Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    136s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    15/07/2024, 05:04

General

  • Target

    PZI_R5P92.exe

  • Size

    123KB

  • MD5

    671d98a5b272d01c604d57f925318c04

  • SHA1

    4198c3513259a401a9e459cf73a6d0a9097ab525

  • SHA256

    188006f5267e1ef35fcff67ab8d013cb95f72e3f450861500da60ef5c969a346

  • SHA512

    dddf1ca71f1c6943dba2cdf1e2355fb2b4c7d64ea8aeef6217d4bedc7b7cbdae1910e3acfa97801d4f6ef71ca8c1fd3b250af94f546d86e057bda0a1b6a2a162

  • SSDEEP

    3072:Zk6LYvJhtPwcP49AGlJ6ZYtQhQg2SCf38CVjqsyGIwhKfzOC334chqDIq/ZigP:26MxhpwFeG36mN8NDLrZU0IZigP

Score
6/10

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PZI_R5P92.exe
    "C:\Users\Admin\AppData\Local\Temp\PZI_R5P92.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /f takeown /f C:WindowsSystem32 >nul && icacls C:WindowsSystem32 /grant "%username%:F" >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /f takeown /f C:WindowsSystem32
        3⤵
          PID:2784
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x7c
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2688

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads