Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
18/08/2024, 01:25
240818-bs8q8s1akm
Analysis
max time kernel 3s
max time network 4s
platform windows7_x64
resource win7-20240708-en
resource tags arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
18/08/2024, 01:25
Static task
static1
Errors
General
Target
Size 136KB
MD5 70108103a53123201ceb2e921fcfe83c
SHA1 c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA256 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512 996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
SSDEEP 1536:3VrdxBvcGdDHHtWv8udA1JYREgJ/qEOpsChnU4V1lyqHv4vAmOG9HSDKRppppp5B:1H5D0dSgo7ppTV1lyqPOAmOG9HSOD
Malware Config
Signatures
Deletes itself 1 IoCs
pid Process
2640 sys3.exe
Executes dropped EXE 1 IoCs
pid Process
2640 sys3.exe
Loads dropped DLL 2 IoCs
pid Process
2468 [email protected]
2468 [email protected]
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process
File opened for modification \??\PHYSICALDRIVE0 [email protected]
File opened for modification \??\PHYSICALDRIVE0 sys3.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected]
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sys3.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeShutdownPrivilege 2640 sys3.exe
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2468 wrote to memory of 2640 2468 [email protected] 30
PID 2468 wrote to memory of 2640 2468 [email protected] 30
PID 2468 wrote to memory of 2640 2468 [email protected] 30
PID 2468 wrote to memory of 2640 2468 [email protected] 30
Processes
C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468
    C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    - Deletes itself
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
PID:2704
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
PID:2588
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 59B
MD5 ab7368e081dc109f4133ffd943c98b74
SHA1 1847691b3535b25f368389327543392eafd3e4fa
SHA256 6c2c3417ded140721c60368f64f02b4d4ed5f39b528450b75d2475da4b80c1ae
SHA512 e59e763b66ab716a72d3121d8a8b9b6a2dd4beb89e949202ae55ef0a1cef316d56071df8a41a587c605d1575c18f2f4f3a41d2cb174a89558722e9730a913912

Filesize 136KB
MD5 70108103a53123201ceb2e921fcfe83c
SHA1 c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA256 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512 996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b