Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/12/2024, 15:34

General

  • Target

    DEMANDA LABORAL JURIDICA 165161.zip

  • Size

    6.1MB

  • MD5

    c1aa4fa22d173ced8f486a204a1ae7ba

  • SHA1

    cb5ebbb275be1aba5b876d97160ce3c707ac4d18

  • SHA256

    6be3ef4c945c9c46527b9cdf595a5810753b4b39bacbc6b078d0153fc91d7b85

  • SHA512

    2bae65ffa4dc001784e5de6858365ef441813f83dd2250aa644d65cfb91a73bc8139be4ede6105000d0a5f1d9a9c95e33cde17b49eeb291e9671a85948fdad08

  • SSDEEP

    196608:RXM1Rlx6A5LEqEoHkriDlKsvYshOXXz1YB:RX6Rb6UgqbEriDlNhOHpYB

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL JURIDICA 165161.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3012
  • C:\Users\Admin\Desktop\1 DEMANDA LABORAL JURIDICA 321321.exe
    "C:\Users\Admin\Desktop\1 DEMANDA LABORAL JURIDICA 321321.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn "G7EJdZoaViCVgUwk" /tr "C:\Users\Admin\AppData\Roaming\1 DEMANDA LABORAL JURIDICA 321321.exe" /sc onlogon /rl highest /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "G7EJdZoaViCVgUwk" /tr "C:\Users\Admin\AppData\Roaming\1 DEMANDA LABORAL JURIDICA 321321.exe" /sc onlogon /rl highest /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2476
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    481KB

    MD5

    34e7858467bd37a5fe1b75dcd73bdf19

    SHA1

    60677610b2c666cca1c212b66441231cea964434

    SHA256

    11cdb65e5b007e249a51a7410da0653ec6c6b28f68b33e1de88ac3989dd745d6

    SHA512

    bb6ea5a30f6060dd68ef51a3cfcff76a20337155eb3ac95a0fdd19240782d07d947046788833983483908728f7f119fc858930ba9d80b823f7e3582054824ac9

  • C:\Users\Admin\Desktop\CiscoSparkLauncher.dll

    Filesize

    2.6MB

    MD5

    e2e01305e938ea378a88658d81c0917f

    SHA1

    6b3dc7e13347f6fadadc2dbac7d3a3927d9e2aa6

    SHA256

    29c3c48f4dc84e7179881bc3767546878b2db89d418372f687edbd4a72ef0989

    SHA512

    5620ea58d2a7da0fe5d352ea1fe82e76ed84c31b2ae97b28a3ab3b25268f21c0a8eef8ca7baa05ab0f2c80a8125fc7e2441065eda11259b1f636be7b3d6c202d

  • C:\Users\Admin\Desktop\VERSION.dll

    Filesize

    6.8MB

    MD5

    faa78a3123a7f231de7152bb15c7fa02

    SHA1

    c9562133f7630db6a84f4daf56b468c5b0891704

    SHA256

    e68265f0d7012e600dac0a25190c6bf4c65689165cb2cb31a60a37baad21064f

    SHA512

    622f9da91e1f4995136515120c6a2f5e7f43eb2007467d2633b7391c2777985b2557647ec7753c28d34014d5e83bc979298c245f2b3d6562e668d5c2e221faa4

  • \Users\Admin\Desktop\1 DEMANDA LABORAL JURIDICA 321321.exe

    Filesize

    121KB

    MD5

    9c521a90653df5d1efbd0cea12318863

    SHA1

    ec2afaf10b78dabfead9e9e485d454789c244188

    SHA256

    85bcfc9de06bd0751245ad882f7e2141f340cdedefcaefb8deabbc0792088a58

    SHA512

    d1bbb5e07e7df5fe6da9786ecee06c0dfd9e46067de48a139323aa045f81139b78404c4f3f77b1f6f58c3b11d1edf88d0c06ad42fcf7482436367f2444e6152e

  • memory/3000-14-0x0000000002780000-0x0000000002D8B000-memory.dmp

    Filesize

    6.0MB

  • memory/3000-38-0x0000000068840000-0x0000000068F17000-memory.dmp

    Filesize

    6.8MB