Analysis
- max time kernel: 140s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30/05/2024, 09:02
Static task: static1
Behavioral task: behavioral1
  Sample: Illegal_Services.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: Illegal_Services.exe
  Resource: win10v2004-20240426-en
General
- Target: Illegal_Services.exe
- Size: 359KB
- MD5: 68e70fa02384a9eff59ff17bb0e91324
- SHA1: 227d831ccc3555aeffc12676bb508cee927ec0a3
- SHA256: e7799c84e19f5c625c589ca36c9c44d8018e2207843ddebafdbd44fae96d6458
- SHA512: edceadde1941f9cf2035ec0d2e33135cbf85cdbfbebc11c419d76ed749fc7fad9b223dd6d4835b7fb8d30fb82fb7278dba3ca7a147757d28acff94f812b488f6
- SSDEEP: 6144:hFJp+EPA9emp6QSA8Fmv+/Gtv4Xk9Nb1k/aqLaCDoU7aOPQmMnps:hAGA9emsFm2/GJ317CDfPzMnW
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (46 IoCs)

  description                        pid    Process               procid_target
  PID 624 wrote to memory of 2368    624    Illegal_Services.exe  29
  PID 624 wrote to memory of 2368    624    Illegal_Services.exe  29
  PID 624 wrote to memory of 2368    624    Illegal_Services.exe  29
  PID 624 wrote to memory of 2368    624    Illegal_Services.exe  29
  PID 2368 wrote to memory of 1196   2368   cmd.exe               30
  PID 2368 wrote to memory of 1196   2368   cmd.exe               30
  PID 2368 wrote to memory of 1196   2368   cmd.exe               30
  PID 2368 wrote to memory of 2224   2368   cmd.exe               31
  PID 2368 wrote to memory of 2224   2368   cmd.exe               31
  PID 2368 wrote to memory of 2224   2368   cmd.exe               31
  PID 2224 wrote to memory of 940    2224   cmd.exe               32
  PID 2224 wrote to memory of 940    2224   cmd.exe               32
  PID 2224 wrote to memory of 940    2224   cmd.exe               32
  PID 940 wrote to memory of 2820    940    forfiles.exe          33
  PID 940 wrote to memory of 2820    940    forfiles.exe          33
  PID 940 wrote to memory of 2820    940    forfiles.exe          33
  PID 2368 wrote to memory of 2140   2368   cmd.exe               34
  PID 2368 wrote to memory of 2140   2368   cmd.exe               34
  PID 2368 wrote to memory of 2140   2368   cmd.exe               34
  PID 2140 wrote to memory of 1448   2140   cmd.exe               35
  PID 2140 wrote to memory of 1448   2140   cmd.exe               35
  PID 2140 wrote to memory of 1448   2140   cmd.exe               35
  PID 2368 wrote to memory of 1696   2368   cmd.exe               36
  PID 2368 wrote to memory of 1696   2368   cmd.exe               36
  PID 2368 wrote to memory of 1696   2368   cmd.exe               36
  PID 2368 wrote to memory of 1072   2368   cmd.exe               37
  PID 2368 wrote to memory of 1072   2368   cmd.exe               37
  PID 2368 wrote to memory of 1072   2368   cmd.exe               37
  PID 1072 wrote to memory of 544    1072   cmd.exe               38
  PID 1072 wrote to memory of 544    1072   cmd.exe               38
  PID 1072 wrote to memory of 544    1072   cmd.exe               38
  PID 2368 wrote to memory of 1680   2368   cmd.exe               39
  PID 2368 wrote to memory of 1680   2368   cmd.exe               39
  PID 2368 wrote to memory of 1680   2368   cmd.exe               39
  PID 2368 wrote to memory of 1740   2368   cmd.exe               40
  PID 2368 wrote to memory of 1740   2368   cmd.exe               40
  PID 2368 wrote to memory of 1740   2368   cmd.exe               40
  PID 1740 wrote to memory of 2544   1740   cmd.exe               41
  PID 1740 wrote to memory of 2544   1740   cmd.exe               41
  PID 1740 wrote to memory of 2544   1740   cmd.exe               41
  PID 2368 wrote to memory of 2292   2368   cmd.exe               42
  PID 2368 wrote to memory of 2292   2368   cmd.exe               42
  PID 2368 wrote to memory of 2292   2368   cmd.exe               42
  PID 2368 wrote to memory of 2556   2368   cmd.exe               43
  PID 2368 wrote to memory of 2556   2368   cmd.exe               43
  PID 2368 wrote to memory of 2556   2368   cmd.exe               43
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Illegal_Services.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Illegal_Services.exe"
  PID: 624
  Signature: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\Sysnative\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0RYA6NKT.bat" "C:\Users\Admin\AppData\Local\Temp\Illegal_Services.exe""
    PID: 2368
    Signature: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\chcp.com
      Command line: chcp 65001
      PID: 1196
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c forfiles /m "Illegal_Services.exe" /c "cmd /c echo 0x1B"
      PID: 2224
      Signature: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\forfiles.exe
        Command line: forfiles /m "Illegal_Services.exe" /c "cmd /c echo 0x1B"
        PID: 940
        Signature: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\cmd.exe
          Command line: /c echo
          PID: 2820
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
      PID: 2140
      Signature: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\reg.exe
        Command line: reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
        PID: 1448
    - [3] C:\Windows\system32\reg.exe
      Command line: reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
      PID: 1696
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language" /v "InstallLanguage"
      PID: 1072
      Signature: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\reg.exe
        Command line: reg query "HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language" /v "InstallLanguage"
        PID: 544
    - [3] C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language" /t REG_SZ /d EN /f
      PID: 1680
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c 2>nul reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
      PID: 1740
      Signature: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\reg.exe
        Command line: reg query "HKCU\SOFTWARE\IB_U_Z_Z_A_R_Dl\Illegal Services" /v "Language"
        PID: 2544
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ver
      PID: 2292
    - [3] C:\Windows\system32\cscript.exe
      Command line: cscript //nologo "\msgbox.vbs" "ERROR: Your Windows version is not compatible with Illegal Services. You need Windows 10 or 11 (x86/x64)." 69648 "Illegal Services"
      PID: 2556
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 232KB
  MD5: 802d62f2b35fb65c68efdda6026415d9
  SHA1: eef7e127e1c79bb992f3cd9f7486dcb334753734
  SHA256: 816e0bc15faf4ce9d21bd3ba9ad7111a5712a92306b9ceb7b5030dcecd190a87
  SHA512: 826384d24741bcc00cbb699eba8395f6fe566ff6feefe4799fc40ede3f8378078212c96fb7e0a7afab32ddbf088e3e8e0f1c1092007ff4efe1c292bc3514f28b
- Filesize: 71B
  MD5: 6c6e2168a536621c599ace56e5f969c5
  SHA1: 14487a87c7d8f3e637c83e7e5a7c870ffead82ee
  SHA256: eb63813c371cd0c347e25c428de0bf4c05cd1feb6915c4f5e3e0c044c68ceb8f
  SHA512: dd9734ca03736eb963e62042cda1a1d659edd7e2886e0f6b0066adb88560c0d4c1e9b78d916b8f65eeac535376e2f7474bf8ce05a388540a9b754c48a42b1044