Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
30/05/2024, 20:18
Static task
static1
Behavioral task
behavioral1
Sample
MirrorTex.mcpack - Copy/textures/blocks/glass_silver.texture_set.json
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
MirrorTex.mcpack - Copy/textures/blocks/glass_silver.texture_set.json
Resource
win10v2004-20240426-en
General
-
Target
MirrorTex.mcpack - Copy/textures/blocks/glass_silver.texture_set.json
-
Size
158B
-
MD5
08a0d83e39db001da86a31dca37a8b4f
-
SHA1
ff273af97c69c296f49134a8c933d729fbcb6899
-
SHA256
b0166a84b852aa568d89fb0dde37ff3881a358872d716c8bd5d82a719bae92f2
-
SHA512
3348ee0549298586f4bc5b8e3e037306095045336c7668aecaf54fc0efa191a9a933c32151a1914f7ccfbe60a174a7c57644f121815ef0f5bef006d571895576
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.json rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\json_auto_file\shell\edit rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\json_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\json_auto_file\shell\edit\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\json_auto_file\shell\open rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\json_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\json_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\json_auto_file\shell\open\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\json_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\json_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.json\ = "json_auto_file" rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2608 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2872 rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2420 wrote to memory of 2872 2420 cmd.exe 29 PID 2420 wrote to memory of 2872 2420 cmd.exe 29 PID 2420 wrote to memory of 2872 2420 cmd.exe 29 PID 2872 wrote to memory of 2608 2872 rundll32.exe 30 PID 2872 wrote to memory of 2608 2872 rundll32.exe 30 PID 2872 wrote to memory of 2608 2872 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\MirrorTex.mcpack - Copy\textures\blocks\glass_silver.texture_set.json"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MirrorTex.mcpack - Copy\textures\blocks\glass_silver.texture_set.json2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\MirrorTex.mcpack - Copy\textures\blocks\glass_silver.texture_set.json3⤵
- Opens file in notepad (likely ransom note)
PID:2608
-
-