Analysis
- max time kernel: 183s
- max time network: 176s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2022, 04:02
Static task
- static1
Behavioral task
- behavioral1: sample Full Install.exe, resource win7-20220812-en (the run whose signatures and process tree are reported on this page, per the platform and resource above)
Behavioral task
- behavioral2: sample Full Install.exe, resource win10v2004-20220812-en
General
- Target: Full Install.exe
- Size: 1.3MB
- MD5: 70364fa4e186b91a1782ac29a13bb3ad
- SHA1: 1f4c9fb938ac2d78a8a3ea091bd9395e962d5589
- SHA256: 72592d99f4521b4cc9014bc2a361e84382de2e12610aa32ea5927a6d75228939
- SHA512: d2ad64ece3371d90ff140d9ed27ffcfa93bbadd9175f7b08feaefb8e4ea9203dcf23b4f98a23fb19969c03aee85f8986096e21678eb746f9b89e4156c40a23dd
- SSDEEP: 24576:4RmJkcoQricOIQxiZY1iazQGeD9EMuoKqFX8amJ54lkrNu/3vL:9JZoQrbTFZY1iaXs9EMb1sxL3rA3vL
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 8 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\calc.exe = "C:\\Windows\\SysWOW64\\calc.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winload.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  The string values use the pre-Vista AuthorizedApplications format path:scope:Enabled|Disabled:display name; a scope of * means any remote address, and DoNotAllowExceptions = 0 keeps the exception list in force. One exception is for the hollowed calc.exe, the other for the dropped winload.exe. "Windows Messanger" is the display name the sample wrote, misspelling included; match it verbatim when hunting for it.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | calc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft OS = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" | calc.exe
  The writer is calc.exe (PID 948), the hollowed process, not the original dropper; the Policies\Explorer\Run key is processed at logon like the ordinary Run key but is less often inspected.
- Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F1A0BCF-CCEB-2A64-BC0D-C5274F6AE8CC} | calc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F1A0BCF-CCEB-2A64-BC0D-C5274F6AE8CC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" | calc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{3F1A0BCF-CCEB-2A64-BC0D-C5274F6AE8CC} | calc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components\{3F1A0BCF-CCEB-2A64-BC0D-C5274F6AE8CC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" | calc.exe
  Active Setup StubPath entries are executed at user logon, a persistence location that Run-key-only checks miss. The machine-wide entry sits under Wow6432Node because the writer is a 32-bit process; the GUID {3F1A0BCF-CCEB-2A64-BC0D-C5274F6AE8CC} is the sample's own and is a usable IoC.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | calc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft OS = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" | calc.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | calc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OS = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" | calc.exe
  All four persistence entries share the value name "Microsoft OS" and the target C:\Users\Admin\AppData\Roaming\winload.exe. winload.exe is the name of the legitimate Windows boot loader in System32; a copy in a user's Roaming profile is not legitimate.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | procid_target
  PID 904 set thread context of 948 | 904 | Full Install.exe | 28
  Together with the WriteProcessMemory calls from 904 into 948 listed below, this is the process-hollowing pattern: the dropper starts calc.exe, overwrites its memory and redirects its thread, so the later activity attributed to calc.exe is the dropper's payload.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Triage attaches the generic description "Likely ransomware behaviour" to this signature; nothing else in this report corroborates ransomware activity, so treat it as a low-confidence heuristic here.
- Modifies registry key (1 TTP, 4 IoCs)
  pid | process
  1832 | reg.exe
  740 | reg.exe
  1836 | reg.exe
  1764 | reg.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  All 35 calls come from calc.exe (PID 948). Privileges enabled, in order (entries reported by number only are privileges the sandbox did not map to a name): Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, Token: 31, Token: 32, Token: 33, Token: 34, Token: 35
  Walking every privilege from 1 upward and enabling each is the blanket enable-all-privileges routine common in injected payloads; the real calc.exe has no reason to do this.
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | process
  948 | calc.exe (4 calls)
- Suspicious use of WriteProcessMemory (38 IoCs)
  description | pid | process | procid_target | calls
  PID 904 wrote to memory of 948 | 904 | Full Install.exe | 28 | 6
  PID 948 wrote to memory of 1312 | 948 | calc.exe | 29 | 4
  PID 948 wrote to memory of 1444 | 948 | calc.exe | 31 | 4
  PID 948 wrote to memory of 1320 | 948 | calc.exe | 33 | 4
  PID 948 wrote to memory of 268 | 948 | calc.exe | 35 | 4
  PID 1444 wrote to memory of 740 | 1444 | cmd.exe | 38 | 4
  PID 1312 wrote to memory of 1832 | 1312 | cmd.exe | 37 | 4
  PID 1320 wrote to memory of 1836 | 1320 | cmd.exe | 39 | 4
  PID 268 wrote to memory of 1764 | 268 | cmd.exe | 40 | 4
  The four identical writes from each parent into its cmd.exe or reg.exe child are what CreateProcess itself does when it sets up a child (process parameters and PEB); only the six writes from 904 into 948, paired with the SetThreadContext call above, indicate injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\Full Install.exe (PID 904)
  command line: "C:\Users\Admin\AppData\Local\Temp\Full Install.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\calc.exe (PID 948)
    command line: "C:\Windows\SysWOW64\calc.exe"
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1312)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1832)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 1444)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\calc.exe" /t REG_SZ /d "C:\Windows\SysWOW64\calc.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 740)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\calc.exe" /t REG_SZ /d "C:\Windows\SysWOW64\calc.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 1320)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1836)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe (PID 268)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winload.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winload.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1764)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winload.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winload.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key

Reading the tree: the dropper (904) starts calc.exe, writes into it and resets its thread context, so everything calc.exe (948) does from there is the payload. calc.exe issues four cmd /c REG ADD commands; the DoNotAllowExceptions write is sent twice (1312/1832 and 1320/1836), and the exception list receives one entry for the hollowed calc.exe and one for the dropped winload.exe. Every image path is under SysWOW64, so the whole chain is 32-bit, which is why the HKLM\SOFTWARE writes in the signatures land under Wow6432Node. The commands address HKLM\System\CurrentControlSet while the registry IoCs show ControlSet001: CurrentControlSet is a link to the active control set, so both spellings name the same key when correlating.
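The Signatures section above lists the registry writes as flattened "Set value"/"Key created" rows, and the process tree carries the same writes again as REG ADD command lines. The Python below is an added example for this page, not Triage's code and not the sample's: it parses both forms, normalizes them to one path shape (Triage's \REGISTRY\MACHINE and ControlSet001 spellings onto reg.exe's HKLM\...\CurrentControlSet, with Wow6432Node dropped) and tags the firewall-exception and persistence writes, decoding the legacy AuthorizedApplications value format along the way. The rule set, the record layout and the one benign REG ADD control line are this example's own; the sample rows are copied from this report.

```python
"""Normalize and classify the registry writes in this Triage report (added example, not
Triage's or the sample's code). Parses the flattened "Set value"/"Key created" rows from
Signatures and the REG ADD command lines from the process tree into one (path, data) shape
and tags firewall-exception and persistence writes. Rule set and HKLM/HKU spelling are this
example's choices; the ControlSet001 collapse assumes 001 was the sandbox's live control set."""
import re

# Constructed input: rows copied from this report's Signatures section.
IOC_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe',
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\calc.exe = "C:\\Windows\\SysWOW64\\calc.exe:*:Enabled:Windows Messanger" reg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft OS = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" calc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F1A0BCF-CCEB-2A64-BC0D-C5274F6AE8CC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" calc.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OS = "C:\\Users\\Admin\\AppData\\Roaming\\winload.exe" calc.exe',
]
# Constructed input: two command lines from the process tree plus one invented benign REG ADD.
CMDLINES = [
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winload.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winload.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKCU\Software\ExampleCorp\Settings /v Theme /t REG_SZ /d dark /f',
]

IOC_RE = re.compile(r'^(?P<op>Set value \((?P<type>int|str)\)|Key created) '
                    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<data>.*)")? (?P<proc>\S+\.exe)$')

# Rule order matters: Policies\Explorer\Run must be tested before the plain Run rule.
RULES = (
    ('firewall_exceptions_enabled', re.compile(r'\\FirewallPolicy\\\w+Profile\\DoNotAllowExceptions$', re.I)),
    ('firewall_app_exception', re.compile(r'\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List\\(?P<name>.+)$', re.I)),
    ('policy_run_key', re.compile(r'\\CurrentVersion\\Policies\\Explorer\\Run\\(?P<name>[^\\]+)$', re.I)),
    ('run_key', re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\]+)$', re.I)),
    ('active_setup_stubpath', re.compile(r'\\Active Setup\\Installed Components\\\{[0-9A-F-]+\}\\StubPath$', re.I)),
)

def normalize(path):
    """Map Triage's \\REGISTRY\\... spelling onto reg.exe's HKLM/HKU form and collapse aliases."""
    subs = ((r'^\\REGISTRY\\MACHINE\\', lambda m: 'HKLM\\'),
            (r'^\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\', lambda m: 'HKU\\%s\\' % m.group(1)),
            (r'\\ControlSet00\d\\', lambda m: '\\CurrentControlSet\\'),  # link target -> link name
            (r'\\Wow6432Node\\', lambda m: '\\'))  # 32-bit (SysWOW64) writers are redirected here
    for pattern, repl in subs:
        path = re.sub(pattern, repl, path, flags=re.I)
    return path

def parse_ioc_row(row):
    """One flattened Triage IoC row -> record dict, or None if the row is not one."""
    m = IOC_RE.match(row)
    if not m:
        return None
    # Triage doubles backslashes inside string data; Key created rows carry no data at all.
    data = m.group('data') and m.group('data').replace('\\\\', '\\')
    return {'source': 'ioc', 'process': m.group('proc'), 'path': normalize(m.group('path')), 'data': data}

def parse_reg_add(cmdline):
    """REG ADD <key> [/v name] [/t type] [/d data] [/f] -> same record shape, or None."""
    toks = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    low = [t.lower().rsplit('\\', 1)[-1] for t in toks]  # tolerate a full image path to reg.exe
    for i, t in enumerate(low):
        if t in ('reg', 'reg.exe') and i + 2 < len(low) and low[i + 1] == 'add':
            break
    else:
        return None
    key, opts, j = toks[i + 2], {}, i + 3
    while j < len(toks):
        if low[j] in ('/v', '/t', '/d') and j + 1 < len(toks):
            opts[low[j]] = toks[j + 1]
            j += 2
        else:
            j += 1  # /f, /ve, /reg:32 and anything unexpected
    path = key + ('\\' + opts['/v'] if '/v' in opts else '')
    return {'source': 'cmdline', 'process': 'reg.exe', 'path': normalize(path), 'data': opts.get('/d')}

def classify(path, data):
    """Return (category, detail) for a normalized value path, or (None, {}) if uninteresting."""
    for category, rule in RULES:
        m = rule.search(path)
        if not m:
            continue
        if category == 'firewall_exceptions_enabled':
            # Only 0 loosens the policy: it lets the AuthorizedApplications list take effect.
            return (category, {}) if data in ('0', '0x0') else (None, {})
        if category == 'firewall_app_exception':
            # Pre-Vista AuthorizedApplications value: <path>:<scope>:<Enabled|Disabled>:<display name>.
            # rsplit keeps the drive-letter colon inside <path>; scope * means any remote address.
            parts = data.rsplit(':', 3) if data else []
            if len(parts) != 4:
                return category, {'raw': data}
            return category, {'app': parts[0], 'scope': parts[1], 'state': parts[2], 'display_name': parts[3],
                              'value_name_matches_app': m.group('name').lower() == parts[0].lower()}
        # Persistence rules: flag targets that live in a user-writable profile directory.
        return category, {'target': data, 'user_writable': bool(re.search(r'\\Users\\[^\\]+\\AppData\\', data or '', re.I))}
    return None, {}

def analyze(ioc_rows, cmdlines):
    """Parse both inputs and attach a category to every record."""
    records = [r for r in map(parse_ioc_row, ioc_rows) if r] + [r for r in map(parse_reg_add, cmdlines) if r]
    for rec in records:
        rec['category'], rec['detail'] = classify(rec['path'], rec['data'])
    return records

if __name__ == '__main__':
    for r in analyze(IOC_ROWS, CMDLINES):
        print(r['source'], r['category'], r['path'], r['detail'])
```

Run as a script it prints one record per input line. Key created rows and ordinary REG ADD usage come out with category None, which is what the benign control line is there to show, and the DoNotAllowExceptions rule only fires on data 0 because 1 would tighten the policy rather than loosen it. Matching is case-insensitive because the report itself mixes `services`/`Services` and `SOFTWARE`/`Software`; process names containing spaces (such as the dropper's own) are not expected in the IoC rows this parser handles.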