Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    71s
  • max time network
    72s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    25/06/2024, 19:13

Errors

Reason
Machine shutdown

General

  • Target

    Release.zip

  • Size

    25.7MB

  • MD5

    83a069366d4fd8ce4cdafa26e691979d

  • SHA1

    a1e7b78319d739ae5d9829c1fd619b76623b0cc2

  • SHA256

    42801eb5aecd68c3d5577c65beb2866e846785b3eb43c6803b635993e6d657ae

  • SHA512

    75731ee23f7fbe1424c92f7b7f74484596223913038ec4bf7f9470ef7c359ae7569956bb81cc05c43beb6c1dcc9baf78e5d9e3c405ec2d0da8abc75317188cc7

  • SSDEEP

    786432:yL1CB39LSUHwfZxxBjKAXsB3OynmRrGbbe6:3B5lHwfZEusB3TnmRGbbd

Malware Config

Signatures

  • Drops file in System32 directory (2 IoCs)
  • Event Triggered Execution: Accessibility Features (1 TTPs)

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

  • Enumerates system info in registry (2 TTPs, 32 IoCs)
  • Modifies data under HKEY_USERS (46 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Release.zip
    1⤵
    PID:1224
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:3008
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:2404
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:1784
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Windows\system32\utilman.exe
      utilman.exe /debug
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1608
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    PID:296
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1916

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2404-0-0x0000000002D90000-0x0000000002D91000-memory.dmp
    Filesize
    4KB