Analysis
max time kernel: 136s
max time network: 124s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2024, 05:04
Static task: static1
Behavioral task: behavioral1
  Sample: PZI_R5P92.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: PZI_R5P92.exe
  Resource: win10v2004-20240709-en
General
Target: PZI_R5P92.exe
Size: 123KB
MD5: 671d98a5b272d01c604d57f925318c04
SHA1: 4198c3513259a401a9e459cf73a6d0a9097ab525
SHA256: 188006f5267e1ef35fcff67ab8d013cb95f72e3f450861500da60ef5c969a346
SHA512: dddf1ca71f1c6943dba2cdf1e2355fb2b4c7d64ea8aeef6217d4bedc7b7cbdae1910e3acfa97801d4f6ef71ca8c1fd3b250af94f546d86e057bda0a1b6a2a162
SSDEEP: 3072:Zk6LYvJhtPwcP49AGlJ6ZYtQhQg2SCf38CVjqsyGIwhKfzOC334chqDIq/ZigP:26MxhpwFeG36mN8NDLrZU0IZigP
Malware Config
Signatures

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | PZI_R5P92.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: 33 | 2688 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 2688 | AUDIODG.EXE
  Token: 33 | 2688 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 2688 | AUDIODG.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2976 wrote to memory of 2772 | 2976 | PZI_R5P92.exe | 31
  PID 2976 wrote to memory of 2772 | 2976 | PZI_R5P92.exe | 31
  PID 2976 wrote to memory of 2772 | 2976 | PZI_R5P92.exe | 31
  PID 2976 wrote to memory of 2772 | 2976 | PZI_R5P92.exe | 31
  PID 2772 wrote to memory of 2784 | 2772 | cmd.exe | 32
  PID 2772 wrote to memory of 2784 | 2772 | cmd.exe | 32
  PID 2772 wrote to memory of 2784 | 2772 | cmd.exe | 32
  PID 2772 wrote to memory of 2784 | 2772 | cmd.exe | 32
Processes

[1] C:\Users\Admin\AppData\Local\Temp\PZI_R5P92.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PZI_R5P92.exe"
    PID: 2976
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c cmd.exe /f takeown /f C:WindowsSystem32 >nul && icacls C:WindowsSystem32 /grant "%username%:F" >nul
        PID: 2772
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /f takeown /f C:WindowsSystem32
            PID: 2784

[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x7c
    PID: 2688
    - Suspicious use of AdjustPrivilegeToken