Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/12/2024, 00:09

General

  • Target

    install.exe

  • Size

    57KB

  • MD5

    242b49803d0dc2c25486ab866d8516cb

  • SHA1

    8d4302a242f4e3be1678e21e9bf79cc27f123e7d

  • SHA256

    0d03931dae04b1d6cae8d3745c3aff6315e0df8c6b0bb2589fe77b50580e88f6

  • SHA512

    02ba717114ac8fe22898356403065203d719e97b6bc4ececaf849fb21e02529bf54f367bd3468103045cc63a60c77935d8efa04fec67f6d80b60e43067966577

  • SSDEEP

    768:/Y9BR4QkHgaYpYnqL6n/RwilMARtPvevxHs4gZWk:mzlkHgNxc58ARtP2xHeW

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\install.exe
    "C:\Users\Admin\AppData\Local\Temp\install.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2500
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6fb39c27-b37d-3b8b-3c8b-d27932b4cc4a}\snbus.inf" "9" "635f382f7" "000000000000056C" "WinSta0\Default" "0000000000000568" "208" "C:\Users\Admin\AppData\Local\Temp"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{0e76f59e-897e-2b48-af11-854018e08e4e} Global\{7ba2baa5-11af-4085-9bd2-a9692b1d5663} C:\Windows\System32\DriverStore\Temp\{34e7e05f-f31d-0093-6cd4-ca2de154e674}\snbus.inf
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{502d60f1-4b98-022f-bf3d-de040114142b}\snserial.inf" "9" "679e6210b" "0000000000000568" "WinSta0\Default" "000000000000055C" "208" "C:\Users\Admin\AppData\Local\Temp"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{431c85bf-426c-2b13-1e15-942c78160a5e} Global\{04601519-3395-4092-9cff-ad10771b1d19} C:\Windows\System32\DriverStore\Temp\{0672bf78-9524-0005-527f-9d5077202d58}\snserial.inf
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\{502d60f1-4b98-022f-bf3d-de040114142b}\snserial.inf

    Filesize

    1KB

    MD5

    c2aeabdadd719d5ff4097c4fe2995af7

    SHA1

    39cca12c94d4ba8aa41a6560a00b031de6899606

    SHA256

    392e836b5a9cdbba0f9b4eb8346a6c0281c134c070a40d99a2c71ad0d2362520

    SHA512

    7854dce413a860dde871d143480fc21ddbd2441516d9a913f568883aec726f0d45d5385dc2ac9fdf449babef2c72715378d683b097f869fd4f6ec6fe54281d38

  • C:\Users\Admin\AppData\Local\Temp\{6fb39c27-b37d-3b8b-3c8b-d27932b4cc4a}\snbus.inf

    Filesize

    1KB

    MD5

    96d0078ea02ed681f67d8c8e6409473c

    SHA1

    a45fad9dc80b4e74b0ec31af2187b0e4b6cfee3b

    SHA256

    3804a768e956d3f30666258972b3215b738fdd58383b8ea808d31042f4fda439

    SHA512

    e53e058248544cdbcf219130ba4ec3dce6e6885745064e8da52174490b348952b72addb7bc45625d73521fea7c290f1698adc1efeada744a8eda08f7008247b3