Analysis

- max time kernel: 73s
- max time network: 67s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/06/2024, 17:26

- Static task: static1
- Behavioral task: behavioral1
    Sample: invite.ics
    Resource: win10v2004-20240508-en
    6 signatures
    150 seconds
General

- Target: invite.ics
- Size: 4KB
- MD5: 32356dce9e90f58a3881974a986970a3
- SHA1: ef86683a0370f87564f038df2d45930a51f5d61b
- SHA256: b62d9e17e078332a26f0a3d400cd46beaf57c1221d36e3522bb3c6474af73213
- SHA512: 829d197d4bae5878dd94f0e666dc63ba7ab6904fa4c778b7aa109868d0a9fcd5e5b1712344f8ce45f81c85bb9522fd57e17ef83ae3e6ceb4ca5ec0643aee5bd9
- SSDEEP: 96:EgfoTQ8oxg7xcZFvRf62HiXFTfVefNiVNATdULqR3Q6gWiRXSdJy:dozaHvRfQFTfVefNi0kqFQN9CLy
- Score: 3/10
Malware Config
Signatures

- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (2 IoCs)
    Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings  (Process: cmd.exe)
    Key created: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings  (Process: OpenWith.exe)

- Opens file in notepad (likely ransom note) (1 IoCs)
    pid 396, Process NOTEPAD.EXE

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
    pid 392, Process OpenWith.exe

- Suspicious use of SetWindowsHookEx (29 IoCs)
    pid 392, Process OpenWith.exe (all 29 IoCs are this same pid/process)

- Suspicious use of WriteProcessMemory (2 IoCs)
    PID 392 wrote to memory of 396: pid 392, Process OpenWith.exe, procid_target 99
    PID 392 wrote to memory of 396: pid 392, Process OpenWith.exe, procid_target 99
Processes

- C:\Windows\system32\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\invite.ics
    PID: 1636
    Signatures: Modifies registry class

- C:\Windows\system32\OpenWith.exe
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    PID: 392
    Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    - C:\Windows\system32\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\invite.ics
        PID: 396
        Signatures: Opens file in notepad (likely ransom note)

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4156,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
    PID: 924