Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
25/11/2022, 12:14
Static task
static1
Behavioral task
behavioral1
Sample
c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe
Resource
win7-20220812-en
windows7-x64
9 signatures
150 seconds
General
-
Target
c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe
-
Size
156KB
-
MD5
8cbb847d4b417c7890e971fa1816e47e
-
SHA1
431e993c91ef518391120a3d6c7d4cdaa8892d92
-
SHA256
c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7
-
SHA512
639512f9a8f05f6fca820eaf2a66934b5cb738dc01bd62fcf9c5e3f06c1c9dd7c725031d24a024f2fa11e28050ba49d2db91ed95d6649bfc76a12ea2c0d14c7f
-
SSDEEP
3072:D/JNqhkWYneP6Gz8pB00e+te46Jkw76aDEmmBsBX4XSYJPkB3K3Wn3GAtUY:DRNqan00e+W2N/i4JPkBK3Wn3GAtV
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe -
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\ c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D3725D01-6CFB-11ED-9351-5A21EB137514} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376171412" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 828 iexplore.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 828 iexplore.exe 828 iexplore.exe 1860 IEXPLORE.EXE 1860 IEXPLORE.EXE 1860 IEXPLORE.EXE 1860 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1848 wrote to memory of 600 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 30 PID 1848 wrote to memory of 600 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 30 PID 1848 wrote to memory of 600 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 30 PID 1848 wrote to memory of 600 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 30 PID 1848 wrote to memory of 600 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 30 PID 1848 wrote to memory of 600 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 30 PID 1848 wrote to memory of 600 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 30 PID 1848 wrote to memory of 1396 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 31 PID 1848 wrote to memory of 1396 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 31 PID 1848 wrote to memory of 1396 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 31 PID 1848 wrote to memory of 1396 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 31 PID 1848 wrote to memory of 1396 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 31 PID 1848 wrote to memory of 1396 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 31 PID 1848 wrote to memory of 1396 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 31 PID 1848 wrote to memory of 828 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 32 PID 1848 wrote to memory of 828 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 32 PID 1848 wrote to memory of 828 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 32 PID 1848 wrote to memory of 828 1848 c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe 32 PID 828 wrote to memory of 1860 828 iexplore.exe 33 PID 828 wrote to memory of 1860 828 iexplore.exe 33 PID 828 wrote to memory of 1860 828 iexplore.exe 33 PID 828 wrote to memory of 1860 828 iexplore.exe 33 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ = "1" c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe"C:\Users\Admin\AppData\Local\Temp\c5f9e877204425477ffa47734827cd95b7bf081df1eba4c81e114c3007c107d7.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Installs/modifies Browser Helper Object
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1848 -
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\SysWOW64\regsvr32.exe /s c:\Users\Admin\sprsmsto\sprsmsto.dll2⤵PID:600
-
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe /s c:\Users\Admin\sprsmsto\sprsmsto.dll2⤵PID:1396
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1860
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
608B
MD5a32c9b6804af4bb8cc2b33ba3d69c223
SHA14248138a2152adac693b5ff960c566de65eb7900
SHA256e4d524f597b49abe71f90cc8052b9bf42efd55166b191fd16bc02f351bc39520
SHA5123cc433629cd48a5c1dcb15374711255109f6abe3c6b0ecccd56306d03fa2c18307a7fadd0513756346ca19c1d96fabea3aa559489a97f09f9f301ef89970f7f3