Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/10/2024, 02:00

General

  • Target

    7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe

  • Size

    738KB

  • MD5

    884358a9e9da158f576b7b7e42521d70

  • SHA1

    a9d488b27fc2d65df89c1049c9cdf380e37e435f

  • SHA256

    7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd

  • SHA512

    630c905e255424dc8e54a8b945aaa5673e6ff25fe4e2f9713b73a3f5a622ff8f5d33bfc06ccecd85e5017bac27e31007c878acba32af509000a6c51fdaea0216

  • SSDEEP

    12288:javPpBdFOdWbKSYQNGHkROyGOs61IYZVAecgs9FMa1Mdq8jJN:javzLDK+NjDGMIYO7MoON

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe
    "C:\Users\Admin\AppData\Local\Temp\7821d35c1866a3ecd43b15d6a171fd9f11d70907105cc27f6b7f0760ca86bccd.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$supportable=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Variabelforklaringen.Adi';$Svinehundens=$supportable.SubString(52555,3);.$Svinehundens($supportable)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$supportable=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\superincomprehensible\Variabelforklaringen.Adi';$Svinehundens=$supportable.SubString(52555,3);.$Svinehundens($supportable)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    5806dd633468971d3469bdd121e2b2ca

    SHA1

    337badccf843962880fe270623807d8a466c306d

    SHA256

    a36b736eef18712c52ed04d5f19fa68bc2e3ad7df304f3448accd35aa27f70f4

    SHA512

    3c5a805e4d6c4e1cb02fc8a3fb313c4588e1bf3575c265acae9a46a55151fa06d9f4d28ab3941c6c0f45564f33b4272de3b907f66890023d492d5085a4516630