Analysis
  max time kernel: 873s
  max time network: 787s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 08/09/2024, 20:04
Static task: static1
Behavioral task: behavioral1
  Sample: Bootstrapper.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Bootstrapper.exe
  Resource: win10v2004-20240802-en
General
  Target: Bootstrapper.exe
  Size: 796KB
  MD5: 5f16b82a8b62d4cc9d6ce02f44e34109
  SHA1: be96254773cba2c6f0b88e51319802b1c6394beb
  SHA256: 1621a516abb8ecf9459c9dec83f7fb9beb07af1f79511dfe0b3c622297ffa940
  SHA512: 956d983c7f076b176bfd1952e691e2d363c332dba317645ce991c9bb2f4ddd89771f0d035cbb70ab420b9dd906b3a6d0aecc6c8243ba6a4ac70979cebb00986b
  SSDEEP: 3072:nTaFZMwaCyYwC+M2FEv80IZOA/CyYwC+M2FEv80IZOAu80IZOA4:lhY7X2Kvh4hY7X2Kvhlh
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    pid   Process
    2528  powershell.exe
    1856  powershell.exe
    2536  powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    2104  2564        WerFault.exe  28

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Bootstrapper.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
    pid   Process
    2528  powershell.exe
    2536  powershell.exe
    1856  powershell.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
    description                        pid   Process
    Token: SeDebugPrivilege            2528  powershell.exe
    Token: SeDebugPrivilege            1856  powershell.exe
    Token: SeDebugPrivilege            2536  powershell.exe
    Token: SeDebugPrivilege            2564  Bootstrapper.exe
    Token: 33                          1512  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  1512  AUDIODG.EXE
    Token: 33                          1512  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  1512  AUDIODG.EXE

Suspicious use of WriteProcessMemory (16 IoCs)
    description                       pid   Process           procid_target
    PID 2564 wrote to memory of 2528  2564  Bootstrapper.exe  29
    PID 2564 wrote to memory of 2528  2564  Bootstrapper.exe  29
    PID 2564 wrote to memory of 2528  2564  Bootstrapper.exe  29
    PID 2564 wrote to memory of 2528  2564  Bootstrapper.exe  29
    PID 2564 wrote to memory of 2536  2564  Bootstrapper.exe  30
    PID 2564 wrote to memory of 2536  2564  Bootstrapper.exe  30
    PID 2564 wrote to memory of 2536  2564  Bootstrapper.exe  30
    PID 2564 wrote to memory of 2536  2564  Bootstrapper.exe  30
    PID 2564 wrote to memory of 1856  2564  Bootstrapper.exe  32
    PID 2564 wrote to memory of 1856  2564  Bootstrapper.exe  32
    PID 2564 wrote to memory of 1856  2564  Bootstrapper.exe  32
    PID 2564 wrote to memory of 1856  2564  Bootstrapper.exe  32
    PID 2564 wrote to memory of 2104  2564  Bootstrapper.exe  35
    PID 2564 wrote to memory of 2104  2564  Bootstrapper.exe  35
    PID 2564 wrote to memory of 2104  2564  Bootstrapper.exe  35
    PID 2564 wrote to memory of 2104  2564  Bootstrapper.exe  35
Processes

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  PID: 2564
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Sola'"
      PID: 2528
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
      PID: 2536
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      PID: 1856
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1612
      PID: 2104
      - Program crash

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2176

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x168
  PID: 1512
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 11174c5081631668a063c9e10f29a862
  SHA1: c063a3e9e746be501540a20c37d6be5d96092c92
  SHA256: 89dc6d9da09c7f9bab138ff368c9a1f5cfeabfa2fa611fd279acd3d0201e5625
  SHA512: 82303a6eaa43ba2ae15aa8ffda70e71bee8bfb66078700fa5d37c5113487ed62d298d6e8fd2d697fcab2b052d92f391be39422777b5ce4e24b835f93f9a71011