Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30/05/2024, 09:02

General

  • Target

    Illegal_Services.exe

  • Size

    359KB

  • MD5

    68e70fa02384a9eff59ff17bb0e91324

  • SHA1

    227d831ccc3555aeffc12676bb508cee927ec0a3

  • SHA256

    e7799c84e19f5c625c589ca36c9c44d8018e2207843ddebafdbd44fae96d6458

  • SHA512

    edceadde1941f9cf2035ec0d2e33135cbf85cdbfbebc11c419d76ed749fc7fad9b223dd6d4835b7fb8d30fb82fb7278dba3ca7a147757d28acff94f812b488f6

  • SSDEEP

    6144:hFJp+EPA9emp6QSA8Fmv+/Gtv4Xk9Nb1k/aqLaCDoU7aOPQmMnps:hAGA9emsFm2/GJ317CDfPzMnW

Score
1/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Illegal_Services.exe
    "C:\Users\Admin\AppData\Local\Temp\Illegal_Services.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0RYA6NKT.bat" "C:\Users\Admin\AppData\Local\Temp\Illegal_Services.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1196
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c forfiles /m "Illegal_Services.exe" /c "cmd /c echo 0x1B"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\system32\forfiles.exe
            forfiles /m "Illegal_Services.exe" /c "cmd /c echo 0x1B"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:940
            • C:\Windows\system32\cmd.exe
              /c echo 
              5⤵
                PID:2820
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2140
            • C:\Windows\system32\reg.exe
              reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
              4⤵
                PID:1448
            • C:\Windows\system32\reg.exe
              reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
              3⤵
                PID:1696
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language" /v "InstallLanguage"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1072
                • C:\Windows\system32\reg.exe
                  reg query "HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language" /v "InstallLanguage"
                  4⤵
                    PID:544
                • C:\Windows\system32\reg.exe
                  reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language" /t REG_SZ /d EN /f
                  3⤵
                    PID:1680
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1740
                    • C:\Windows\system32\reg.exe
                      reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
                      4⤵
                        PID:2544
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ver
                      3⤵
                        PID:2292
                      • C:\Windows\system32\cscript.exe
                        cscript //nologo "\msgbox.vbs" "ERROR: Your Windows version is not compatible with Illegal Services. You need Windows 10 or 11 (x86/x64)." 69648 "Illegal Services"
                        3⤵
                          PID:2556

                    Network

                    MITRE ATT&CK Matrix

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\0RYA6NKT.bat

                      Filesize

                      232KB

                      MD5

                      802d62f2b35fb65c68efdda6026415d9

                      SHA1

                      eef7e127e1c79bb992f3cd9f7486dcb334753734

                      SHA256

                      816e0bc15faf4ce9d21bd3ba9ad7111a5712a92306b9ceb7b5030dcecd190a87

                      SHA512

                      826384d24741bcc00cbb699eba8395f6fe566ff6feefe4799fc40ede3f8378078212c96fb7e0a7afab32ddbf088e3e8e0f1c1092007ff4efe1c292bc3514f28b

                    • C:\msgbox.vbs

                      Filesize

                      71B

                      MD5

                      6c6e2168a536621c599ace56e5f969c5

                      SHA1

                      14487a87c7d8f3e637c83e7e5a7c870ffead82ee

                      SHA256

                      eb63813c371cd0c347e25c428de0bf4c05cd1feb6915c4f5e3e0c044c68ceb8f

                      SHA512

                      dd9734ca03736eb963e62042cda1a1d659edd7e2886e0f6b0066adb88560c0d4c1e9b78d916b8f65eeac535376e2f7474bf8ce05a388540a9b754c48a42b1044

                    • memory/624-4-0x0000000000400000-0x0000000000463000-memory.dmp

                      Filesize

                      396KB