Analysis
max time kernel: 41s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/11/2022, 21:39
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20220812-en)
General
Target: file.exe
Size: 811KB
MD5: cc25b34fae0fab4310a268da338a6fca
SHA1: 54ae3e4451557295cefc0cad7685ba223a66ef29
SHA256: 1c4b01e1cc2b754ed518f940a1ac36d0b41a6b2ef0699679d970ebaadcc42446
SHA512: 39a52578f9e21cf78b7be5bf5447a677110c407b4e8b05aec17fd43c8ad1afc15f1c0c4825bd5e82abae9ec1859ccdf4ef47290feb2189085848142454dc519b
SSDEEP: 12288:5zOf/G5jWDiMB00nwVzMmd9CRnm1cNj9KHhShnKjxazKes7H:5yXIjaFLwRMmWm1cNh6hShKjxaq
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1736  Process Actively.exe.pif
Loads dropped DLL (1 IoC)
  pid 1768  Process cmd.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  Process file.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce  Process file.exe
Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid 1000  Process tasklist.exe
  pid 452   Process tasklist.exe
Runs ping.exe (1 TTP, 2 IoCs)
  pid 1780  Process PING.EXE
  pid 1452  Process PING.EXE
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 1736  Process Actively.exe.pif  (reported 3 times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1000  Process tasklist.exe
  Token: SeDebugPrivilege  pid 452   Process tasklist.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 1736  Process Actively.exe.pif  (reported 3 times)
Suspicious use of SendNotifyMessage (3 IoCs)
  pid 1736  Process Actively.exe.pif  (reported 3 times)
Suspicious use of WriteProcessMemory (44 IoCs)
  description                       pid   Process   procid_target
  PID 1248 wrote to memory of 1220  1248  file.exe  26
  PID 1248 wrote to memory of 628   1248  file.exe  28
  PID 628 wrote to memory of 1768   628   cmd.exe   30
  PID 1768 wrote to memory of 1000  1768  cmd.exe   31
  PID 1768 wrote to memory of 272   1768  cmd.exe   32
  PID 1768 wrote to memory of 452   1768  cmd.exe   34
  PID 1768 wrote to memory of 1544  1768  cmd.exe   35
  PID 1768 wrote to memory of 1348  1768  cmd.exe   36
  PID 1768 wrote to memory of 1736  1768  cmd.exe   37
  PID 1768 wrote to memory of 1780  1768  cmd.exe   38
  PID 628 wrote to memory of 1452   628   cmd.exe   39
  (each row is reported 4 times, 44 IoCs in total)
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1248
  C:\Windows\SysWOW64\bitsadmin.exe  (depth 2)
    command line: bitsadmin bitsadmin bitsadmin bitsadmin bitsadmin bitsadmin bitsadmin
    PID: 1220
  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    command line: cmd /c cmd < Hazard.mdb & ping -n 5 localhost
    - Suspicious use of WriteProcessMemory
    PID: 628
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: cmd
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1768
      C:\Windows\SysWOW64\tasklist.exe  (depth 4)
        command line: tasklist /FI "imagename eq AvastUI.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 1000
      C:\Windows\SysWOW64\find.exe  (depth 4)
        command line: find /I /N "avastui.exe"
        PID: 272
      C:\Windows\SysWOW64\tasklist.exe  (depth 4)
        command line: tasklist /FI "imagename eq AVGUI.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 452
      C:\Windows\SysWOW64\find.exe  (depth 4)
        command line: find /I /N "avgui.exe"
        PID: 1544
      C:\Windows\SysWOW64\findstr.exe  (depth 4)
        command line: findstr /V /R "^zTPUrZ$" Lamps.mdb
        PID: 1348
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Actively.exe.pif  (depth 4)
        command line: Actively.exe.pif o
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 1736
      C:\Windows\SysWOW64\PING.EXE  (depth 4)
        command line: ping localhost -n 5
        - Runs ping.exe
        PID: 1780
    C:\Windows\SysWOW64\PING.EXE  (depth 3)
      command line: ping -n 5 localhost
      - Runs ping.exe
      PID: 1452
Network
MITRE ATT&CK Enterprise v6
Downloads