy Run key to start application
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    PID:1620

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/756-38-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/756-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

                  Filesize

                  4KB

                • memory/756-2-0x000000001ACB0000-0x000000001ACD4000-memory.dmp

                  Filesize

                  144KB

                • memory/756-3-0x000000001B100000-0x000000001B19C000-memory.dmp

                  Filesize

                  624KB

                • memory/756-4-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/756-1-0x0000000001130000-0x0000000001154000-memory.dmp

                  Filesize

                  144KB

                • memory/1620-41-0x00000000000D0000-0x000000000010E000-memory.dmp

                  Filesize

                  248KB

                • memory/1620-40-0x00000000000D0000-0x000000000010E000-memory.dmp

                  Filesize

                  248KB

                • memory/2072-15-0x0000000002290000-0x0000000002298000-memory.dmp

                  Filesize

                  32KB

                • memory/2072-10-0x000000001B780000-0x000000001BA62000-memory.dmp

                  Filesize

                  2.9MB

                • memory/2072-9-0x0000000002A50000-0x0000000002AD0000-memory.dmp

                  Filesize

                  512KB

                • memory/2456-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                  Filesize

                  4KB

                • memory/2456-37-0x0000000000400000-0x0000000000442000-memory.dmp

                  Filesize

                  264KB

                • memory/2456-39-0x0000000000400000-0x0000000000442000-memory.dmp

                  Filesize

                  264KB

                • memory/2568-13-0x0000000000400000-0x0000000000442000-memory.dmp

                  Filesize

                  264KB

                • memory/2568-11-0x0000000000400000-0x0000000000442000-memory.dmp

                  Filesize

                  264KB