Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 08/08/2024, 17:15
Static task: static1

Behavioral task: behavioral1
  Sample: 02.08.2022129.sh
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 02.08.2022129.sh
  Resource: win10v2004-20240802-en
General

Target: 02.08.2022129.sh
Size: 206KB
MD5: 1e4f314f495692968a7b7d9dd2d804ce
SHA1: 7912e389cf40fbcbc3b1eb149a1bb74951a2a46e
SHA256: e78fa115af5a8cfa8e327fa2e7f26d30ae4f83987ca6fc49aad0ba9b5de293bd
SHA512: 4686aae22e21333bd53b89e019bc6ea99366a4d907455724379ffb4d3378ba41dbb1e02a7a1497ad53507757c70950921f37bc2b02d53276eb20fbd8aacfaa67
SSDEEP: 6144:oM7lXZqkcOi0v4zKuHwn1dmnQmjNtRasBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBO:og1dbiq4GnbmnnfRE
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   Process        ioc
  Key opened    AcroRd32.exe   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Modifies registry class (9 IoCs)
  description       Process        ioc
  Set value (str)   rundll32.exe   \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  Key created       rundll32.exe   \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file
  Key created       rundll32.exe   \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file\shell\Read
  Key created       rundll32.exe   \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file\shell
  Set value (str)   rundll32.exe   \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.sh\ = "sh_auto_file"
  Key created       rundll32.exe   \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file\shell\Read\command
  Key created       rundll32.exe   \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings
  Set value (str)   rundll32.exe   \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file\
  Key created       rundll32.exe   \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.sh

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid    Process
  3004   AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    Process
  3004   AcroRd32.exe
  3004   AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid    Process        procid_target
  PID 668 wrote to memory of 2832    668    cmd.exe        31
  PID 668 wrote to memory of 2832    668    cmd.exe        31
  PID 668 wrote to memory of 2832    668    cmd.exe        31
  PID 2832 wrote to memory of 3004   2832   rundll32.exe   32
  PID 2832 wrote to memory of 3004   2832   rundll32.exe   32
  PID 2832 wrote to memory of 3004   2832   rundll32.exe   32
  PID 2832 wrote to memory of 3004   2832   rundll32.exe   32
Processes

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\02.08.2022129.sh
  PID: 668
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\02.08.2022129.sh
    PID: 2832
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\02.08.2022129.sh"
      PID: 3004
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
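Worked example (added here; it is not part of the tria.ge report or its tooling): a small Python script that re-reads the IoC rows of this report as data, rebuilds the file association they create (.sh -> sh_auto_file -> shell\Read\command -> AcroRd32.exe), follows the WriteProcessMemory rows into the cmd.exe -> rundll32.exe -> AcroRd32.exe chain, and checks whether the process that wrote the association was rundll32.exe running shell32.dll's OpenAs_RunDLL, i.e. the Open With dialog rather than code in the sample. The rows are transcribed from the signatures and process list above; the trailing backslash the report prints after a key denotes its (Default) value and is represented here as a non-None data field. Function names and the row layout are this example's own.

```python
import re
from collections import defaultdict

SID = "S-1-5-21-2172136094-3310281978-782691160-1000"
USER_CLASSES = "\\REGISTRY\\USER\\" + SID + "_CLASSES\\"

# Registry rows transcribed from "Modifies registry class" as
# (operation, key, data, writing process). data=None means "Key created";
# a set (Default) value (trailing "\" in the report) carries its data here.
REGISTRY_ROWS = [
    ("Set value (str)", USER_CLASSES + "sh_auto_file\\shell\\Read\\command",
     '"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe" "%1"', "rundll32.exe"),
    ("Key created", USER_CLASSES + "sh_auto_file", None, "rundll32.exe"),
    ("Key created", USER_CLASSES + "sh_auto_file\\shell\\Read", None, "rundll32.exe"),
    ("Key created", USER_CLASSES + "sh_auto_file\\shell", None, "rundll32.exe"),
    ("Set value (str)", USER_CLASSES + ".sh", "sh_auto_file", "rundll32.exe"),
    ("Key created", USER_CLASSES + "sh_auto_file\\shell\\Read\\command", None, "rundll32.exe"),
    ("Key created", "\\REGISTRY\\USER\\" + SID + "_Classes\\Local Settings", None, "rundll32.exe"),
    ("Set value (str)", USER_CLASSES + "sh_auto_file", "", "rundll32.exe"),
    ("Key created", USER_CLASSES + ".sh", None, "rundll32.exe"),
]

# Process list transcribed from the Processes section: pid -> (image, command line).
PROCESSES = {
    668: ("cmd.exe", "cmd /c C:\\Users\\Admin\\AppData\\Local\\Temp\\02.08.2022129.sh"),
    2832: ("rundll32.exe", '"C:\\Windows\\system32\\rundll32.exe" C:\\Windows\\system32\\shell32.dll,'
                           "OpenAs_RunDLL C:\\Users\\Admin\\AppData\\Local\\Temp\\02.08.2022129.sh"),
    3004: ("AcroRd32.exe", '"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe" '
                           '"C:\\Users\\Admin\\AppData\\Local\\Temp\\02.08.2022129.sh"'),
}

# WriteProcessMemory rows as (source pid, target pid). The report repeats each
# edge several times, so the chain builder deduplicates.
WPM_ROWS = [(668, 2832)] * 3 + [(2832, 3004)] * 4

CLASSES_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+_CLASSES\\(.+)$", re.IGNORECASE)
VERB_RE = re.compile(r"^([^\\]+)\\shell\\([^\\]+)\\command$", re.IGNORECASE)


def parse_associations(rows):
    """Map extension -> {"progid", "verbs": {verb: command}} from per-user Classes writes."""
    ext_to_progid, verbs = {}, defaultdict(dict)
    for _op, key, data, _proc in rows:
        m = CLASSES_RE.match(key)
        if m is None or data is None:
            continue
        rel = m.group(1)
        if rel.startswith("."):          # ".sh" = "sh_auto_file"
            ext_to_progid[rel.lower()] = data
            continue
        v = VERB_RE.match(rel)           # "<progid>\shell\<verb>\command" = "<cmd>"
        if v:
            verbs[v.group(1)][v.group(2)] = data
    return {ext: {"progid": p, "verbs": dict(verbs.get(p, {}))} for ext, p in ext_to_progid.items()}


def handler_executable(command):
    """Return the executable path from a shell verb command, handling quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def process_chain(wpm_rows, root):
    """Follow WriteProcessMemory edges from root, tolerating repeated rows."""
    children = defaultdict(set)
    for src, dst in wpm_rows:
        children[src].add(dst)
    chain, pid = [root], root
    while children[pid]:
        pid = min(children[pid])         # this report has one child per parent
        chain.append(pid)
    return chain


def association_writer_is_open_with(rows, processes):
    """True when every Classes write came from rundll32 running shell32's OpenAs_RunDLL."""
    writers = {proc for _op, key, _d, proc in rows if CLASSES_RE.match(key)}
    for proc in writers:
        cmdlines = [c for img, c in processes.values() if img.lower() == proc.lower()]
        if not cmdlines or not all("OpenAs_RunDLL" in c for c in cmdlines):
            return False
    return True


def summarize():
    """Collect the three findings a triager wants from this report."""
    assoc = parse_associations(REGISTRY_ROWS)
    read_cmd = assoc[".sh"]["verbs"]["Read"]
    return {
        "chain": [PROCESSES[p][0] for p in process_chain(WPM_ROWS, 668)],
        "sh_handler": handler_executable(read_cmd),
        "open_with_dialog": association_writer_is_open_with(REGISTRY_ROWS, PROCESSES),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

The open_with_dialog flag is the check worth automating when a non-Windows sample lands in a Windows image: an association written by rundll32.exe with shell32.dll,OpenAs_RunDLL is the sandbox picking a viewer, and the report attributes the language-discovery, hook and foreground-window IoCs to that viewer process (AcroRd32.exe, PID 3004), not to the .sh file itself.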
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 814c9fac9bd376c07c70952518aea300
SHA1: 27b507fb4038196e1368441a5eba800cce7aed90
SHA256: 51f2f9858e0052595c247e040b33db6d1333d08d2ddb633460b297b40f3d59eb
SHA512: 1ff2015edd1b33bb4cdd2443b1f60c42621e784f7d422a99dcd52f265d29c9cacc14d7bb3cea68ba873d6748730b40a6688f71d0eec1d0f92dd1e8294f99209b