Analysis

  • max time kernel
    201s
  • max time network
    202s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/05/2024, 09:16

Errors

Reason
Machine shutdown

General

  • Target

    Windows Loader/Windows Loader.exe

  • Size

    3.8MB

  • MD5

    3976bd5fcbb7cd13f0c12bb69afc2adc

  • SHA1

    3b6bdca414a53df7c8c5096b953c4df87a1091c7

  • SHA256

    bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40

  • SHA512

    0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341

  • SSDEEP

    49152:wEYCFEfn+4NWcNKg/ngk4mY0bI1Wymfgvn81yJffTpuWV355FXw/+cuWV355FXwm:wEYz38cgg/ngk4mYfA7fgvn812nv

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Loader\Windows Loader.exe"
    1⤵
    • Checks BIOS information in registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c takeown /f C:\ldrscan\bootwin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\ldrscan\bootwin
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:1604
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1912
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c takeown /f C:\ldrscan\bootwin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\ldrscan\bootwin
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:748
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1940
    • C:\Windows\system32\cmd.exe
      cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
        3⤵
        PID:2192
    • C:\Windows\system32\cmd.exe
      cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
        3⤵
        PID:2356
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "compact /u \\?\Volume{66810243-d100-11ee-bac6-806e6f6e6963}\PSGEN"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\compact.exe
        compact /u \\?\Volume{66810243-d100-11ee-bac6-806e6f6e6963}\PSGEN
        3⤵
        PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
      2⤵
      PID:2552
      • C:\bootsect.exe
        C:\bootsect.exe /nt60 SYS /force
        3⤵
        • Executes dropped EXE
        PID:2412
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "shutdown -r -t 0"
      2⤵
      PID:1188
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -r -t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1284
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:2736
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x508
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2768
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Acer.XRM-MS
    Filesize: 2KB
    MD5: f25832af6a684360950dbb15589de34a
    SHA1: 17ff1d21005c1695ae3dcbdc3435017c895fff5d
    SHA256: 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
    SHA512: e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

  • C:\bootsect.exe
    Filesize: 95KB
    MD5: fe2479b482c0dcd5c432ad8da69e9214
    SHA1: 83549515da272e2318e0e518d1108dc90cd0b3fb
    SHA256: ea86855bb1a7c8155e69322362ce98f1953988b0d9693b86b5eb55409c1a99af
    SHA512: d6166a00779d14d32673a36f437685178e1578fe3f902ff734979ca2a987a8b10ede472a8117300cf9fc94609920a158f1b49d60fd89f9872844c86b1fb3ec13

  • \??\Volume{66810243-d100-11ee-bac6-806e6f6e6963}\PSGEN
    Filesize: 334KB
    MD5: c720309d465b5d80c41ab96da9625922
    SHA1: bee85436de4292d415e40c900e8216b07d59264b
    SHA256: 0c0b54dba811504b6b18e3c2164acf001b40801f0b8a6f357ac119c94bbd8829
    SHA512: c224e872a7cc056e89865407bc94db040b80af8bb17dbb5b4c723ca51f30beb17bc4f97a658be65e1cdc4d4fc581fa49b6e79feebd981c15acba4b8d7c5b931b

  • memory/2676-22-0x0000000010000000-0x0000000010021000-memory.dmp
    Filesize: 132KB
  • memory/2676-64-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize: 2.1MB
  • memory/2676-54-0x00000000003E0000-0x0000000000400000-memory.dmp
    Filesize: 128KB
  • memory/2676-46-0x00000000003D0000-0x00000000003E0000-memory.dmp
    Filesize: 64KB
  • memory/2676-30-0x00000000003B0000-0x00000000003C1000-memory.dmp
    Filesize: 68KB
  • memory/2676-0-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize: 2.1MB
  • memory/2676-9-0x0000000000360000-0x0000000000370000-memory.dmp
    Filesize: 64KB
  • memory/2676-62-0x0000000002490000-0x000000000262A000-memory.dmp
    Filesize: 1.6MB
  • memory/2676-65-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize: 2.1MB
  • memory/2676-66-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize: 2.1MB
  • memory/2676-67-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize: 2.1MB
  • memory/2676-38-0x0000000000390000-0x00000000003A0000-memory.dmp
    Filesize: 64KB
  • memory/2676-14-0x0000000000370000-0x0000000000382000-memory.dmp
    Filesize: 72KB
  • memory/2676-1-0x0000000000340000-0x0000000000353000-memory.dmp
    Filesize: 76KB
  • memory/2676-97-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize: 2.1MB