Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 128s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 21/11/2022, 15:30
Static task: static1
Behavioral task: behavioral1
  Sample: 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
  Resource: win10v2004-20221111-en
General
Target: 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
Size: 100KB
MD5: 0a211a2cb79a221b59cd53fa159350d2
SHA1: 9b34a62a248514dc64c1d91a0edb52fe29028a86
SHA256: 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8
SHA512: 805c6c788a6cdac984278494c53e73c586f01902c9e1b5e5a5b89208ba9f710d378a97b861ba0ef19cebe3719cb93207792a9f495d23c91a15898339075859b0
SSDEEP: 1536:25zsDNdr46AqK/b7xMdIi8stfIEtJxPKWgd8kNycHWf:+67K/b1Qf86xPk8kscHWf
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup = "C:\\Windows\\tcptsys.exe" | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe

Executes dropped EXE (2 IoCs)
pid | Process
1400 | tcptsys.exe
1156 | tcptsys.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\\Windows\\tcptsys.exe" | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 756 set thread context of 1976 | 756 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 28
PID 1400 set thread context of 1156 | 1400 | tcptsys.exe | 30

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\tcptsys.exe | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
File opened for modification | C:\Windows\tcptsys.exe | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
File created | C:\Windows\logfile32.txt | tcptsys.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1976 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
1976 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
1976 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
1156 | tcptsys.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1976 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
Token: SeDebugPrivilege | 1156 | tcptsys.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
756 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
1400 | tcptsys.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 756 wrote to memory of 1976 | 756 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 28
PID 756 wrote to memory of 1976 | 756 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 28
PID 756 wrote to memory of 1976 | 756 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 28
PID 756 wrote to memory of 1976 | 756 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 28
PID 756 wrote to memory of 1976 | 756 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 28
PID 756 wrote to memory of 1976 | 756 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 28
PID 756 wrote to memory of 1976 | 756 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 28
PID 756 wrote to memory of 1976 | 756 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 28
PID 756 wrote to memory of 1976 | 756 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 28
PID 1976 wrote to memory of 1400 | 1976 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 29
PID 1976 wrote to memory of 1400 | 1976 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 29
PID 1976 wrote to memory of 1400 | 1976 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 29
PID 1976 wrote to memory of 1400 | 1976 | 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe | 29
PID 1400 wrote to memory of 1156 | 1400 | tcptsys.exe | 30
PID 1400 wrote to memory of 1156 | 1400 | tcptsys.exe | 30
PID 1400 wrote to memory of 1156 | 1400 | tcptsys.exe | 30
PID 1400 wrote to memory of 1156 | 1400 | tcptsys.exe | 30
PID 1400 wrote to memory of 1156 | 1400 | tcptsys.exe | 30
PID 1400 wrote to memory of 1156 | 1400 | tcptsys.exe | 30
PID 1400 wrote to memory of 1156 | 1400 | tcptsys.exe | 30
PID 1400 wrote to memory of 1156 | 1400 | tcptsys.exe | 30
PID 1400 wrote to memory of 1156 | 1400 | tcptsys.exe | 30
Processes

[1] C:\Users\Admin\AppData\Local\Temp\3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe"
    PID: 756
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8.exe"
      PID: 1976
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\tcptsys.exe
        Command line: "C:\Windows\tcptsys.exe"
        PID: 1400
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\tcptsys.exe
          Command line: "C:\Windows\tcptsys.exe"
          PID: 1156
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 100KB
MD5: 0a211a2cb79a221b59cd53fa159350d2
SHA1: 9b34a62a248514dc64c1d91a0edb52fe29028a86
SHA256: 3361935bbe0f9d1d4fd2cd52d0dcf65e1800fab297abac7341e450b6d407e8d8
SHA512: 805c6c788a6cdac984278494c53e73c586f01902c9e1b5e5a5b89208ba9f710d378a97b861ba0ef19cebe3719cb93207792a9f495d23c91a15898339075859b0