Analysis
max time kernel: 109s
max time network: 153s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/10/2022, 23:41
Static task: static1
Behavioral task: behavioral1
  Sample: 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe
  Resource: win10v2004-20220901-en
General
Target: 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe
Size: 381KB
MD5: 026967df99c1e939598519cfc3dfb171
SHA1: 94810d1e09daa858b37bc21922c61ba1469979b2
SHA256: 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316
SHA512: 8a0dc0e98aded5c069363d2cbba49b26a07c90beba06b2bb45d7431fb456e3709ccd05b2b6f0ddf29257ff67171c9381f254c0b297e0732b178114488c8d2729
SSDEEP: 6144:AIODqYV/MzkO8RxRltwvwv++euoRqnhmXjyZroNJQsdWdc+hdhQLV:AIO2gJl+q+TRDTyZMctCR
Malware Config
Signatures
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1676 set thread context of 948 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 30
PID 1676 set thread context of 1284 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 35

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8EEFD501-4207-11ED-AA01-6AB3F8C7EA51} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371448568" | iexplore.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
948 | iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe
948 | iexplore.exe
948 | iexplore.exe
888 | IEXPLORE.EXE
888 | IEXPLORE.EXE
888 | IEXPLORE.EXE
888 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs
description | pid | Process | procid_target
PID 1676 wrote to memory of 1228 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 28
PID 1676 wrote to memory of 1228 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 28
PID 1676 wrote to memory of 1228 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 28
PID 1676 wrote to memory of 1228 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 28
PID 1676 wrote to memory of 948 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 30
PID 1676 wrote to memory of 948 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 30
PID 1676 wrote to memory of 948 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 30
PID 1676 wrote to memory of 948 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 30
PID 1676 wrote to memory of 948 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 30
PID 1676 wrote to memory of 948 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 30
PID 1676 wrote to memory of 948 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 30
PID 1676 wrote to memory of 948 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 30
PID 1228 wrote to memory of 828 | 1228 | cmd.exe | 31
PID 1228 wrote to memory of 828 | 1228 | cmd.exe | 31
PID 1228 wrote to memory of 828 | 1228 | cmd.exe | 31
PID 1228 wrote to memory of 828 | 1228 | cmd.exe | 31
PID 828 wrote to memory of 1844 | 828 | net.exe | 32
PID 828 wrote to memory of 1844 | 828 | net.exe | 32
PID 828 wrote to memory of 1844 | 828 | net.exe | 32
PID 828 wrote to memory of 1844 | 828 | net.exe | 32
PID 948 wrote to memory of 888 | 948 | iexplore.exe | 34
PID 948 wrote to memory of 888 | 948 | iexplore.exe | 34
PID 948 wrote to memory of 888 | 948 | iexplore.exe | 34
PID 948 wrote to memory of 888 | 948 | iexplore.exe | 34
PID 1676 wrote to memory of 1284 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 35
PID 1676 wrote to memory of 1284 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 35
PID 1676 wrote to memory of 1284 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 35
PID 1676 wrote to memory of 1284 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 35
PID 1676 wrote to memory of 1284 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 35
PID 1676 wrote to memory of 1284 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 35
PID 1676 wrote to memory of 1284 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 35
PID 1676 wrote to memory of 1284 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 35
PID 1676 wrote to memory of 1284 | 1676 | 0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe | 35
Processes (indentation shows the parent/child process tree)
C:\Users\Admin\AppData\Local\Temp\0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe"
  PID: 1676
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: /c net stop MpsSvc
    PID: 1228
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      Command line: net stop MpsSvc
      PID: 828
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MpsSvc
        PID: 1844
  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    PID: 948
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:275457 /prefetch:2
      PID: 888
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0bde70cdea5b77fd8f0b234b0aa6cd2dbf0ce533f2e476665d6ed3bec1331316.exe
    PID: 1284
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 608B
MD5: adf03ee4330df1dbfa7f77912ade4066
SHA1: 1ddb8428a65371265066c1a5f021c7fa37aa29cd
SHA256: b4229af6efe0277f2f600f46899c1d4be07f5cf4937abfba2a56f0cbaf6249c7
SHA512: c9046c60c928a0a481856d0a44777a8008b7eeec7fde251a010ed250eae0fa417fe2ed203cc79597fc62b7c479550d24f4ffe5ceaaa18dab1d41ffffca71e99e