Analysis
max time kernel: 18s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 29/11/2024, 16:34
Behavioral tasks
behavioral1: sample hahaha.exe, resource win7-20240729-en
behavioral2: sample hahaha.exe, resource win10v2004-20241007-en
behavioral3: sample Stub.pyc, resource win7-20240729-en
behavioral4: sample Stub.pyc, resource win10v2004-20241007-en
General
Target: Stub.pyc
Size: 178KB
MD5: 008ed25892c6196314d888a29d84126c
SHA1: fc72833e41c6cdcf23abfd62f1787b592b5a5b2e
SHA256: 7d6e90c8b84a1ce681b80f3768d7d5b92315084064b73b175102ece93abed762
SHA512: 6491339137cb1e5fd425c3ad04b9454e0b929b9b7eb8e2901f1682e6a476b836909c61c04faf73b6f03834d19f8e1d6fbf8f12bd74285cc5a5ff96c33ccdd5ec
SSDEEP: 3072:uPGcc+7r5FEj5S1njCuGTvO0K2ehnxVZ7uuG6ZX/jaVyNq8aZ9/eM6JxB3wluH+b:uPGa79eArZ2eRHjaVRpeDNl+b
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: AcroRd32.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings (process: rundll32.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2560 AcroRd32.exe
  pid 2560 AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2488 wrote to memory of 2544 (pid 2488, cmd.exe, target procid 31)
  PID 2488 wrote to memory of 2544 (pid 2488, cmd.exe, target procid 31)
  PID 2488 wrote to memory of 2544 (pid 2488, cmd.exe, target procid 31)
  PID 2544 wrote to memory of 2560 (pid 2544, rundll32.exe, target procid 32)
  PID 2544 wrote to memory of 2560 (pid 2544, rundll32.exe, target procid 32)
  PID 2544 wrote to memory of 2560 (pid 2544, rundll32.exe, target procid 32)
  PID 2544 wrote to memory of 2560 (pid 2544, rundll32.exe, target procid 32)
Processes
1. C:\Windows\system32\cmd.exe (PID 2488)
   command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Stub.pyc
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (PID 2544)
      command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Stub.pyc
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2560)
         command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Stub.pyc"
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 6724709eaa3ad4441ffe0c6c052cff56
SHA1: c3f08ab49e72e8203d15d0d03f5d7ad9a95ea99a
SHA256: d37282cc9ba09d0bb66ea82335b6e27c9552d90e8e1d91bf4c63c9bd040678e5
SHA512: 5a28325e2a33fb7b3340403f99a6bde74b8d4d399294aa602d1c9fcd7a7cb2f4a5cd1ecc75607eed28fa386444671b4b57af2132f57c1cb9249c5bb437317664