Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

  • 25/06/2024, 14:16  240625-rk7rzaxfnl  8
  • 25/06/2024, 14:12  240625-rh4yasvbkd  4
  • 25/06/2024, 14:09  240625-rf6dcavajh  3
  • 25/06/2024, 14:05  240625-rdz4jsxcjq  3

Analysis

  • max time kernel
    615s
  • max time network
    616s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/06/2024, 14:16

General

  • Target

    Eclipse IDE for Java Developers - 2021-12.lnk

  • Size

    983B

  • MD5

    ec646032b10ae10d5563116c3df8a05b

  • SHA1

    1cb70a9ea2722560a2d3584be4a1a5b1c7afee1e

  • SHA256

    609ea91e7738bfb4d80edbb7deeb77ba075ce7bd153aeade7939e917ac20500c

  • SHA512

    07d7cfc50c2176c733485564338485e286be18d7c4d5ffd6158322196928d7c0bf4fea35d97dbe56f28712a5835a445e531fa9b6ad8d55c7cb07ac2dea35bae9
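The target is a 983-byte .lnk, which is essentially just a Shell Link header plus string fields, so the whole payload is whatever sits in its target path and arguments. The following is an added example, not part of the tria.ge report and not run against this sample: a minimal MS-SHLLINK reader in PowerShell that pulls those fields out of a .lnk on disk without resolving or launching the shortcut (no WScript.Shell, no ShellExecute). Offsets and flag values follow the public MS-SHLLINK layout; the file path in the usage line is a placeholder.

```powershell
# Added example: read the fields of a Shell Link (.lnk) file statically.
# Not from the tria.ge report; layout per MS-SHLLINK 2.1 (header), 2.2 (IDList),
# 2.3 (LinkInfo) and 2.4 (StringData). Never executes the shortcut.

function Read-LnkString {
    # StringData item: UInt16 character count, then the characters
    # (UTF-16LE when the IsUnicode flag is set, otherwise system ANSI).
    param([byte[]]$Bytes, [ref]$Offset, [bool]$Unicode)
    $count = [int][BitConverter]::ToUInt16($Bytes, $Offset.Value)
    $Offset.Value += 2
    if ($Unicode) {
        $s = [Text.Encoding]::Unicode.GetString($Bytes, $Offset.Value, $count * 2)
        $Offset.Value += $count * 2
    } else {
        $s = [Text.Encoding]::Default.GetString($Bytes, $Offset.Value, $count)
        $Offset.Value += $count
    }
    return $s
}

function Get-LnkSummary {
    param([Parameter(Mandatory)][string]$Path)

    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x4C -or [BitConverter]::ToUInt32($b, 0) -ne 0x4C) {
        throw "Not a Shell Link: bad HeaderSize"
    }
    $clsid = New-Object Guid -ArgumentList (,[byte[]]$b[4..19])
    if ($clsid -ne [Guid]'00021401-0000-0000-c000-000000000046') {
        throw "Not a Shell Link: bad LinkCLSID $clsid"
    }

    $flags   = [BitConverter]::ToUInt32($b, 0x14)   # LinkFlags
    $unicode = [bool]($flags -band 0x80)            # IsUnicode
    $off     = 0x4C                                 # end of ShellLinkHeader

    # LinkTargetIDList: UInt16 size followed by that many bytes of ItemIDs.
    if ($flags -band 0x01) {
        $off += 2 + [int][BitConverter]::ToUInt16($b, $off)
    }

    # LinkInfo: UInt32 total size; may carry a NUL-terminated ANSI LocalBasePath.
    $localBasePath = ''
    if ($flags -band 0x02) {
        $liStart = $off
        $liSize  = [int][BitConverter]::ToUInt32($b, $liStart)
        $liFlags = [BitConverter]::ToUInt32($b, $liStart + 8)
        if ($liFlags -band 0x01) {                  # VolumeIDAndLocalBasePath
            $p = $liStart + [int][BitConverter]::ToUInt32($b, $liStart + 16)
            $e = $p
            while ($e -lt $b.Length -and $b[$e] -ne 0) { $e++ }
            $localBasePath = [Text.Encoding]::Default.GetString($b, $p, $e - $p)
        }
        $off = $liStart + $liSize
    }

    # StringData items appear in this fixed order, each only if its flag is set.
    $r = [ref]$off
    $name    = if ($flags -band 0x04) { Read-LnkString $b $r $unicode } else { '' }
    $relPath = if ($flags -band 0x08) { Read-LnkString $b $r $unicode } else { '' }
    $workDir = if ($flags -band 0x10) { Read-LnkString $b $r $unicode } else { '' }
    $cmdArgs = if ($flags -band 0x20) { Read-LnkString $b $r $unicode } else { '' }
    $icon    = if ($flags -band 0x40) { Read-LnkString $b $r $unicode } else { '' }

    [pscustomobject]@{
        File             = $Path
        LinkFlags        = ('0x{0:X8}' -f $flags)
        LocalBasePath    = $localBasePath
        RelativePath     = $relPath
        WorkingDirectory = $workDir
        Arguments        = $cmdArgs
        IconLocation     = $icon
        Description      = $name
        # ShowCommand 7 = SW_SHOWMINNOACTIVE: window opens minimized, never activated.
        ShowCommand      = [BitConverter]::ToUInt32($b, 0x3C)
        DeclaredFileSize = [BitConverter]::ToUInt32($b, 0x34)
    }
}

# Usage (placeholder path):
# Get-LnkSummary -Path 'C:\triage\sample.lnk' | Format-List
```

Read LocalBasePath and RelativePath together with Arguments: a shortcut whose target is cmd.exe, conhost.exe or powershell.exe and whose Arguments field carries the real command is the pattern to expect given the cmd.exe process tree below, and a ShowCommand of 7 with a benign-looking IconLocation is a common way to keep the console window out of the user's sight.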

Malware Config

Signatures

  • Drops file in Drivers directory 64 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Drops desktop.ini file(s) 51 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Modifies termsrv.dll 1 TTPs 1 IoCs

    Patching termsrv.dll is the usual way to allow multiple simultaneous RDP sessions on a client edition of Windows, which otherwise permits only one.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
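The print processor, termsrv.dll, autorun.inf and "drops file in ..." signatures all leave artifacts on the host that can be checked directly. The script below is an added example for that purpose; it is not part of the tria.ge report and nothing in it is taken from the sample. It assumes an elevated PowerShell 4 or later (Get-FileHash and a catalog-aware Get-AuthenticodeSignature; the Windows 7 image used for this analysis ships PowerShell 2.0, where the signature check reports system files as NotSigned) and uses only standard Windows registry and file locations.

```powershell
# Added host-triage script, not part of the tria.ge report. Checks a live host
# for the artifacts the signatures above describe. Run elevated, PowerShell 4+.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Item, [string]$Status) {
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Status = $Status })
}

# 1. Print processors (ATT&CK T1547.012). Each environment key has a
#    "Print Processors" subkey whose Driver value names a DLL that spoolsv.exe
#    loads from %SystemRoot%\System32\spool\prtprocs\<arch>. Windows ships only
#    winprint.dll; anything else is checked for an Authenticode signature.
$envRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
$archDir = @{ 'Windows x64' = 'x64'; 'Windows NT x86' = 'w32x86'; 'Windows ARM64' = 'arm64' }
foreach ($printEnv in Get-ChildItem -Path $envRoot -ErrorAction SilentlyContinue) {
    $ppKey = "Registry::$($printEnv.Name)\Print Processors"
    if (-not (Test-Path $ppKey)) { continue }
    foreach ($pp in Get-ChildItem -Path $ppKey) {
        $dll = (Get-ItemProperty -Path "Registry::$($pp.Name)" -ErrorAction SilentlyContinue).Driver
        $sub = $archDir[$printEnv.PSChildName]
        $full = if ($dll -and $sub) { Join-Path "$env:SystemRoot\System32\spool\prtprocs\$sub" $dll } else { $null }
        $status = 'review: non-default print processor'
        if ($dll -ieq 'winprint.dll') {
            $status = 'default'
        } elseif ($full -and (Test-Path -LiteralPath $full)) {
            $status += '; signature ' + (Get-AuthenticodeSignature -FilePath $full).Status
        }
        Add-Finding 'PrintProcessor' "$($printEnv.PSChildName)\$($pp.PSChildName) -> $dll" $status
    }
}

# 2. termsrv.dll. The stock file carries a Microsoft catalog signature. A
#    HashMismatch/NotSigned result on a modern host, or a LastWriteTime far newer
#    than the rest of System32, means the file was patched or replaced.
$termsrv = Join-Path ([Environment]::SystemDirectory) 'termsrv.dll'
$sig   = Get-AuthenticodeSignature -FilePath $termsrv
$hash  = (Get-FileHash -Path $termsrv -Algorithm SHA256).Hash
$mtime = (Get-Item -LiteralPath $termsrv).LastWriteTime
$status = if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') {
    'valid Microsoft signature'
} else {
    "review: $($sig.Status)"
}
Add-Finding 'termsrv.dll' "sha256=$hash mtime=$mtime" $status

# 3. autorun.inf on the root of every mounted file-system drive (ATT&CK T1091);
#    report the open= / shellexecute= lines, which name what Autorun would launch.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $launch = (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                   Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
        Add-Finding 'autorun.inf' $inf ('review: ' + $(if ($launch) { $launch } else { 'present' }))
    }
}

# 4. Files written recently into the directories named by the "Drops file in ..."
#    signatures. The cutoff is an assumption; set it to the incident window.
$since = (Get-Date).AddHours(-24)
$dirs  = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32", $env:ProgramFiles)
foreach ($d in $dirs) {
    Get-ChildItem -LiteralPath $d -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object { Add-Finding 'RecentWrite' $_.FullName ('mtime=' + $_.LastWriteTime) }
}

$findings | Sort-Object Check | Format-Table -AutoSize
```

A third-party print processor is not proof of compromise (some printer drivers register their own), which is why the script reports it for review alongside the DLL's signature status rather than flagging it outright; the same goes for recent writes under Program Files on a machine that just took updates.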

Processes

  • C:\Windows\system32\cmd.exe (PID 1224)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Eclipse IDE for Java Developers - 2021-12.lnk"
  • C:\Windows\system32\cmd.exe (PID 2660)
    "C:\Windows\system32\cmd.exe"
      • Drops file in Drivers directory
      • Manipulates Digital Signatures
      • Boot or Logon Autostart Execution: Print Processors
      • Deletes itself
      • Drops desktop.ini file(s)
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Modifies termsrv.dll
      • Drops file in Program Files directory
      • Drops file in Windows directory
  • C:\Windows\system32\AUDIODG.EXE (PID 760)
    C:\Windows\system32\AUDIODG.EXE 0x518
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\cmd.exe (PID 764)
    "C:\Windows\system32\cmd.exe"
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory

    MITRE ATT&CK Enterprise v15
