Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/02/2025, 16:35

General

  • Target

    bin2local/bin/ControlzEx.pdb

  • Size

    685KB

  • MD5

    95ad9dc53d104d709ee179d85ce83def

  • SHA1

    c7bed5d7fe6421c547c4cbde7c986984cd6aea21

  • SHA256

    b46feb5b41a16f6dcf37001f5775ba59a1e4cf9eb7d0665f1724b917c30a3983

  • SHA512

    3e5593f2d573b3a5bfa05408d409c2d562c90dd700b98b9c8a63454249ed69f71add820e1a0ec71b009ba05ce4f438683ec5e0ae99a27be2df87af66e11b5981

  • SSDEEP

    6144:0pr12iW1CzyRJywCHyL/+/d5Zbk3RCLhr2a9fucQaVK60RyOKpvDi2jf5sxpr12d:0ph12XyhH8pxbp60cpcph12XyhHNr

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\bin2local\bin\ControlzEx.pdb
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bin2local\bin\ControlzEx.pdb
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bin2local\bin\ControlzEx.pdb"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    298e7f3eac7947e705f213e2e9bb982d

    SHA1

    4844b75062d678bf47cf58e2c6d672d089e24532

    SHA256

    94d818249b48837c1472551cd9c08a29e1364cb6db121d763e897872a34270cd

    SHA512

    e83eb76f1cd7d818b3f063c1b0d10cf8329eb516029cafd9072f325d77ee43a3099ceba73ebc516f45a1567508e5301e2ec541e7cc17cf01b2eddc972c9737f1