Analysis
max time kernel: 5s
max time network: 6s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 02/10/2024, 00:31
Static task
static1: 1 signatures

Behavioral task
behavioral1
Sample: DEVIL.exe
Resource: win7-20240903-en
7 signatures, 150 seconds

Behavioral task
behavioral2
Sample: DEVIL.exe
Resource: win10v2004-20240802-en
10 signatures, 150 seconds

Errors
Reason: Machine shutdown
General
Target: DEVIL.exe
Size: 82KB
MD5: 2150441385aa4c9a077161ba835ce528
SHA1: cdd37f20aefdf4cd804423d490067616ce6a1088
SHA256: bb81b7ee2f7a45c1d47ab1312886b7fe985cb4090b56fc216ba472486c430477
SHA512: 22947ba02700422a8ffec4cad5306e4d041359b636f71b6547c64077296747f698c3d5f8bcaf8b19451b74180105cf57688f5bffbf5ce86fb951c2fc4e361174
SSDEEP: 1536:QcpG/9Qa/9frl4yHoAhQUkvJlyloYJ2XStaIu2BgwtbN9ln0e7:Fs/qa/LBHiUkvpYJzdBgwVB7
Score: 10/10
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description     | ioc                                                                                     | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" | DEVIL.exe

Disables Task Manager via registry modification

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description     | ioc                                                                                        | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper | DEVIL.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid  | Process
1792 | DEVIL.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                      | pid  | Process
Token: SeDebugPrivilege          | 1792 | DEVIL.exe
Token: SeShutdownPrivilege       | 1680 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 1680 | shutdown.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                   | pid  | Process   | procid_target
PID 1792 wrote to memory of 1680 | 1792 | DEVIL.exe | 30
PID 1792 wrote to memory of 1680 | 1792 | DEVIL.exe | 30
PID 1792 wrote to memory of 1680 | 1792 | DEVIL.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\DEVIL.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEVIL.exe"
  PID: 1792
  - Modifies WinLogon for persistence
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\System32\shutdown.exe
       Command line: "C:\Windows\System32\shutdown.exe" /r /t 0
       PID: 1680
       - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2924

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2996