Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 537s
max time network: 492s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 28/05/2024, 11:02
Static task: static1
Behavioral task: behavioral1 (sample: ah.zip, resource: win7-20240508-en)
Behavioral task: behavioral2 (sample: ah.zip, resource: win10-20240404-en)
Behavioral task: behavioral3 (sample: ForceCPU.exe, resource: win7-20240508-en)
Behavioral task: behavioral4 (sample: ForceCPU.exe, resource: win10-20240404-en)
General
Target: ah.zip
Size: 7.0MB
MD5: 777c025958c2dd332ae1163092305f54
SHA1: ec016614bbbe6e88dc4e58e26a9d88bf4d1a3a64
SHA256: 36a00c545e5fdbd5712eb468099a211dccf17812a0cb08efde9d3ddce7181c5e
SHA512: 7ab95cde168fa9e866d7841729cfd4a51b3b1406cf1c808271297f7875309541fec7e0d5d7f7e0a76c7b5e0ce5e795321dfcb729208283ecd311dc0563bb920f
SSDEEP: 196608:Z8oDmWKq7cLCueSB4lE71V/YxQtw44B2yZIgrgI:6n+SWW2Otw4hyuWH
Malware Config
Signatures

NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
pid 1184 client32.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid 1636 taskmgr.exe (15 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 1636 taskmgr.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: 33 (printed unnamed by the report; privilege LUID 33 is SeIncreaseWorkingSetPrivilege) | 2024 | AUDIODG.EXE (2 events)
Token: SeIncBasePriorityPrivilege | 2024 | AUDIODG.EXE (2 events)
Token: SeSecurityPrivilege | 2976 | client32.exe
Token: SeDebugPrivilege | 1636 | taskmgr.exe

Suspicious use of FindShellTrayWindow (43 IoCs)
pid 2976 client32.exe (1 event)
pid 1636 taskmgr.exe (42 events)

Suspicious use of SendNotifyMessage (41 IoCs)
pid 1636 taskmgr.exe (41 events)

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2892 wrote to memory of 532 | 2892 | cmd.exe | 59 (3 events)
PID 264 wrote to memory of 1184 | 264 | cmd.exe | 62 (4 events)

Note: AUDIODG.EXE and taskmgr.exe are stock Windows binaries under C:\Windows\system32 (see Processes below) and are not part of the submitted archive; the signature hits that belong to the sample are the NetSupport match and the events on client32.exe, plus the two cmd.exe spawns of ForceCPU.exe and client32.exe.
Processes

PID 1736  C:\Windows\Explorer.exe
          cmdline: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ah.zip

PID 112   C:\Windows\explorer.exe
          cmdline: "C:\Windows\explorer.exe"

PID 2024  C:\Windows\system32\AUDIODG.EXE
          cmdline: C:\Windows\system32\AUDIODG.EXE 0x2f0
          - Suspicious use of AdjustPrivilegeToken

PID 2976  C:\Users\Admin\Documents\ah\client32.exe
          cmdline: "C:\Users\Admin\Documents\ah\client32.exe"
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow

PID 1052  C:\Users\Admin\Documents\ah\client32.exe
          cmdline: "C:\Users\Admin\Documents\ah\client32.exe"

PID 1672  C:\Users\Admin\Documents\ah\client32.exe
          cmdline: "C:\Users\Admin\Documents\ah\client32.exe"

PID 1328  C:\Users\Admin\Documents\ah\ForceCPU.exe
          cmdline: "C:\Users\Admin\Documents\ah\ForceCPU.exe"

PID 1796  C:\Users\Admin\Documents\ah\client32.exe
          cmdline: "C:\Users\Admin\Documents\ah\client32.exe"

PID 2404  C:\Users\Admin\Documents\ah\client32.exe
          cmdline: "C:\Users\Admin\Documents\ah\client32.exe"

PID 2612  C:\Users\Admin\Documents\ah\client32.exe
          cmdline: "C:\Users\Admin\Documents\ah\client32.exe"

PID 2812  C:\Users\Admin\Documents\ah\client32.exe
          cmdline: "C:\Users\Admin\Documents\ah\client32.exe"

PID 1820  C:\Users\Admin\Documents\ah\client32.exe
          cmdline: "C:\Users\Admin\Documents\ah\client32.exe"

PID 2564  C:\Windows\system32\rundll32.exe
          cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\ah\concrt140.dll

PID 1324  C:\Users\Admin\Documents\ah\ForceCPU.exe
          cmdline: "C:\Users\Admin\Documents\ah\ForceCPU.exe"

PID 2080  C:\Users\Admin\Documents\ah\ForceCPU.exe
          cmdline: "C:\Users\Admin\Documents\ah\ForceCPU.exe"

PID 2892  C:\Windows\system32\cmd.exe
          cmdline: "cmd.exe" /s /k pushd "C:\Users\Admin\Documents\ah"
          - Suspicious use of WriteProcessMemory
    PID 532   C:\Users\Admin\Documents\ah\ForceCPU.exe (child of 2892)
              cmdline: ForceCPU.exe

PID 264   C:\Windows\system32\cmd.exe
          cmdline: "cmd.exe" /s /k pushd "C:\Users\Admin\Documents\ah"
          - Suspicious use of WriteProcessMemory
    PID 1184  C:\Users\Admin\Documents\ah\client32.exe (child of 264)
              cmdline: client32.exe
              - Suspicious behavior: CmdExeWriteProcessMemorySpam

PID 1636  C:\Windows\system32\taskmgr.exe
          cmdline: "C:\Windows\system32\taskmgr.exe" /4
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
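The WriteProcessMemory signature above lists seven records, but they collapse to two parent-to-child relationships, both of which also appear in the process tree. The script below is an added example (not tria.ge code and not part of the original report) that parses the signature's record text exactly as it is printed on this page, deduplicates it into edges, and resolves the destination PIDs using names read off the Processes section. The record layout (`PID <src> wrote to memory of <dst> <src> <image> <procid_target>`) and the `watch` list are assumptions made for this example.

```python
import re
from collections import Counter

# Raw record text of the "Suspicious use of WriteProcessMemory" signature, copied from the report above.
WPM_IOCS = (
    "description pid Process procid_target "
    "PID 2892 wrote to memory of 532 2892 cmd.exe 59 "
    "PID 2892 wrote to memory of 532 2892 cmd.exe 59 "
    "PID 2892 wrote to memory of 532 2892 cmd.exe 59 "
    "PID 264 wrote to memory of 1184 264 cmd.exe 62 "
    "PID 264 wrote to memory of 1184 264 cmd.exe 62 "
    "PID 264 wrote to memory of 1184 264 cmd.exe 62 "
    "PID 264 wrote to memory of 1184 264 cmd.exe 62"
)

# Child PID -> image name, taken from the Processes section of the report.
PROCESS_NAMES = {532: "ForceCPU.exe", 1184: "client32.exe"}

# One record: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
# (assumed layout, matching the column header "description pid Process procid_target").
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_wpm_records(text):
    """Return one (source_pid, source_image, dest_pid, procid_target) tuple per record."""
    return [
        (int(m["src"]), m["image"], int(m["dst"]), int(m["target"]))
        for m in RECORD.finditer(text)
    ]


def injection_edges(text, names):
    """Collapse repeated records into unique source->destination edges with an event count."""
    counts = Counter((src, img, dst) for src, img, dst, _ in parse_wpm_records(text))
    return [
        {
            "source_pid": src,
            "source_image": img,
            "dest_pid": dst,
            "dest_image": names.get(dst, "?"),
            "events": n,
        }
        for (src, img, dst), n in sorted(counts.items())
    ]


def suspicious_edges(edges, watch=("client32.exe",)):
    """Keep only edges whose destination image is on the watch list (the NetSupport client here)."""
    wanted = {w.lower() for w in watch}
    return [e for e in edges if e["dest_image"].lower() in wanted]


if __name__ == "__main__":
    edges = injection_edges(WPM_IOCS, PROCESS_NAMES)
    for e in edges:
        print(f'{e["source_image"]}({e["source_pid"]}) -> '
              f'{e["dest_image"]}({e["dest_pid"]}) x{e["events"]}')
    print("watch-list hits:", [e["dest_pid"] for e in suspicious_edges(edges)])
```

Both edges are cmd.exe writing into a process it had just spawned from the extracted `ah` directory (532 and 1184 are its children in the tree), so on their own they describe process start-up rather than injection into an unrelated process; the hit worth following is that one of those children is the NetSupport client32.exe.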