Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/09/2024, 11:06
Static task: static1
Behavioral task: behavioral1
Sample: qt-virustotal-uploader-master/deploy-osx.sh
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: qt-virustotal-uploader-master/deploy-osx.sh
Resource: win10v2004-20240802-en
General
Target: qt-virustotal-uploader-master/deploy-osx.sh
Size: 485B
MD5: 3cd81f2185491185d4ca056901c9ab74
SHA1: 28e28d7ca97de4ffbb90496de49b0d28198f7760
SHA256: d79a4da10fbb6ac0a6614e301b748c0a3d4f60c685b533f0f92fbf9951f0ba58
SHA512: e87a327599fc1396de3ed4e453e016afb1fa28a55d13aeb7bd89e7ffda5a648d60d35f3335afaff0d10c38f7ae3e388ec2e292a09226ce5ae922cab7c5608e88
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\sh_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.sh | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\sh_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\sh_auto_file\shell\Read\command | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\sh_auto_file | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.sh\ = "sh_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\sh_auto_file\shell\Read | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
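The rundll32.exe entries above are the Open With path rather than behaviour of the sample itself: `cmd /c` on a file whose `.sh` extension has no registered handler makes the shell call `shell32.dll,OpenAs_RunDLL`, and the application picked in that dialog (here Adobe Reader 9) is written into the per-user classes hive as `.sh` -> `sh_auto_file` with a `Read` verb whose command is `AcroRd32.exe "%1"`. That hive is the user-writable `HKCU\Software\Classes`, which takes precedence over `HKLM\Software\Classes` for the same extension, so the same write primitive is what a file-association hijack used for persistence looks like. The PowerShell below is an added example for auditing such overrides on a host; it is not part of the tria.ge report or of the qt-virustotal-uploader project, and the function name `Get-UserAssociationOverrides` and the `OutsideProgramDirs` heuristic are this example's own assumptions.

```powershell
# Added example (not from the report): enumerate per-user file-association overrides
# under HKCU\Software\Classes, the hive the report shows rundll32.exe writing to, and
# resolve each extension -> ProgId -> shell\<verb>\command chain so the handler that
# actually runs when a file is "opened" is visible next to the machine-wide mapping.

$userClasses = 'HKCU:\Software\Classes'

function Get-UserAssociationOverrides {
    param(
        # Optional list of extensions (e.g. '.sh'); default is every extension key in HKCU
        [string[]]$Extension
    )

    $extKeys = Get-ChildItem -Path $userClasses -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' }
    if ($Extension) {
        $extKeys = $extKeys | Where-Object { $Extension -contains $_.PSChildName }
    }

    foreach ($ext in $extKeys) {
        # Default value of HKCU\Software\Classes\.ext is the ProgId (report: ".sh" = "sh_auto_file")
        $progId = (Get-ItemProperty -Path $ext.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }

        $shellPath = Join-Path $userClasses "$progId\shell"
        if (-not (Test-Path $shellPath)) { continue }

        foreach ($verb in Get-ChildItem -Path $shellPath) {
            $cmdKey = Join-Path $verb.PSPath 'command'
            if (-not (Test-Path $cmdKey)) { continue }
            # Default value of shell\<verb>\command is the handler command line with "%1" placeholder
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'

            # Machine-wide ProgId for the same extension, if any, so the per-user override is obvious
            $machineProgId = (Get-ItemProperty -Path "HKLM:\Software\Classes\$($ext.PSChildName)" `
                -ErrorAction SilentlyContinue).'(default)'

            [pscustomobject]@{
                Extension          = $ext.PSChildName
                UserProgId         = $progId
                Verb               = $verb.PSChildName
                Command            = $cmd
                MachineProgId      = $machineProgId
                # Heuristic (this example's assumption): handlers outside Program Files or
                # Windows deserve a closer look. The AcroRd32.exe command in the report passes.
                OutsideProgramDirs = -not ($cmd -match '^"?(C:\\Program Files( \(x86\))?|C:\\Windows)\\')
            }
        }
    }
}

# Usage: first reproduce the lookup for the extension in this report, then list every override.
Get-UserAssociationOverrides -Extension '.sh' | Format-List
Get-UserAssociationOverrides | Where-Object OutsideProgramDirs | Format-Table -AutoSize
```

On the sandbox host this resolves `.sh` to `sh_auto_file`, verb `Read`, command `"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1"`, matching the ninth IoC above. A handler pointing into a user-writable directory (AppData, Temp, Public) under an extension the user regularly opens is the pattern worth escalating.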
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2752 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2752 | AcroRd32.exe
2752 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2368 wrote to memory of 2456 | 2368 | cmd.exe | 31
PID 2368 wrote to memory of 2456 | 2368 | cmd.exe | 31
PID 2368 wrote to memory of 2456 | 2368 | cmd.exe | 31
PID 2456 wrote to memory of 2752 | 2456 | rundll32.exe | 32
PID 2456 wrote to memory of 2752 | 2456 | rundll32.exe | 32
PID 2456 wrote to memory of 2752 | 2456 | rundll32.exe | 32
PID 2456 wrote to memory of 2752 | 2456 | rundll32.exe | 32
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\qt-virustotal-uploader-master\deploy-osx.sh
   - Suspicious use of WriteProcessMemory
   PID: 2368
   2. C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\qt-virustotal-uploader-master\deploy-osx.sh
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 2456
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\qt-virustotal-uploader-master\deploy-osx.sh"
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         PID: 2752
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: c308737d5e92e5421cae307e66cbac3e
SHA1: 40dcdb1b50b05b799d04648024b5e3c29e032b20
SHA256: 8d9edeeb8286aa0b5c947493f34d60f6e529a3a01f4e037df1f293c507a4996b
SHA512: 4e8a467ae7cced7f031a882757bdf7852213f13fcb1e9c73f26b55f09d1e46a4448c0947ab34179ea5f48f2d9047b3c2716230eae27375f2a8d20e8d2dd321ad