Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
11/11/2024, 10:44 UTC 241111-mswx8aybkj 10
25/10/2024, 13:05 UTC 241025-qbvklszdkh 10
23/10/2024, 19:44 UTC 241023-yf1anayfjp 10
Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/11/2024, 10:44 UTC
Behavioral task
behavioral1
Sample
source_prepared.pyc
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
source_prepared.pyc
Resource
win10v2004-20241007-en
General
- Target: source_prepared.pyc
- Size: 168KB
- MD5: 11f6c56cafe9a1a6efebe7618868003b
- SHA1: 27d6b5d6d315bf5063737561dfce2d72e1ade7dd
- SHA256: d97bfb28b1c258bf7964fa90325bcc22dd3e2ed22a954d0ed21b51c756a0cd88
- SHA512: 3efa1c586ff5493e01cc48857bcf449583c3e93bfafe96a5c630f6c6a4403d0960b1861303f66a344d07c556e1518c1b85aabf10a6409fdab4b30850f44d28c6
- SSDEEP: 3072:AexHVNaOO/5ESl1RdotPZTJ0pZXScT0o+IvdXzusTWP:BNaOO/5ESFdoCpUY0oysS
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings | rundll32.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1972 | AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1972 | AcroRd32.exe
1972 | AcroRd32.exe
1972 | AcroRd32.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 2852 wrote to memory of 2720 | 2852 | cmd.exe | 32
PID 2852 wrote to memory of 2720 | 2852 | cmd.exe | 32
PID 2852 wrote to memory of 2720 | 2852 | cmd.exe | 32
PID 2720 wrote to memory of 1972 | 2720 | rundll32.exe | 33
PID 2720 wrote to memory of 1972 | 2720 | rundll32.exe | 33
PID 2720 wrote to memory of 1972 | 2720 | rundll32.exe | 33
PID 2720 wrote to memory of 1972 | 2720 | rundll32.exe | 33
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
  - Suspicious use of WriteProcessMemory
  PID: 2852
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2720
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 1972
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
- MD5: 026a506b1e1c9ac013e44602d8b5fc41
- SHA1: 428614cda7dab4f752b8a46b0ba125a56576c276
- SHA256: 3782e4a3b5eb5895522ac795e07458cf5699af6e08345c5f587c56d7be69ec65
- SHA512: 80d6717730af5bee3926ac27ac100e849ec9cee7c84befdc9b98b3817d50358d4541a0f6919525c030be6aa6a359b73281c35df9cbc1102e831256ff04620040