Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10/12/2024, 02:24
Static task
static1
Behavioral task
behavioral1
Sample
MSTeamsSetup.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
MSTeamsSetup.exe
Resource
win10v2004-20241007-en
General
Target
MSTeamsSetup.exe
Size
1.4MB
MD5
7ee6219d0f497752aa7f1c129ca50bc1
SHA1
68bec1b6c594b6bdaf74b4062e4b3c477aa6a1ad
SHA256
c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0
SHA512
a91760aeb550d5683ce0222f40addb3507b79ccf10199c6c5a4773d3b3fc0bcf874360202bfcdca0871da5efe94b94b24fecb72dd5ebeca02939928c5a534094
SSDEEP
24576:E9Yu8GgnSf7uw7J8qyKD0OIqKT//pIgl6A5H2TuDWkd3WZZ7SuW42C7Z32o3:zGMo7NSK/Iqwp/6A5Wgz501SuWYZ3V
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2084, process Update.exe
- Loads dropped DLL (1 IoC)
  pid 2340, process MSTeamsSetup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Update.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by NOTEPAD.EXE
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MSTeamsSetup.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  pid 2076, process NOTEPAD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2084, process Update.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2340 (MSTeamsSetup.exe) wrote to memory of 2084, procid_target 30
  PID 2340 (MSTeamsSetup.exe) wrote to memory of 2084, procid_target 30
  PID 2340 (MSTeamsSetup.exe) wrote to memory of 2084, procid_target 30
  PID 2340 (MSTeamsSetup.exe) wrote to memory of 2084, procid_target 30
  PID 2340 (MSTeamsSetup.exe) wrote to memory of 2084, procid_target 30
  PID 2340 (MSTeamsSetup.exe) wrote to memory of 2084, procid_target 30
  PID 2340 (MSTeamsSetup.exe) wrote to memory of 2084, procid_target 30
  PID 2340 (MSTeamsSetup.exe) wrote to memory of 2076, procid_target 32
  PID 2340 (MSTeamsSetup.exe) wrote to memory of 2076, procid_target 32
  PID 2340 (MSTeamsSetup.exe) wrote to memory of 2076, procid_target 32
  PID 2340 (MSTeamsSetup.exe) wrote to memory of 2076, procid_target 32
Processes
- C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2340
  - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe (child of 2340)
    Command line: "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup.exe --bootstrapperMode
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2084
  - C:\Windows\SysWOW64\NOTEPAD.EXE (child of 2340)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID: 2076
Network
MITRE ATT&CK Enterprise v15
Downloads