Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18/08/2024, 04:04
Static task: static1
Behavioral task: behavioral1
  Sample: 149ff867723e2602465854b71d55e7c5a3cb4352d3607ef03a2d1921a592e3ee.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 149ff867723e2602465854b71d55e7c5a3cb4352d3607ef03a2d1921a592e3ee.exe
  Resource: win10v2004-20240802-en
General
Target: 149ff867723e2602465854b71d55e7c5a3cb4352d3607ef03a2d1921a592e3ee.exe
Size: 158KB
MD5: a0b03b4dde45e29e975a5a6cebbe298f
SHA1: 2efe249714ccf09095034fbde999d87814eb6d6e
SHA256: 149ff867723e2602465854b71d55e7c5a3cb4352d3607ef03a2d1921a592e3ee
SHA512: e727799135ad78c81be39cc8c1b1b046721483851df2032fe73d7c05eba916f3f6e1ddeb59c2d09d686c72a7fecfd09e7ba419e6a55849ec59fb9cc57ad472df
SSDEEP: 1536:yvXgM8jLIVnW3rGq1zPHzsLRz1zV+7XAG+C:ygM8N33PAV1p+7X3+C
Malware Config
Signatures
Drops desktop.ini file(s) (1 IoC)
  File opened for modification: C:\Users\Admin\Desktop\desktop.ini
  Process: 149ff867723e2602465854b71d55e7c5a3cb4352d3607ef03a2d1921a592e3ee.exe
Modifies Internet Explorer start page (1 TTP, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.2345.com"
  Process: 149ff867723e2602465854b71d55e7c5a3cb4352d3607ef03a2d1921a592e3ee.exe
  (2345.com is a Chinese web-navigation portal; start-page changes to it are a common browser-hijack behaviour.)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2052: 149ff867723e2602465854b71d55e7c5a3cb4352d3607ef03a2d1921a592e3ee.exe
Suspicious use of WriteProcessMemory (6 IoCs, two distinct parent/child pairs, each reported three times)
  PID 2052 (149ff867723e2602465854b71d55e7c5a3cb4352d3607ef03a2d1921a592e3ee.exe) wrote to memory of PID 2252, procid_target 32
  PID 2252 (cmd.exe) wrote to memory of PID 2904, procid_target 34
Processes
C:\Users\Admin\AppData\Local\Temp\149ff867723e2602465854b71d55e7c5a3cb4352d3607ef03a2d1921a592e3ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\149ff867723e2602465854b71d55e7c5a3cb4352d3607ef03a2d1921a592e3ee.exe"
  PID: 2052
  Signatures: Drops desktop.ini file(s); Modifies Internet Explorer start page; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell Compress-Archive -Path "C:\Users\Admin\Desktop\*" -DestinationPath "C:\Users\Admin\Desktop\tax.zip"; $password = 'tax'; Add-Type -AssemblyName 'System.IO.Compression.FileSystem'; $zip = [System.IO.Compression.ZipFile]::Open('C:\Users\Admin\Desktop\tax.zip', [System.IO.Compression.ZipArchiveMode]::Update); $zip.Entries | ForEach-Object { $_.Password = $password }; $zip.Dispose();
    PID: 2252
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line (truncated in the report): powershell Compress-Archive -Path "C:\Users\Admin\Desktop\*" -DestinationPath "C:\Users\Admin\Desktop\tax.zip"; $password = 'tax'; Add-Type -AssemblyName 'System.IO.Compression.FileSystem'; $zip = [System.IO.Compression.ZipFile]::Open('C:\Users\Admin\Desktop\tax.zip', [System.IO.Compression.ZipArchiveMode]::Update); $zip.Entries

What the command line does: the sample spawns cmd.exe, which spawns PowerShell to zip everything on the user's Desktop into Desktop\tax.zip, then reopens the archive with System.IO.Compression.ZipFile and assigns $_.Password = 'tax' on each entry. That second step cannot work: System.IO.Compression does not support ZIP encryption and ZipArchiveEntry has no Password property, so the assignment fails with a property-not-found error and tax.zip, if created, is an ordinary unencrypted archive. The rest of the behaviour (user-data collection into a single archive in a user-writable path, plus the IE start-page change) is what to look for on other hosts; nothing in this report shows the archive being read back or sent anywhere.
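A small triage helper for the staging chain above, added here as an example and not part of the Triage report or of the sample. It does two things a responder would want: flag process-creation events where PowerShell's Compress-Archive is pointed at a user data folder (walking the parent chain back to the original process), and check whether a ZIP actually has the encryption flag set, which is how to confirm that the $_.Password trick left the archive in the clear. The process events are constructed from the PIDs and command lines in the report, the event field names (pid, ppid, image, cmdline) are an assumption rather than a Triage export format, and the archive is built locally with Python's zipfile module, which, like System.IO.Compression, writes unencrypted entries; set_encrypt_flag only patches the header flag bit so the check has a positive case to compare against.

```python
"""Triage helpers for the Compress-Archive staging chain in this report.

Added example, not part of the Triage report or the sample. Process events are
constructed from the report's process tree; field names are an assumption.
"""
import io
import re
import struct
import zipfile

SAMPLE = "149ff867723e2602465854b71d55e7c5a3cb4352d3607ef03a2d1921a592e3ee.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's process tree (PIDs 2052 -> 2252 -> 2904).
EVENTS = [
    {"pid": 2052, "ppid": 0, "image": TEMP + "\\" + SAMPLE,
     "cmdline": '"' + TEMP + "\\" + SAMPLE + '"'},
    {"pid": 2252, "ppid": 2052, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"""C:\Windows\system32\cmd.exe /c powershell Compress-Archive -Path "C:\Users\Admin\Desktop\*" -DestinationPath "C:\Users\Admin\Desktop\tax.zip"; $password = 'tax'; Add-Type -AssemblyName 'System.IO.Compression.FileSystem'; $zip = [System.IO.Compression.ZipFile]::Open('C:\Users\Admin\Desktop\tax.zip', [System.IO.Compression.ZipArchiveMode]::Update); $zip.Entries | ForEach-Object { $_.Password = $password }; $zip.Dispose();"""},
    {"pid": 2904, "ppid": 2252, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # The report truncates this command line after "$zip.Entries"; kept as shown.
     "cmdline": r"""powershell Compress-Archive -Path "C:\Users\Admin\Desktop\*" -DestinationPath "C:\Users\Admin\Desktop\tax.zip"; $password = 'tax'; Add-Type -AssemblyName 'System.IO.Compression.FileSystem'; $zip = [System.IO.Compression.ZipFile]::Open('C:\Users\Admin\Desktop\tax.zip', [System.IO.Compression.ZipArchiveMode]::Update); $zip.Entries"""},
]

ARCHIVE_CMDLET = re.compile(r"\bCompress-Archive\b", re.IGNORECASE)
USER_DATA_DIR = re.compile(r"\\Users\\[^\\]+\\(Desktop|Documents|Downloads|Pictures)\\", re.IGNORECASE)
FAKE_ENCRYPT = re.compile(r"\.Password\s*=", re.IGNORECASE)


def find_staging(events):
    """Flag processes whose command line archives a user data folder with Compress-Archive.

    Returns one finding per matching process with its parent chain (child first)
    and whether the command line pretends to password-protect the archive.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd = e["cmdline"]
        if not ARCHIVE_CMDLET.search(cmd) or not USER_DATA_DIR.search(cmd):
            continue
        chain, p = [], e
        while p is not None:                       # walk ppid links back to the root
            chain.append(p["image"].rsplit("\\", 1)[-1])
            p = by_pid.get(p["ppid"])
        findings.append({
            "pid": e["pid"],
            "chain": " <- ".join(chain),
            "claims_password": bool(FAKE_ENCRYPT.search(cmd)),
        })
    return findings


def build_archive(files):
    """Build a ZIP the way Compress-Archive does: stored/deflated entries, no encryption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_encrypted(zip_bytes):
    """True if any entry has general-purpose flag bit 0 (entry is encrypted) set."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def set_encrypt_flag(zip_bytes):
    """Demo only: set flag bit 0 in every local and central header without encrypting anything."""
    data = bytearray(zip_bytes)
    # Local file header: flags at offset 6; central directory header: flags at offset 8.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = data.find(sig)
        while i != -1:
            struct.pack_into("<H", data, i + off, struct.unpack_from("<H", data, i + off)[0] | 0x1)
            i = data.find(sig, i + 4)
    return bytes(data)


def main():
    for f in find_staging(EVENTS):
        print(f"pid {f['pid']}: {f['chain']} (claims password: {f['claims_password']})")
    z = build_archive({"2023_return.pdf": b"constructed sample content"})
    print("locally built archive encrypted:", is_encrypted(z))
    print("flag-patched archive encrypted:", is_encrypted(set_encrypt_flag(z)))


if __name__ == "__main__":
    main()
```

Running it flags both cmd.exe (PID 2252) and the child powershell.exe (PID 2904), with the chain leading back to the sample; only the cmd.exe line carries the .Password assignment because the report truncates the PowerShell command line before that point. For a real tax.zip recovered from a host, is_encrypted on its bytes is the quick confirmation that the contents are readable without any password.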