Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

  • 05/09/2024, 10:59  240905-m3c8vsygpn  (score 8)
  • 05/09/2024, 10:58  240905-m272vazelg  (score 3)
  • 05/09/2024, 10:55  240905-mz8wcszeja  (score 3)
  • 05/09/2024, 10:54  240905-mzj71azdra  (score 3)
  • 05/09/2024, 10:52  240905-mysgzszdqb  (score 3)
  • 05/09/2024, 10:50  240905-mw9cqayfnk  (score 3, this analysis)
  • 05/09/2024, 10:37  240905-mn29fazbpg  (score 4)
  • 05/09/2024, 10:34  240905-mmbebsydml  (score 3)

Analysis

  • max time kernel
    105s
  • max time network
    54s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/09/2024, 10:50

General

  • Target

    SA_2.7.0.7z

  • Size

    26KB

  • MD5

    6382ade525c3fd49d50e34b181de9d55

  • SHA1

    1c0d0f762b0aee467ea18ed06da5631b4dab678d

  • SHA256

    aca1a9c9b8902d00d582f58d6293c75cdf9eebd7dcc39e16921a97a1b2dbbd8f

  • SHA512

    db15cb2a7f60ef768335cf294a593849f42347a282c3e9446ec6b2f9d44d1aa94ce32c52bcebd4904869f39266351b8d722a90e1b2fbeb6aa030dc42dc02633e

  • SSDEEP

    768:WaJhRqiUS5rrWN+Zg/eoZlVu8qVh5JTGr2Q:FJhRBU3NNdu9j5JiV

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs

    Raised for NOTEPAD.EXE (PID 924) opening C:\Users\Admin\Pictures\FindUnblock.dxf. That process sits under the explorer.exe tree, not under the cmd.exe chain that launched SA_2.7.0.7z, so this is a heuristic hit rather than evidence that the sample dropped a note.
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z
        3⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Program Files\7-Zip\7z.exe
          "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2780
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:600
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Pictures\FindUnblock.dxf
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\FindUnblock.dxf
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:924
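A small Python helper, added here as an example (it is not code from the report or from tria.ge), that rebuilds the process tree above and sorts every signature hit by whether the raising process descends from the cmd.exe process that launched SA_2.7.0.7z or from the separate explorer.exe tree. The rows are transcribed from the Processes section, with parent/child links taken from how the report nests them; the tree building and attribution logic is illustration only.

```python
"""Rebuild the process tree from a sandbox report's Processes listing and
attribute each flagged behaviour to the top-level process it descends from.

Added example, not part of the tria.ge report or of tria.ge's own tooling.
The PROCESSES rows are transcribed from the report; the parent of each
process is taken from how the report nests it. Everything else is illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    cmdline: str
    signatures: tuple
    parent: "Proc | None" = None
    children: list = field(default_factory=list)


# (parent PID or None for a top-level process, PID, command line, signatures)
# Transcribed from the report's Processes section.
PROCESSES = [
    (None, 576, r"cmd /c C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z",
     ("Suspicious use of WriteProcessMemory",)),
    (576, 2876, r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z',
     ("Modifies registry class", "Suspicious use of WriteProcessMemory")),
    (2876, 2832, r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z',
     ("Modifies registry class", "Suspicious behavior: GetForegroundWindowSpam",
      "Suspicious use of SetWindowsHookEx", "Suspicious use of WriteProcessMemory")),
    (2832, 2780, r'"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\SA_2.7.0.7z"',
     ("Suspicious use of AdjustPrivilegeToken",)),
    (None, 600, r'"C:\Windows\explorer.exe"', ()),
    (600, 956, r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Pictures\FindUnblock.dxf',
     ("Modifies registry class", "Suspicious behavior: GetForegroundWindowSpam",
      "Suspicious use of WriteProcessMemory")),
    (956, 924, r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\FindUnblock.dxf',
     ("Opens file in notepad (likely ransom note)",)),
]


def build_tree(rows):
    """Link rows into parent/child objects. Returns (top-level procs, {pid: Proc}).

    Rows must list a parent before its children; a dangling parent PID is an
    error rather than being silently promoted to a root."""
    by_pid, roots = {}, []
    for parent_pid, pid, cmdline, sigs in rows:
        if pid in by_pid:
            raise ValueError(f"duplicate PID {pid} in listing")
        proc = Proc(pid, cmdline, sigs)
        by_pid[pid] = proc
        if parent_pid is None:
            roots.append(proc)
            continue
        parent = by_pid.get(parent_pid)
        if parent is None:
            raise ValueError(f"PID {pid} names unknown parent {parent_pid}")
        proc.parent = parent
        parent.children.append(proc)
    return roots, by_pid


def lineage(proc):
    """PIDs from the top-level ancestor down to proc, e.g. [600, 956, 924]."""
    chain = []
    while proc is not None:
        chain.append(proc.pid)
        proc = proc.parent
    return chain[::-1]


def attribute_signatures(roots, sample_marker):
    """Split every signature hit into two dicts {signature: [pids]}: hits raised
    inside a tree whose top-level command line mentions the sample, and hits
    raised anywhere else (here, the explorer.exe tree)."""
    from_sample, from_elsewhere = {}, {}

    def walk(proc, bucket):
        for sig in proc.signatures:
            bucket.setdefault(sig, []).append(proc.pid)
        for child in proc.children:
            walk(child, bucket)

    for root in roots:
        walk(root, from_sample if sample_marker in root.cmdline else from_elsewhere)
    return from_sample, from_elsewhere


if __name__ == "__main__":
    roots, by_pid = build_tree(PROCESSES)
    hits, other = attribute_signatures(roots, "SA_2.7.0.7z")
    for sig, pids in hits.items():
        print(f"sample   {sig}: {pids}")
    for sig, pids in other.items():
        print(f"outside  {sig}: {pids}  lineage={[lineage(by_pid[p]) for p in pids]}")
```

Running it puts "Opens file in notepad (likely ransom note)" and one of the three "Modifies registry class" hits in the outside bucket with lineage [600, 956, 924], while the WriteProcessMemory, SetWindowsHookEx and AdjustPrivilegeToken hits all trace back to PID 576. The same split is worth doing on any sandbox report before quoting its signature list as behaviour of the sample.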

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2832-24-0x0000000003CD0000-0x0000000003CE0000-memory.dmp
    Filesize: 64KB