Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21/09/2024, 14:48
Behavioral task: behavioral1
- Sample: student.exe
- Resource: win7-20240903-en
General
- Target: student.exe
- Size: 16.4MB
- MD5: 16008a18ed602a629d889297a7c3c932
- SHA1: cdf29db97bdd80d0cd3054a2888d51ecb4c815fd
- SHA256: f804f5ee8d450c144a5abd2ab8524c7bdec83a4ebdd3720c0ad4e1cf5411e8bc
- SHA512: 13f43c46b2971f4aa0e4172ee6e0c9e1769dd8c1ac9821f2be146a260a1bc821e912ebc7a0fad073bb902e4e4ceccea1e52e06eb9524dbe06d61441b445fc8c6
- SSDEEP: 393216:+65xokU8YXfusOWMXY2eTE5VkH/VJS3bon2kK:fsPPus6X2gO9JS3O21
Malware Config
Signatures
- yara rule: upx (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2476-0-0x0000000000230000-0x000000000231C000-memory.dmp | upx
  behavioral1/memory/2476-7-0x0000000000230000-0x000000000231C000-memory.dmp | upx
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/memory/2476-7-0x0000000000230000-0x000000000231C000-memory.dmp | autoit_exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | student.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1280 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 1280 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1280 | msiexec.exe
  Token: SeRestorePrivilege | 2528 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2528 | msiexec.exe
  Token: SeSecurityPrivilege | 2528 | msiexec.exe
  Token: SeCreateTokenPrivilege | 1280 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 1280 | msiexec.exe
  Token: SeLockMemoryPrivilege | 1280 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 1280 | msiexec.exe
  Token: SeMachineAccountPrivilege | 1280 | msiexec.exe
  Token: SeTcbPrivilege | 1280 | msiexec.exe
  Token: SeSecurityPrivilege | 1280 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1280 | msiexec.exe
  Token: SeLoadDriverPrivilege | 1280 | msiexec.exe
  Token: SeSystemProfilePrivilege | 1280 | msiexec.exe
  Token: SeSystemtimePrivilege | 1280 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 1280 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 1280 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 1280 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 1280 | msiexec.exe
  Token: SeBackupPrivilege | 1280 | msiexec.exe
  Token: SeRestorePrivilege | 1280 | msiexec.exe
  Token: SeShutdownPrivilege | 1280 | msiexec.exe
  Token: SeDebugPrivilege | 1280 | msiexec.exe
  Token: SeAuditPrivilege | 1280 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 1280 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 1280 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 1280 | msiexec.exe
  Token: SeUndockPrivilege | 1280 | msiexec.exe
  Token: SeSyncAgentPrivilege | 1280 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 1280 | msiexec.exe
  Token: SeManageVolumePrivilege | 1280 | msiexec.exe
  Token: SeImpersonatePrivilege | 1280 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 1280 | msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1280 | msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2476 wrote to memory of 1280 | 2476 | student.exe | 30
  PID 2476 wrote to memory of 1280 | 2476 | student.exe | 30
  PID 2476 wrote to memory of 1280 | 2476 | student.exe | 30
  PID 2476 wrote to memory of 1280 | 2476 | student.exe | 30
  PID 2476 wrote to memory of 1280 | 2476 | student.exe | 30
  PID 2476 wrote to memory of 1280 | 2476 | student.exe | 30
  PID 2476 wrote to memory of 1280 | 2476 | student.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\student.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\student.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2476
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: msiexec.exe /i c:\windows\temp\Student.msi TRANSFORMS=":zh-cn.mst" SCREENDRIVER=1 RUNBYSERVICE=1
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 1280
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 2528
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16.0MB
  MD5: bd2bf4af2aaecee2917a3e55353a90fb
  SHA1: 9c819f5db18bcdf767391b3b8e2fd490c4e3435d
  SHA256: 87880be8b0bda7a682535769f910fa90e3c7e62cbc49d366e2987d16fec51d16
  SHA512: 0d780523e4ff7d17a9d94577ad47d3ed248692d09a3cf603f2acae281b46f2864479d741327bff2109aa327ebcb22fb601e972d82a05dca130bacc1427117692