Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 30/10/2022, 05:16
Static task
- static1
Behavioral task
- behavioral1: Sample 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe, Resource win7-20220901-en
Behavioral task
- behavioral2: Sample 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe, Resource win10v2004-20220812-en
General
- Target: 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
- Size: 932KB
- MD5: 9390a7a07408c32c5996f5ed706c2fb8
- SHA1: 0e234904d75e4d432199426bbc812bb55253a540
- SHA256: 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae
- SHA512: 9b509242a6ea2a00ac8b8462bb0fc1862e75be805651674ad1be09d6b38a3cf4f486246be10034936c2cc69ff8f7b7e28decdeafc4c819fbdd5b92cd58f21ec3
- SSDEEP: 3072:yvxRc7U/tY6nCyILZ7TNlPgYGIqMWWAo2U8uCGGmj/h8RwmoCGOs7hem7TDXL7iX:yyPfMNRPlM0Q1hU
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (process: 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe:*:Enabled:3ASFH" (process: 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe)

Executes dropped EXE (2 IoCs)
- PID 1132 svchost.exe
- PID 1144 svchost.exe

Modifies Windows Firewall (1 TTP, 2 IoCs)
- PID 552 netsh.exe
- PID 1536 netsh.exe

Loads dropped DLL (2 IoCs)
- PID 1776 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
- PID 1776 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ (process: 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3ASFH = "svchost.exe" (process: 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (process: 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\3ASFH = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (process: 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe)

Suspicious use of SetThreadContext (2 IoCs)
- PID 1204 (3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe) set thread context of PID 1776 (target procid 27)
- PID 1132 (svchost.exe) set thread context of PID 1144 (target procid 31)

Drops file in Program Files directory (64 IoCs)
Created by 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe (28 files):
- C:\Program Files (x86)\icq\shared folder\Steam Account Stealer.exe
- C:\Program Files (x86)\emule\incoming\Kaspersky 2010 Full Suite Keygen.exe
- C:\Program Files (x86)\icq\shared folder\Microsoft Visual C++ 2008 KeyGen.exe
- C:\Program Files (x86)\edonkey2000\incoming\Microsoft Visual Studio 2008 KeyGen.exe
- C:\Program Files (x86)\limewire\shared\Norton Internet Security 2010 Keygen.exe
- C:\Program Files (x86)\kazaa lite\my shared folder\Adobe Photoshop Keygen.exe
- C:\Program Files (x86)\kazaa lite k++\my shared folder\DivX Pro KeyGen.exe
- C:\Program Files (x86)\grokster\my grokster\WOW Account Cracker.exe
- C:\Program Files (x86)\tesla\files\Kaspersky Internet Security Keygen.exe
- C:\Program Files (x86)\winmx\shared\Partition Magic 8 Full package.exe
- C:\Program Files (x86)\emule\incoming\Movie Maker Keygen.exe
- C:\Program Files (x86)\emule\incoming\RuneScape 2009 - Newest Exploits.exe
- C:\Program Files (x86)\winmx\shared\Limewire Pro Downloader.exe
- C:\Program Files (x86)\kazaa lite\my shared folder\PhotoShop Keygen.exe
- C:\Program Files (x86)\kazaa lite k++\my shared folder\YIM HAcker 2009.exe
- C:\Program Files (x86)\icq\shared folder\Microsoft Visual Basic 2008 KeyGen.exe
- C:\Program Files (x86)\morpheus\my shared folder\RuneScape Gold Exploit.exe
- C:\Program Files (x86)\morpheus\my shared folder\Adobe Photoshop CS3 Keygen.exe
- C:\Program Files (x86)\kazaa lite k++\my shared folder\Adobe Keygen.exe
- C:\Program Files (x86)\grokster\my grokster\RuneScape Gold Exploit.exe
- C:\Program Files (x86)\emule\incoming\Windows XP Media Center Keygen.exe
- C:\Program Files (x86)\grokster\my grokster\Photoshop Crack.exe
- C:\Program Files (x86)\edonkey2000\incoming\Avira Internet Security 2010 Keygen.exe
- C:\Program Files (x86)\emule\incoming\Myspace Attack.exe
- C:\Program Files (x86)\morpheus\my shared folder\Adobe Photoshop Crack.exe
- C:\Program Files (x86)\limewire\shared\Virus Generator.exe
- C:\Program Files (x86)\kazaa lite k++\my shared folder\Microsoft Visual Studio 2008 KeyGen.exe
- C:\Program Files (x86)\bearshare\shared\Microsoft Visual Studio 2008 KeyGen.exe
Created by svchost.exe (36 files):
- C:\Program Files (x86)\kazaa lite\my shared folder\Kaspersky Internet Security Keygen.exe
- C:\Program Files (x86)\kazaa lite k++\my shared folder\Photoshop Crack.exe
- C:\Program Files (x86)\edonkey2000\incoming\AOL Hacker 2009.exe
- C:\Program Files (x86)\edonkey2000\incoming\Photoshop Crack.exe
- C:\Program Files (x86)\limewire\shared\Adobe Keygen.exe
- C:\Program Files (x86)\kazaa lite\my shared folder\Limewire Pro Downloader.exe
- C:\Program Files (x86)\edonkey2000\incoming\YIM HAcker 2009.exe
- C:\Program Files (x86)\kazaa\my shared folder\WOW Account Cracker.exe
- C:\Program Files (x86)\bearshare\shared\Counter-Strike Source KeyGen.exe
- C:\Program Files (x86)\emule\incoming\DeadSpace KeyGen.exe
- C:\Program Files (x86)\winmx\shared\YIM HAcker 2008.exe
- C:\Program Files (x86)\kazaa lite k++\my shared folder\Myspace Attack.exe
- C:\Program Files (x86)\icq\shared folder\Windows 2008 Server KeyGen.exe
- C:\Program Files (x86)\bearshare\shared\Myspace Cracker.exe
- C:\Program Files (x86)\tesla\files\YIM HAcker 2008.exe
- C:\Program Files (x86)\edonkey2000\incoming\Nod32 Antivirus Keygen.exe
- C:\Program Files (x86)\winmx\shared\Nod32 Internet Security Keygen.exe
- C:\Program Files (x86)\kazaa\my shared folder\Avira Internet Security 2010 Keygen.exe
- C:\Program Files (x86)\edonkey2000\incoming\Windows XP Media Center Keygen.exe
- C:\Program Files (x86)\bearshare\shared\Microsoft Visual C++ 2008 KeyGen.exe
- C:\Program Files (x86)\icq\shared folder\Myspace Cracker.exe
- C:\Program Files (x86)\emule\incoming\Kaspersky Internet Security Keygen.exe
- C:\Program Files (x86)\tesla\files\RuneScape 2009 - Newest Exploits.exe
- C:\Program Files (x86)\kazaa\my shared folder\RuneScape Cracker.exe
- C:\Program Files (x86)\kazaa lite k++\my shared folder\PhotoShop Keygen.exe
- C:\Program Files (x86)\emule\incoming\Microsoft Visual Basic 2008 KeyGen.exe
- C:\Program Files (x86)\tesla\files\Windows XP Media Center Keygen.exe
- C:\Program Files (x86)\edonkey2000\incoming\Adobe Photoshop CS3 Keygen.exe
- C:\Program Files (x86)\emule\incoming\Microsoft Visual C++ 6 KeyGen.exe
- C:\Program Files (x86)\edonkey2000\incoming\Tcpip Patch.exe
- C:\Program Files (x86)\emule\incoming\Myspace Attack.exe
- C:\Program Files (x86)\tesla\files\Myspace Cracker.exe
- C:\Program Files (x86)\kazaa\my shared folder\TuneUp 2010 Keygen.exe
- C:\Program Files (x86)\kazaa\my shared folder\Virus Generator.exe
- C:\Program Files (x86)\kazaa lite\my shared folder\Myspace Attack.exe
- C:\Program Files (x86)\bearshare\shared\RuneScape Cracker.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1204 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe
- PID 1132 svchost.exe

Suspicious use of WriteProcessMemory (30 IoCs)
- PID 1204 (3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe) wrote to memory of PID 1776 (target procid 27): 9 events
- PID 1776 (3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe) wrote to memory of PID 552 (target procid 28): 4 events
- PID 1776 (3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe) wrote to memory of PID 1536 (target procid 29): 4 events
- PID 1776 (3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe) wrote to memory of PID 1132 (target procid 30): 4 events
- PID 1132 (svchost.exe) wrote to memory of PID 1144 (target procid 31): 9 events
Processes
- C:\Users\Admin\AppData\Local\Temp\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe (PID 1204, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe (PID 1776, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe"
    Signatures: Modifies firewall policy service; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 552, depth 3)
      Command line: netsh firewall add allowedprogram 1.exe 1 ENABLE
      Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe (PID 1536, depth 3)
      Command line: netsh firewall add allowedprogram 1.exe 1 ENABLE
      Signatures: Modifies Windows Firewall
    - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1132, depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1144, depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        Signatures: Executes dropped EXE; Drops file in Program Files directory
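The behaviours recorded above map directly onto host-telemetry detections: a file named svchost.exe executing from AppData\Roaming rather than a system directory, netsh adding a firewall exception, Run-key values that are a bare file name or point into the user profile, a direct write to the legacy FirewallPolicy AuthorizedApplications list by a non-system image, lure-named executables dropped into peer-to-peer share folders, and each stage launching a second copy of itself immediately before the SetThreadContext/WriteProcessMemory sequence. The following Python is an added example, not tria.ge output and not part of this report: it runs hypothetical rules over constructed Sysmon-style events that mirror the process tree, registry writes and file drops above, plus benign control events (a real System32 svchost.exe, an installer registering a Run key) that must not fire. The event field names, the rule names and the P2P share-folder list are assumptions made for the example.

```python
"""Detection rules for the behaviours in this sandbox report, run over
constructed Sysmon-style events. Added example, not sandbox output; the
event field names (type/pid/image/parent_image/cmdline/key/value/path)
and the rule set are assumptions."""
import re
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + \
    "3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
FW_LIST = (r"HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters"
           r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed events mirroring the report's process tree, registry writes and
# file drops (not real telemetry), followed by benign controls that must not fire.
EVENTS = [
    {"type": "process", "pid": 1776, "image": SAMPLE, "parent_image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 552, "image": NETSH, "parent_image": SAMPLE,
     "cmdline": "netsh firewall add allowedprogram 1.exe 1 ENABLE"},
    {"type": "process", "pid": 1536, "image": NETSH, "parent_image": SAMPLE,
     "cmdline": "netsh firewall add allowedprogram 1.exe 1 ENABLE"},
    {"type": "process", "pid": 1132, "image": DROPPED, "parent_image": SAMPLE, "cmdline": f'"{DROPPED}"'},
    {"type": "process", "pid": 1144, "image": DROPPED, "parent_image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"type": "registry", "image": SAMPLE, "value": "svchost.exe",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3ASFH"},
    {"type": "registry", "image": SAMPLE, "value": DROPPED,
     "key": r"HKU\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\3ASFH"},
    {"type": "registry", "image": SAMPLE, "key": FW_LIST + "\\" + SAMPLE, "value": f"{SAMPLE}:*:Enabled:3ASFH"},
    {"type": "file", "image": SAMPLE, "path": r"C:\Program Files (x86)\emule\incoming\Kaspersky 2010 Full Suite Keygen.exe"},
    {"type": "file", "image": DROPPED, "path": r"C:\Program Files (x86)\kazaa lite\my shared folder\Photoshop Crack.exe"},
    {"type": "file", "image": DROPPED, "path": r"C:\Program Files (x86)\limewire\shared\Adobe Keygen.exe"},
    # Benign controls: the real svchost.exe, and an installer that registers a Run key.
    {"type": "process", "pid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry", "image": MSIEXEC, "value": r"C:\Program Files\Vendor\agent.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
    {"type": "file", "image": MSIEXEC, "path": r"C:\Program Files\Vendor\agent.exe"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Share directories of the P2P clients named in the report's drop list (assumed list).
P2P_SHARE = re.compile(
    r"\\(kazaa[^\\]*\\my shared folder|emule\\incoming|edonkey2000\\incoming|limewire\\shared"
    r"|bearshare\\shared|winmx\\shared|morpheus\\my shared folder|grokster\\my grokster"
    r"|icq\\shared folder|tesla\\files)\\", re.I)
# Legacy "netsh firewall add allowedprogram" and modern "netsh advfirewall firewall add rule".
NETSH_ALLOW = re.compile(r"\bfirewall\s+add\s+(allowedprogram|rule)\b", re.I)


def split_image(path):
    """Lower-cased (directory, file name) of a Windows path; works on any host OS."""
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.name.lower()


def in_system_dir(path):
    return split_image(path)[0].startswith(SYSTEM_DIRS)


def rule_masquerade(ev):
    """T1036.005: a process named like a core Windows binary but not loaded from a system directory."""
    return (ev["type"] == "process" and split_image(ev["image"])[1] in SYSTEM_NAMES
            and not in_system_dir(ev["image"]))


def rule_netsh_allow(ev):
    """T1562.004: netsh adding a firewall exception, whichever syntax is used."""
    return (ev["type"] == "process" and split_image(ev["image"])[1] == "netsh.exe"
            and NETSH_ALLOW.search(ev["cmdline"]) is not None)


def rule_run_key_user_path(ev):
    """T1547.001: Run value that is a bare file name (resolved through the search path at
    logon, as "svchost.exe" is here) or that points into a user-writable location."""
    if ev["type"] != "registry" or "\\currentversion\\run\\" not in ev["key"].lower():
        return False
    v = ev["value"].strip('"').lower()
    return "\\" not in v or any(m in v for m in ("\\appdata\\", "\\users\\public\\", "\\temp\\"))


def rule_firewall_list_write(ev):
    """Direct write to the legacy FirewallPolicy AuthorizedApplications list by a non-system image."""
    k = ev.get("key", "").lower()
    if ev["type"] != "registry" or "\\firewallpolicy\\" not in k or "\\authorizedapplications\\list" not in k:
        return False
    return not in_system_dir(ev["image"])


def rule_p2p_lure_drop(ev):
    """Executable written into a P2P share directory: worm propagation via lure file names."""
    return (ev["type"] == "file" and ev["path"].lower().endswith(".exe")
            and P2P_SHARE.search(ev["path"]) is not None)


def rule_self_spawn(ev):
    """An image launching a second copy of itself, the setup step before the SetThreadContext /
    WriteProcessMemory hollowing in the report. Weak on its own; correlate with the other rules."""
    return ev["type"] == "process" and ev["image"].lower() == ev["parent_image"].lower()


RULES = {
    "masquerading_system_binary": rule_masquerade,
    "netsh_firewall_exception": rule_netsh_allow,
    "run_key_user_writable": rule_run_key_user_path,
    "firewall_policy_list_write": rule_firewall_list_write,
    "p2p_share_lure_drop": rule_p2p_lure_drop,
    "self_spawn": rule_self_spawn,
}


def run_rules(events):
    """Return (rule_name, event) for every rule that fires on every event."""
    return [(name, ev) for ev in events for name, fn in RULES.items() if fn(ev)]


def summarize(events):
    """Hit count per rule, the shape a triage verdict is built from."""
    return Counter(name for name, _ in run_rules(events))


if __name__ == "__main__":
    for name, count in sorted(summarize(EVENTS).items()):
        print(f"{name:30s} {count}")
```

Each rule is deliberately narrow; the report's value is the combination (masquerading plus self-spawn plus a firewall exception plus Run-key persistence from the same process chain), so a real deployment would correlate hits by process lineage rather than alert on any single rule.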
Network
MITRE ATT&CK Enterprise v6
Downloads
Five download entries, all with identical hashes (byte-identical copies of the submitted sample):
- Filesize: 932KB
- MD5: 9390a7a07408c32c5996f5ed706c2fb8
- SHA1: 0e234904d75e4d432199426bbc812bb55253a540
- SHA256: 3ac9e67360ec258e374581b9e60d3e82f59b29fcefc58edf8877f14f996416ae
- SHA512: 9b509242a6ea2a00ac8b8462bb0fc1862e75be805651674ad1be09d6b38a3cf4f486246be10034936c2cc69ff8f7b7e28decdeafc4c819fbdd5b92cd58f21ec3