Analysis
- max time kernel: 140s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2022, 19:47
Static task: static1
Behavioral task: behavioral1
- Sample: b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36.exe
- Resource: win10v2004-20220901-en
General
- Target: b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36.exe
- Size: 107KB
- MD5: 87af379887e7e989e7e62d63138d0e89
- SHA1: 0d6936f8ade1f4b512d561b213ba4061ce4a8ef3
- SHA256: b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36
- SHA512: 2255ad486fe198d7294cc443a4ac315b6ae6dcf54f03439a72a6f4b0d36286396df2f34ab0c1ac3ab1ce370a188a9f32518de01f3362afc31504d4ee0f3e8f6d
- SSDEEP: 1536:bpqFQnVOw66Txr2Lx0cMk7ZQejq0QnqUyDDkgJYIkgX4/i+VwFuSsI:cQV71A0/k7y6KqXPk6Y9E49w8SsI
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components (process: explorer.exe)

Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\olinkinfo.dll (process: b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36.exe)
- File opened for modification: C:\Windows\olinkinfo.dll (process: b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36.exe)
- File created: C:\WINDOWS\LINKINFO.DLL (process: b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36.exe)
- File created: C:\WINDOWS\SFDLL.DLL (process: b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36.exe)
Modifies Internet Explorer settings (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar (process: explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" (process: explorer.exe)
Modifies registry class (5 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (process: explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (process: explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (process: explorer.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 1348: b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36.exe

Suspicious use of AdjustPrivilegeToken (17 IoCs)
- Token: SeShutdownPrivilege, PID 1560, explorer.exe (13 occurrences)
- Token: 33, PID 980, AUDIODG.EXE (2 occurrences)
- Token: SeIncBasePriorityPrivilege, PID 980, AUDIODG.EXE (2 occurrences)

Suspicious use of FindShellTrayWindow (26 IoCs)
- PID 1560: explorer.exe (26 occurrences)

Suspicious use of SendNotifyMessage (17 IoCs)
- PID 1560: explorer.exe (17 occurrences)

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1348 (b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36.exe) wrote to memory of PID 1560, procid_target 26 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b60a5cfa5e8d10172e6867b0382f962ad7b421be6376d77adf3688da10de7f36.exe"
  PID: 1348
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (child of PID 1348)
    command line: C:\Windows\explorer.exe
    PID: 1560
    - Modifies Installed Components in the registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x528
  PID: 980
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  command line: explorer.exe
  PID: 1644
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 13KB
  MD5: 1387ce50932aa43e069f3dd078152853
  SHA1: 2842272cff673d0bbaedb7eaac64eec798b7a5d6
  SHA256: 49b5ebdb5244ed62c0ea91822e8faedab799edd85e00aa5119354a6946f208cb
  SHA512: 13985d501e75ed2b718c7f9ed3ecee239628495d1e8017c147c4447cb489da290526eca709acb8236a4991854ab41ecd62970077fc1f84926dbee3ae4995b698