Analysis
  max time kernel:  118s
  max time network: 124s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        08/10/2024, 08:52
Static task
  static1

Behavioral tasks
  behavioral1  sample: ZAMOWIEN.EXE.exe   resource: win7-20240903-en
  behavioral2  sample: ZAMOWIEN.EXE.exe   resource: win10v2004-20241007-en
  behavioral3  sample: Stenklver219.ps1   resource: win7-20240903-en
  behavioral4  sample: Stenklver219.ps1   resource: win10v2004-20241007-en
General
  Target:  ZAMOWIEN.EXE.exe
  Size:    426KB
  MD5:     76c9f492fb7a8f80ec783e727b9cd83d
  SHA1:    d29380e856c2855296bfbdc14de2aef98bf90c3d
  SHA256:  ac5ace4225e767aa30c1a5d950826c2545887e07027bdba89f653583ca65441d
  SHA512:  927cec7b1d2a3414e58ff973aff0525cc79375e118449c9b3f62c0d02d82fe4c2e9d8a6ce446caf17ebc48674b377492be8845abcfaa7e597b3c32750783e393
  SSDEEP:  6144:NqC56ALcmpQFbVySc2pXKJv4Bsn4z6XCWtB/DWfFcCrESnJCd6DRptmr1QHPVTgo:KA9WL5c2pXK+yn4K/uSoESnXl+ZQOE
Malware Config
Signatures

  Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Runs PowerShell with the display window hidden.
      PID   Process
      2856  powershell.exe

  Drops file in Program Files directory (1 IoC)
      Description                   IoC                                         Process
      File opened for modification  C:\Program Files (x86)\Common Files\o.pri   ZAMOWIEN.EXE.exe

  Drops file in Windows directory (2 IoCs)
      Description                   IoC                                                       Process
      File opened for modification  C:\Windows\resources\0409\Bitings235\restqfr.sta          ZAMOWIEN.EXE.exe
      File opened for modification  C:\Windows\resources\0409\vampirism\discomposed.ini       ZAMOWIEN.EXE.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
      Description  IoC                                                               Process
      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       powershell.exe
      Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       ZAMOWIEN.EXE.exe

  Suspicious behavior: EnumeratesProcesses (1 IoC)
      PID   Process
      2856  powershell.exe

  Suspicious use of AdjustPrivilegeToken (1 IoC)
      Description               PID   Process
      Token: SeDebugPrivilege   2856  powershell.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
      Description                   PID   Process           procid_target
      PID 2528 wrote to memory of   2856  ZAMOWIEN.EXE.exe  31
      PID 2528 wrote to memory of   2856  ZAMOWIEN.EXE.exe  31
      PID 2528 wrote to memory of   2856  ZAMOWIEN.EXE.exe  31
      PID 2528 wrote to memory of   2856  ZAMOWIEN.EXE.exe  31
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\ZAMOWIEN.EXE.exe (PID 2528)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ZAMOWIEN.EXE.exe"
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2856)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Nonprotraction=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\deciliteren\afstnings\Stenklver219.Int';$Helmuth=$Nonprotraction.SubString(747,3);.$Helmuth($Nonprotraction)"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken