Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 17/06/2024, 00:38
Static task: static1

Behavioral task: behavioral1
  Sample: setup.exe
  Resource: win7-20240508-en
  4 signatures, 120 seconds

Behavioral task: behavioral2
  Sample: setup.exe
  Resource: win10v2004-20240508-en
  3 signatures, 120 seconds

Behavioral task: behavioral3
  Sample: setup.exe
  Resource: win11-20240508-en
  3 signatures, 120 seconds
General
Target: setup.exe
Size: 3.1MB
MD5: e2aca2b2deb86d9ea1d6366a64116409
SHA1: 61b41909160be6c93c8541a24d3fd38f354ddbea
SHA256: d3b72b8843161aab5e17f1a9b2f0bc14be06a9c905328b48eb39230cfe638f5c
SHA512: 11f22c59276b518e3303548e3e8321347052de048844a48a75b840d141f1dd5ba5c4ef105aa35924d380eff8dbdf9454bdf99cba55ff6d70c5d24f6fe96df1ea
SSDEEP: 49152:6kVfvS+pDTGuzVnck9inHEywFQXHdG5DSDgWeLB38EwAxaJq1EWgges5y1a2rT9h:6Gf62yuzAH9w8HA5+Dz6tAQsjT9
Score: 10/10
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 1 IoCs)
  description       ioc                                                                                                                Process
  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"   setup.exe
- Drops file in System32 directory (4 IoCs)
  description                    ioc                                                    Process
  File opened for modification   C:\Windows\System32\GroupPolicy                        setup.exe
  File opened for modification   C:\Windows\System32\GroupPolicy\gpt.ini                setup.exe
  File created                   C:\Windows\System32\GroupPolicy\Machine\Registry.pol   setup.exe
  File opened for modification   C:\Windows\System32\GroupPolicy\GPT.INI                setup.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  348   setup.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process     procid_target
  PID 348 wrote to memory of 2464   348   setup.exe   28
  PID 348 wrote to memory of 2464   348   setup.exe   28
  PID 348 wrote to memory of 2464   348   setup.exe   28
Processes
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  PID: 348
  - Modifies firewall policy service
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (child of PID 348)
    Command line: C:\Windows\system32\WerFault.exe -u -p 348 -s 228
    PID: 2464