Analysis
  max time kernel:   150s
  max time network:  49s
  platform:          windows7_x64
  resource:          win7-20220414-en
  submitted:         07/06/2022, 15:51
Static task
  static1
Behavioral task
  behavioral1
    Sample:    1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
    Resource:  win7-20220414-en
    0 signatures, 0 seconds
Behavioral task
  behavioral2
    Sample:    1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
    Resource:  win10v2004-20220414-en
    0 signatures, 0 seconds
General
  Target:  1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
  Size:    372KB
  MD5:     2d0f0ce93e4b45065dbf412d6c99fd63
  SHA1:    a586bd6a4a602a7805f61b32170e6dc27d14b5a1
  SHA256:  1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b
  SHA512:  7aa837aa7ee32d8bd76c6461db3e1a9a3d7e681fca7bd8146566fbfa6108656034cfd1a7abbd6b2ab4dcc6a41de2b491655bf333a08a241f51c495fb75e6d236
  Score:   10/10
Malware Config

Signatures
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{765C965F-39F8-4B4B-8BCA-6C0E66504686}\\f5ea51da.exe" | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{765C965F-39F8-4B4B-8BCA-6C0E66504686}\\f5ea51da.exe" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run | svchost.exe
  Persistence is set twice with the same value name (f5ea51da): once in the logged-on user's Run key (HKU\<SID>, i.e. HKCU) and once in the machine Run key as seen by a 32-bit process (Wow6432Node). Both point at f5ea51da.exe inside a GUID-named directory under %APPDATA%\Microsoft, and both are written by svchost.exe (PID 2008), the injected host process, not by the sample's own image. The doubled backslashes are Triage's rendering of the REG_SZ data, not part of the value.
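Added example, not Triage's code and not part of this report: it parses the two "Set value (str)" rows above exactly as Triage prints them, decodes hive, SID and WOW64 view from the NT registry path, undoes the doubled-backslash rendering, and applies the checks an analyst would run on an autorun entry (profile-path target, GUID-named directory, hex value name matching the file name, written by svchost.exe, machine key via Wow6432Node). The row regex, the flag names and the heuristics are assumptions for illustration.

```python
"""Triage of Run-key autorun IoCs.

Example added to this report, not Triage's own code. RAW_ROWS is copied from the
signature table above; the parser and the heuristics are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed input: the two "Set value (str)" rows as rendered by the report.
RAW_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{765C965F-39F8-4B4B-8BCA-6C0E66504686}\\f5ea51da.exe" svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\f5ea51da = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{765C965F-39F8-4B4B-8BCA-6C0E66504686}\\f5ea51da.exe" svchost.exe
'''

# Assumed row layout: 'Set value (str) <key>\<name> = "<data>" <process>'
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
SID_RE = re.compile(r'^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\', re.I)
GUID_DIR_RE = re.compile(r'\\\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}\\', re.I)
HEX8_RE = re.compile(r'^[0-9a-f]{8}$', re.I)


def parse_rows(raw):
    """Turn the rendered rows into records (hive, sid, wow64, key, name, data, proc)."""
    out = []
    for line in raw.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = m['key']
        sid = SID_RE.match(key)
        out.append({
            'hive': 'HKU' if key.upper().startswith('\\REGISTRY\\USER\\') else 'HKLM',
            'sid': sid.group(1) if sid else None,
            'wow64': '\\wow6432node\\' in key.lower(),
            'key': key,
            'name': m['name'],
            # Triage renders REG_SZ data with escaped backslashes; undo that.
            'data': m['data'].replace('\\\\', '\\'),
            'proc': m['proc'],
        })
    return out


def assess(rec):
    """Heuristics (assumed) that separate this autorun from a benign installer's Run value."""
    flags = []
    data_low = rec['data'].lower()
    target = PureWindowsPath(rec['data'])
    # Legitimate software rarely autoruns from the user profile.
    if '\\appdata\\roaming\\' in data_low or '\\appdata\\local\\' in data_low:
        flags.append('autorun_in_user_profile')
    # A random {GUID} directory under AppData\Roaming\Microsoft mimics Microsoft's layout.
    if GUID_DIR_RE.search(rec['data']):
        flags.append('guid_named_directory')
    # Value name == file stem == 8 hex chars is a generator artifact, not a product name.
    if HEX8_RE.match(rec['name']) and rec['name'].lower() == target.stem.lower():
        flags.append('hex_value_name_matches_filename')
    # svchost.exe has no business writing a user's Run key: an injected host process.
    if rec['proc'].lower() == 'svchost.exe':
        flags.append('written_by_svchost')
    # A 32-bit writer on x64 lands in Wow6432Node of the machine Run key.
    if rec['hive'] == 'HKLM' and rec['wow64']:
        flags.append('hklm_wow6432node_run')
    return flags


def triage(raw=RAW_ROWS):
    """Parse and assess every row; returns the records with their flags attached."""
    recs = parse_rows(raw)
    for r in recs:
        r['flags'] = assess(r)
    return recs


def persistence_targets(raw=RAW_ROWS):
    """Unique on-disk paths an analyst must collect or block."""
    return {r['data'] for r in parse_rows(raw)}


if __name__ == '__main__':
    for r in triage():
        view = ' (WOW64)' if r['wow64'] else ''
        print(f"{r['hive']}{view} Run\\{r['name']} -> {r['data']} [{r['proc']}] {r['flags']}")
    print(persistence_targets())
```

The same parser works on any Triage "Set value (str)" row; on a benign installer entry (HKLM\...\Run\Product = "C:\Program Files\Vendor\app.exe", written by the installer) every flag stays off.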
Drops file in System32 directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx | Process not Found
  This is the Windows Error Reporting diagnostic event log being written after the crash of PID 2008 (see "Program crash" below), by a process Triage did not track; it is crash-reporting noise, not a file drop by the sample.
Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | procid_target
  PID 1564 set thread context of 904 | 1564 | 1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe | 27
Drops file in Windows directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | Process not Found
  RecentFileCache.bcf is maintained by Windows' application-compatibility service whenever a new executable runs; like the WER log above it is a side effect rather than a drop by the sample, though it is a useful forensic record of which executables ran.
Program crash (1 IoC)
  pid | pid_target | process | procid_target
  1352 | 2008 | WerFault.exe | 28
  WerFault.exe (PID 1352) was started for a crash in PID 2008, the svchost.exe that had been injected into (cf. "-u -p 2008 -s 444" in the process tree).
Suspicious behavior: EnumeratesProcesses (21 IoCs, identical rows collapsed)
  pid | process | rows
  1564 | 1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe | 1
  2008 | svchost.exe | 20
Suspicious behavior: MapViewOfSection (25 IoCs, identical rows collapsed)
  pid | process | rows
  904 | 1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe | 2
  2008 | svchost.exe | 23
Suspicious use of AdjustPrivilegeToken (28 IoCs, identical rows collapsed)
  token | pid | process | rows
  SeDebugPrivilege | 2008 | svchost.exe | 26
  SeShutdownPrivilege | 1280 | Process not Found | 1
  SeAuditPrivilege | 884 | Process not Found | 1
  Only the SeDebugPrivilege rows belong to the injected svchost.exe (PID 2008); the two Process not Found rows come from system processes Triage did not track.
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1564 | 1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
Suspicious use of UnmapMainImage (1 IoC)
  pid | process
  756 | Process not Found
  PID 756 is not in the tracked process tree, so this event cannot be tied to the sample.
Suspicious use of WriteProcessMemory (33 IoCs, identical rows collapsed)
  source pid / process | target pid / process | procid_target | rows
  1564 1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe | 904 1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe | 27 | 17
  904 1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe | 2008 svchost.exe | 28 | 4
  376 Process not Found | 1352 WerFault.exe | 29 | 8
  2008 svchost.exe | 1352 WerFault.exe | 29 | 4
  Reading the chain: the sample (PID 1564) starts a second copy of its own image (PID 904) and, together with the SetThreadContext call above, writes into it, a sequence consistent with process hollowing; the hollowed copy then starts a 32-bit svchost.exe (PID 2008) and writes into that. The writes into WerFault.exe (PID 1352) happen when the crash handler is started for PID 2008 and are crash-reporting noise, not sample activity. "Process not Found" means Triage could not attribute the source PID to a tracked process.
Processes
  1. C:\Users\Admin\AppData\Local\Temp\1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe  (PID 1564)
     cmdline: "C:\Users\Admin\AppData\Local\Temp\1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe"
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe  (PID 904)
        cmdline: C:\Users\Admin\AppData\Local\Temp\1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\svchost.exe  (PID 2008)
           cmdline: "C:\Windows\system32\svchost.exe"
           - Adds Run key to start application
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious behavior: MapViewOfSection
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
           4. C:\Windows\SysWOW64\WerFault.exe  (PID 1352)
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 444
              - Program crash
  The svchost.exe at level 3 is the 32-bit copy (the system32 path in its command line is redirected to SysWOW64 for a 32-bit parent), it carries no "-k <service group>" argument, and its parent is the sample rather than services.exe; all three are tells of an svchost started as an injection host. The Run-key persistence and the SeDebugPrivilege use are attributed to this PID, and it is also the process that crashed.
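Added example, not Triage's code and not part of this report: it rebuilds the injection chain from the process tree and the SetThreadContext / WriteProcessMemory rows above. The process table and the per-edge row counts are transcribed from this report; the edge labels, the "started by services.exe with -k" sanity check for svchost.exe, and all function names are assumptions for illustration.

```python
"""Reconstruct the injection chain from Triage's process tree and API rows.

Example added to this report, not Triage's own code. PROCS and the EVENTS row
counts are transcribed from the signatures above; the labels and rules are
assumptions for illustration.
"""
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE = (r'C:\Users\Admin\AppData\Local\Temp'
          r'\1c59a3704077758f0798e37357b278e7dae15fd122d64f1e42d5050821e0176b.exe')

# pid -> (parent pid, image path, command line), from the process tree.
# PID 376 only appears as "Process not Found" in the report, so it is absent here.
PROCS = {
    1564: (None, SAMPLE, f'"{SAMPLE}"'),
    904:  (1564, SAMPLE, SAMPLE),
    2008: (904,  r'C:\Windows\SysWOW64\svchost.exe',
                 r'"C:\Windows\system32\svchost.exe"'),
    1352: (2008, r'C:\Windows\SysWOW64\WerFault.exe',
                 r'C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 444'),
}

# (api, source pid, target pid), repeated as many times as the report lists the row.
EVENTS = (
    [('SetThreadContext', 1564, 904)]
    + [('WriteProcessMemory', 1564, 904)] * 17
    + [('WriteProcessMemory', 904, 2008)] * 4
    + [('WriteProcessMemory', 376, 1352)] * 8
    + [('WriteProcessMemory', 2008, 1352)] * 4
)


def image(pid):
    rec = PROCS.get(pid)
    return rec[1] if rec else None


def basename(path):
    return PureWindowsPath(path).name.lower() if path else None


def in_user_writable_dir(path):
    low = (path or '').lower()
    return any(p in low for p in ('\\users\\', '\\appdata\\', '\\temp\\'))


def collapse(events):
    """Triage prints one row per call; the analyst wants (api, src, dst) -> count."""
    return Counter(events)


def classify_write(src, dst, counts):
    """Label one src -> dst WriteProcessMemory relationship (assumed rule set)."""
    dst_parent, dst_img, dst_cmd = PROCS.get(dst, (None, None, None))
    src_img = image(src)
    if src_img is None:
        return 'unattributed_source'            # "Process not Found" in the report
    if basename(dst_img) == 'werfault.exe' and f'-p {src}' in (dst_cmd or ''):
        return 'wer_crash_handler_noise'        # WerFault.exe -p <crashing pid>
    if dst_parent == src and dst_img == src_img and counts[('SetThreadContext', src, dst)]:
        return 'self_hollowing'                 # own image spawned, overwritten, context set
    if (dst_parent == src and (dst_img or '').lower().startswith('c:\\windows\\')
            and in_user_writable_dir(src_img)):
        return 'inject_into_spawned_system_binary'
    return 'other'


def edge_labels(events=EVENTS):
    """(src, dst) -> (label, number of rows) for every WriteProcessMemory edge."""
    counts = collapse(events)
    return {(src, dst): (classify_write(src, dst, counts), n)
            for (api, src, dst), n in counts.items() if api == 'WriteProcessMemory'}


def injection_chain(root, events=EVENTS):
    """Follow non-noise WriteProcessMemory edges from root; stops at WER noise or a cycle."""
    counts = collapse(events)
    chain, cur = [root], root
    while True:
        targets = sorted(dst for (api, src, dst) in counts
                         if api == 'WriteProcessMemory' and src == cur
                         and classify_write(src, dst, counts) != 'wer_crash_handler_noise')
        if not targets or targets[0] in chain:
            return chain
        cur = targets[0]
        chain.append(cur)


def svchost_anomalies():
    """Legitimate svchost.exe is started by services.exe with '-k <group>'; flag anything else."""
    bad = []
    for pid, (ppid, img, cmd) in PROCS.items():
        if basename(img) == 'svchost.exe':
            if basename(image(ppid)) != 'services.exe' or ' -k ' not in cmd.lower():
                bad.append(pid)
    return bad


if __name__ == '__main__':
    for (src, dst), (label, n) in edge_labels().items():
        print(f'{src} -> {dst}: {label} ({n} rows)')
    print('chain:', ' -> '.join(map(str, injection_chain(1564))))
    print('svchost anomalies:', svchost_anomalies())
```

Collapsing the rows first is what makes the 33 WriteProcessMemory entries readable as four edges; the chain walk then yields 1564 -> 904 -> 2008 and stops at the WerFault.exe writes, which the -p argument ties to the crash of PID 2008 rather than to the sample.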