Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10platforms/...479.sh
ubuntu-18.04-amd64
3platforms/...479.sh
debian-9-armhf
3platforms/...479.sh
debian-9-mips
3platforms/...479.sh
debian-9-mipsel
3platforms/...481.sh
ubuntu-18.04-amd64
1platforms/...481.sh
debian-9-armhf
1platforms/...481.sh
debian-9-mips
1platforms/...481.sh
debian-9-mipsel
1platforms/...232.sh
ubuntu-18.04-amd64
3platforms/...232.sh
debian-9-armhf
3platforms/...232.sh
debian-9-mips
3platforms/...232.sh
debian-9-mipsel
3platforms/...612.py
windows7-x64
3platforms/...612.py
windows10-2004-x64
3platforms/...701.sh
windows7-x64
3platforms/...701.sh
windows10-2004-x64
3platforms/...898.sh
ubuntu-18.04-amd64
platforms/...898.sh
debian-9-armhf
platforms/...898.sh
debian-9-mips
platforms/...898.sh
debian-9-mipsel
platforms/...010.pl
ubuntu-18.04-amd64
platforms/...010.pl
debian-9-armhf
platforms/...010.pl
debian-9-mips
platforms/...010.pl
debian-9-mipsel
platforms/...070.pl
ubuntu-18.04-amd64
platforms/...070.pl
debian-9-armhf
platforms/...070.pl
debian-9-mips
platforms/...070.pl
debian-9-mipsel
platforms/...071.pl
ubuntu-18.04-amd64
1platforms/...071.pl
debian-9-armhf
1platforms/...071.pl
debian-9-mips
1platforms/...071.pl
debian-9-mipsel
1Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
25/11/2024, 15:16
Behavioral task
behavioral1
Sample
platforms/QNX/local/1479.sh
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral2
Sample
platforms/QNX/local/1479.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
platforms/QNX/local/1479.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
platforms/QNX/local/1479.sh
Resource
debian9-mipsel-20240729-en
Behavioral task
behavioral5
Sample
platforms/QNX/local/1481.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral6
Sample
platforms/QNX/local/1481.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral7
Sample
platforms/QNX/local/1481.sh
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral8
Sample
platforms/QNX/local/1481.sh
Resource
debian9-mipsel-20240418-en
Behavioral task
behavioral9
Sample
platforms/aix/local/4232.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral10
Sample
platforms/aix/local/4232.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral11
Sample
platforms/aix/local/4232.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral12
Sample
platforms/aix/local/4232.sh
Resource
debian9-mipsel-20240729-en
Behavioral task
behavioral13
Sample
platforms/aix/local/4612.py
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
platforms/aix/local/4612.py
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
platforms/aix/local/701.sh
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
platforms/aix/local/701.sh
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
platforms/aix/local/898.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral18
Sample
platforms/aix/local/898.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral19
Sample
platforms/aix/local/898.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral20
Sample
platforms/aix/local/898.sh
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral21
Sample
platforms/asp/webapps/1010.pl
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral22
Sample
platforms/asp/webapps/1010.pl
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral23
Sample
platforms/asp/webapps/1010.pl
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral24
Sample
platforms/asp/webapps/1010.pl
Resource
debian9-mipsel-20240611-en
Behavioral task
behavioral25
Sample
platforms/asp/webapps/1070.pl
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral26
Sample
platforms/asp/webapps/1070.pl
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral27
Sample
platforms/asp/webapps/1070.pl
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral28
Sample
platforms/asp/webapps/1070.pl
Resource
debian9-mipsel-20240611-en
Behavioral task
behavioral29
Sample
platforms/asp/webapps/1071.pl
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral30
Sample
platforms/asp/webapps/1071.pl
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral31
Sample
platforms/asp/webapps/1071.pl
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral32
Sample
platforms/asp/webapps/1071.pl
Resource
debian9-mipsel-20240611-en
General
-
Target
platforms/aix/local/4612.py
-
Size
852B
-
MD5
3a00f0caf3fbae527dab35d00d3b0969
-
SHA1
3acc5284594de2898139ef60b92736cc0c504ef0
-
SHA256
92d1deaa8456ec5292012315262c628bd315ba7e741a51212cf1f246dc054d2c
-
SHA512
3887dee78ee5d0758da52e985003aa4b31a76d196ecb578c5fc88ca5f5d00f46f4b1134faca47f5fa9ea5c0d5d16e27809b3d1e4fc8256299b6096ec46a7f162
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2700 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2700 AcroRd32.exe 2700 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2912 wrote to memory of 2692 2912 cmd.exe 31 PID 2912 wrote to memory of 2692 2912 cmd.exe 31 PID 2912 wrote to memory of 2692 2912 cmd.exe 31 PID 2692 wrote to memory of 2700 2692 rundll32.exe 32 PID 2692 wrote to memory of 2700 2692 rundll32.exe 32 PID 2692 wrote to memory of 2700 2692 rundll32.exe 32 PID 2692 wrote to memory of 2700 2692 rundll32.exe 32
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\platforms\aix\local\4612.py1⤵
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\platforms\aix\local\4612.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\platforms\aix\local\4612.py"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2700
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5e0d8484b14861ffe0bd15c8510da0a67
SHA128843c8d3e94b5c245fb40450b317f3c21289f00
SHA2567cde2d873f357144e99648a8ee1c9c53c5fbf28cb0049a90c82a75318b27f190
SHA512089ba33df31acd1737be8956441ee06879973c41c4d47825647ee651796f630592f7ae7172635e5da85cf68d33c236ca9904ef25f612293fad3012c48b18d603