Analysis
max time kernel: 149s
max time network: 141s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 30/10/2022, 19:31

Static task: static1
Behavioral task: behavioral1
  Sample: 96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe
  Resource: win10v2004-20220812-en
General
Target: 96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe
Size: 160KB
MD5: 836aa5038f6147d3fdf74a451241bf50
SHA1: c2ef8d7e5656f0ae295e02be47571258d7e0edc1
SHA256: 96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718
SHA512: d15c6eb906afa219f0768bcb2f134040ea491402e079f6ee628e8e0aba0c6bbb63ff3f36aa89ca891b1a3b058eebec240579dfcf6d5bc6aa53deb215d98d090b
SSDEEP: 1536:F+gDbKlmyJKz5jR7766dxocisPfDsCUjhe+SPBp9oEoTTLgY++++1sY+++++ZDdM:FxbkuVbvLn7Uj3
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, by svchost.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\64306 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msciqial.scr", by svchost.exe

Executes dropped EXE (3 IoCs)
  PID 1380 xplorer.exe; PID 1188 xplorer.exe; PID 996 xplorer.exe

YARA rule match: upx (9 IoCs; the signature header is missing from the page, the rule name is taken from the table)
  behavioral1/memory/1932-57-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1932-59-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1932-60-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1932-63-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1932-65-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1932-68-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1932-101-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1188-102-0x0000000000400000-0x000000000040B000-memory.dmp
  behavioral1/memory/1188-109-0x0000000000400000-0x000000000040B000-memory.dmp

Loads dropped DLL (4 IoCs)
  PID 1932 96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe (4 times)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run, by reg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\xplorer = "C:\\Windows\\xplorer\\xplorer.exe", by reg.exe

Checks whether UAC is enabled (2 IoCs; header restored from the process tree, where the signature is listed by this name)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by 96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by xplorer.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum, by xplorer.exe
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0, by xplorer.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1880 (96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe) set thread context of 1932, procid_target 27
  PID 1380 (xplorer.exe) set thread context of 1188, procid_target 32
  PID 1380 (xplorer.exe) set thread context of 996, procid_target 33

Drops file in Program Files directory (1 IoC)
  File created: C:\PROGRA~3\LOCALS~1\Temp\msciqial.scr, by svchost.exe

Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\xplorer\xplorer.exe, by 96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe
  File opened for modification: C:\Windows\xplorer\xplorer.exe, by 96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe
  File opened for modification: C:\Windows\xplorer\xplorer.exe, by svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 996 xplorer.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 996 xplorer.exe (2 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, PID 1188 xplorer.exe (the same entry repeated 64 times)

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1880 96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe; PID 1932 96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe; PID 1380 xplorer.exe; PID 1188 xplorer.exe

Suspicious use of WriteProcessMemory (39 IoCs, grouped by source and target; target images are taken from the process tree)
  PID 1880 (96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe) wrote to memory of 1932 (same image), procid_target 27, 8 times
  PID 1932 (96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe) wrote to memory of 1940 (cmd.exe), procid_target 28, 4 times
  PID 1940 (cmd.exe) wrote to memory of 1720 (reg.exe), procid_target 30, 4 times
  PID 1932 (96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe) wrote to memory of 1380 (xplorer.exe), procid_target 31, 4 times
  PID 1380 (xplorer.exe) wrote to memory of 1188 (xplorer.exe), procid_target 32, 8 times
  PID 1380 (xplorer.exe) wrote to memory of 996 (xplorer.exe), procid_target 33, 7 times
  PID 996 (xplorer.exe) wrote to memory of 1672 (svchost.exe), procid_target 34, 4 times
Processes
Depth follows the report's own numbering (1 = submitted sample, 2 = its child, and so on); the bullets under each process are the signatures that fired in it.

1. C:\Users\Admin\AppData\Local\Temp\96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe, PID 1880
   Command line: "C:\Users\Admin\AppData\Local\Temp\96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe, PID 1932 (parent 1880)
     Command line: "C:\Users\Admin\AppData\Local\Temp\96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe"
     - Loads dropped DLL
     - Checks whether UAC is enabled
     - Drops file in Windows directory
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\cmd.exe, PID 1940 (parent 1932)
       Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QDHDA.bat" "
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\SysWOW64\reg.exe, PID 1720 (parent 1940)
         Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f
         - Adds Run key to start application

    3. C:\Windows\xplorer\xplorer.exe, PID 1380 (parent 1932)
       Command line: "C:\Windows\xplorer\xplorer.exe"
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\xplorer\xplorer.exe, PID 1188 (parent 1380)
         Command line: "C:\Windows\xplorer\xplorer.exe"
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx

      4. C:\Windows\xplorer\xplorer.exe, PID 996 (parent 1380)
         Command line: "C:\Windows\xplorer\xplorer.exe"
         - Executes dropped EXE
         - Maps connected drives based on registry
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\syswow64\svchost.exe, PID 1672 (parent 996)
           Command line: C:\Windows\syswow64\svchost.exe
           - Adds policy Run key to start application
           - Drops file in Program Files directory
           - Drops file in Windows directory
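As an added example (not code from tria.ge, and nothing taken from the sample itself), the following Python turns the report's signature tables and process tree into the detections a practitioner would carry into a hunt: a Run-key or Policies\Explorer\Run write whose value names a file the same run dropped, the WriteProcessMemory-plus-SetThreadContext pairing that marks process hollowing (a write on its own is deliberately not flagged, because the cmd.exe to reg.exe writes in the tree are ordinary child start-up), a look-alike system name (xplorer.exe against explorer.exe) dropped under C:\Windows outside System32 and SysWOW64, and a .scr payload in a Temp directory. The event list, its field names and the rule names are this example's own constructions; PIDs and paths are copied from the report.

```python
"""Turn the report's signatures into detections: persistence, self-injection, masquerading.
Added example, not code from tria.ge. EVENTS is constructed from the report's signature and
process-tree lines; the record layout (kind, pid, image, target, data) is this example's own."""
from collections import Counter, namedtuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str          # process | mem_write | set_thread_context | file_create | reg_set
    pid: int           # acting process
    image: str         # image path of the acting process
    target: str = ""   # target pid as text, file path, or registry value path
    data: str = ""     # registry value data (reg_set only)

Finding = namedtuple("Finding", "rule pid detail")

# Autorun keys written in the report; Policies\Explorer\Run is honoured like Run but watched less often.
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run\\",
            "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\")
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def one_edit_away(a: str, b: str) -> bool:
    """True when a turns into b by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)   # advance the longer side, or both when lengths are equal
        j += len(a) <= len(b)
    return edits + (len(a) - i) + (len(b) - j) == 1

def detect_persistence(events: list) -> list:
    """Run-key writes, plus the stronger case where the value names a file this run dropped."""
    dropped = {e.target.lower() for e in events if e.kind == "file_create"}
    out = []
    for e in events:
        if e.kind == "reg_set" and any(k in e.target.lower() for k in RUN_KEYS):
            out.append(Finding("persistence.run_key", e.pid, f"{e.target} = {e.data}"))
            if e.data.lower() in dropped:
                out.append(Finding("persistence.points_at_dropped_file", e.pid, e.data))
    return out

def detect_injection(events: list) -> list:
    """WriteProcessMemory and SetThreadContext on the same target is the hollowing pattern. A parent
    writing into a child it just started (cmd.exe -> reg.exe in the report) is normal, so a write alone is not flagged."""
    image_of = {e.pid: e.image.lower() for e in events if e.kind == "process"}
    wrote = {(e.pid, int(e.target)) for e in events if e.kind == "mem_write"}
    ctx = {(e.pid, int(e.target)) for e in events if e.kind == "set_thread_context"}
    out = []
    for src, dst in sorted(wrote & ctx):
        rule = "injection.self_hollowing" if image_of.get(src) == image_of.get(dst) else "injection.remote_hollowing"
        out.append(Finding(rule, src, f"{src} -> {dst} {image_of.get(dst, '?')}"))
    return out

def detect_masquerading(events: list) -> list:
    """Executables dropped under C:\\Windows outside the system dirs, and .scr payloads in a Temp dir."""
    out = []
    for e in events:
        if e.kind != "file_create":
            continue
        path = e.target.lower()
        directory, _, name = path.rpartition("\\")
        if path.startswith("c:\\windows\\") and directory not in SYSTEM_DIRS:
            if name in SYSTEM_NAMES:
                out.append(Finding("masquerade.system_name_outside_system_dir", e.pid, e.target))
            elif any(one_edit_away(name, s) for s in SYSTEM_NAMES):
                out.append(Finding("masquerade.lookalike_name", e.pid, e.target))
        if name.endswith(".scr") and "\\temp\\" in path:   # a .scr is a PE and runs like an .exe
            out.append(Finding("suspicious.scr_in_temp", e.pid, e.target))
    return out

def triage(events: list) -> list:
    return detect_persistence(events) + detect_injection(events) + detect_masquerading(events)

def count_by_rule(events: list) -> dict:
    return dict(Counter(f.rule for f in triage(events)))

# Constructed from the report's process tree and signature tables (PIDs and paths as printed there).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\96b914882817d25e1490e774f163bd79e6116358f2e779fd809dc2c534eb3718.exe"
XPLORER, SCR = r"C:\Windows\xplorer\xplorer.exe", r"C:\PROGRA~3\LOCALS~1\Temp\msciqial.scr"
CMD, REG, SVCHOST = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe", r"C:\Windows\syswow64\svchost.exe"
PROCS = {1880: SAMPLE, 1932: SAMPLE, 1940: CMD, 1720: REG, 1380: XPLORER, 1188: XPLORER, 996: XPLORER, 1672: SVCHOST}
WRITES = [(1880, 1932), (1932, 1940), (1940, 1720), (1932, 1380), (1380, 1188), (1380, 996), (996, 1672)]
SET_CTX = [(1880, 1932), (1380, 1188), (1380, 996)]
HKCU_RUN = r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\xplorer"
HKLM_POLICY_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\64306"
EVENTS = (
    [Event("process", p, img) for p, img in PROCS.items()]
    + [Event("mem_write", s, PROCS[s], str(d)) for s, d in WRITES]
    + [Event("set_thread_context", s, PROCS[s], str(d)) for s, d in SET_CTX]
    + [Event("file_create", 1932, SAMPLE, XPLORER), Event("file_create", 1672, SVCHOST, SCR),
       Event("reg_set", 1720, REG, HKCU_RUN, XPLORER), Event("reg_set", 1672, SVCHOST, HKLM_POLICY_RUN, SCR)]
)

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:40} pid={f.pid:<5} {f.detail}")
```

Run as-is it prints one line per finding: two run-key writes, both pointing at files dropped during the run, three self-hollowing pairs (1880 into 1932, 1380 into 1188 and 996), the look-alike xplorer.exe, and the .scr in Temp. On a live host the registry and file checks map onto Sysmon Event ID 13 (registry value set) and Event ID 11 (file create); Sysmon has no SetThreadContext event, so the hollowing pair needs an EDR or sandbox trace, which is why the write-only pairs are left alone rather than used as a weaker proxy.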
Network
MITRE ATT&CK Enterprise v6
Downloads
- 124B file
  Filesize: 124B
  MD5: 4e6e99d38b1264af2b53a68c7cd6d648
  SHA1: 55ffe17732d1d9c539d702a1311ef9674fe7b3cf
  SHA256: 168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0
  SHA512: bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d
- 160KB file (this entry appears eight times in the report's list; it is shown once here). It is the same size as the submitted sample but has a different hash, so it is not a byte-for-byte copy of it.
  Filesize: 160KB
  MD5: 3d654c651354cf34ae46e943535d569a
  SHA1: 5ec37de0b88899fd482914c5be301d6ca1d84608
  SHA256: e9c59e4570babca3b3f54b9387a633ea32171d39f2bd492b88f8914c143dee4b
  SHA512: 5ac689fc0bc5ff7010928a56d003e8abf67784118905f8403d423f9e103e84630763f239e317b0f36d8324a58f0d189090ac76915743d2edf86329f32448421e