Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
132s -
max time network
143s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250211-en -
resource tags
-
submitted
14/02/2025, 10:33
General
-
Target
USB Safe.rar
-
Size
15.4MB
-
MD5
d287e12e0c59883d2b2c5d89c960a480
-
SHA1
c292c149267d83a9b3097957d0567cf0c7c882b8
-
SHA256
9188d34a4ab1316f3f5e47287a32bec55b33a56b45a4aee8a99a2fff7a95b4e6
-
SHA512
149da0498f0958527f993b075ba53e8f013169c3d91c9726b45a1c26330c7a73a85892f7cb4faa549015302194ec4f2bed88b6b30ff5b5f0cb2c5169a5e69ef1
-
SSDEEP
393216:JsqlmA1q6DjN6V9MvUi6WuNq0cPN/PGYsEFigiwYkIfgjQ:eqlt1qIja9XWuIvF/ElBDkIfGQ
Malware Config
Signatures
-
Downloads MZ/PE file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Drops desktop.ini file(s) 4 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\USB Safe.rar"1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OUJGNEI1RjQtNEQwQS00RjU0LTk4RjYtMEM1MEMxMDFCNEE1fSIgdXNlcmlkPSJ7OTJDNjAyQTgtOUVBMC00NURFLTlBQUQtMjA1QUE4MDlGQUUxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OTNGRkEwMEEtNTA4Ny00NjRCLUI5MEMtNzdCRDEzQjY0NzRFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjcwODQwIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5NjQ3NzYwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDkxOTg4OTgwMiIvPjwvYXBwPjwvcmVxdWVzdD41⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\new\Client.exe"C:\Users\Admin\Desktop\new\Client.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\new\Client.exe"C:\Users\Admin\Desktop\new\Client.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\new\Client.exe"C:\Users\Admin\Desktop\new\Client.exe"1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.9MB
MD5d8df0c89310c5a850463acca62dac85b
SHA18a935be60e94faecb45aaa4ee3ffb5fddc63bc40
SHA256c3c0ade7602bb49a44151de1b9e4fa163dd9fb05ec0926487a4f8fe16e21f1d7
SHA512e33a7889bc0ab671a82128ac89a6dc6bcfa7b995dfdee207ea74f49ad54fee65922e5d6309dc8c2519c846291478ab4c38e2d9103e03e6bd9d785681d6728956
-
Filesize
5KB
MD5ff433372cb5501bab0b62ee0d2f2a58f
SHA1ad98f7c09a79e6b17025f11d8cf35e22c9b4bfeb
SHA256276025a415f5c3f4189da1f32630f3675cfb914f0134a9331497aa76712ceb63
SHA512d8892b553594f7972edcb18c70012a067989a17f065a282a3f9642494a67840c84bff4f291ed66931e9692ed1a96d0b92e1819993814f24149a0b6df423e15e4
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB