Analysis
Max time kernel: 148s
Max time network: 48s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 26/11/2022, 01:48
Static task: static1
Behavioral task: behavioral1
  Sample: 0bcb7bb58e454831ef2b3efcb7feed3038d95759e5774667c1cda7491560da51.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 0bcb7bb58e454831ef2b3efcb7feed3038d95759e5774667c1cda7491560da51.exe
  Resource: win10v2004-20220901-en
General
Target: 0bcb7bb58e454831ef2b3efcb7feed3038d95759e5774667c1cda7491560da51.exe
Size: 542KB
MD5: 7aba5437319eaa21b342330cfb5a7df1
SHA1: e29f42a993a1c70b132ff2844d606166bb23322a
SHA256: 0bcb7bb58e454831ef2b3efcb7feed3038d95759e5774667c1cda7491560da51
SHA512: 327a09189970ab18ab6c0a3bfa91a32eff12b0f45640d2fce5436afe21f7d4105d6c0ab9f4d214df3ac71a8c7fa11952117e4812ebb6d043f8978917634b3a82
SSDEEP: 6144:1lTfkyn+LWAsEekNs2P6/a0R2GnT7CXjmXLaRVTiKtUSzJoIX0sQ4lSys45yxxsU:1lTfkkiWH6so6OGT7aqX40S9/Zfs45j
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\RTxL6O1BoG3vlKf5\\hoROxuCXE4yM.exe\",explorer.exe"
  Process: 0bcb7bb58e454831ef2b3efcb7feed3038d95759e5774667c1cda7491560da51.exe
Drops file in Drivers directory (1 IoC)
  Description: File opened for modification
  IoC: C:\Windows\system32\drivers\etc\hosts
  Process: 0bcb7bb58e454831ef2b3efcb7feed3038d95759e5774667c1cda7491560da51.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID: 2016
  Process: 0bcb7bb58e454831ef2b3efcb7feed3038d95759e5774667c1cda7491560da51.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeDebugPrivilege
  PID: 2016
  Process: 0bcb7bb58e454831ef2b3efcb7feed3038d95759e5774667c1cda7491560da51.exe
Suspicious use of SetWindowsHookEx (3 IoCs, all from the same process)
  PID: 2016
  Process: 0bcb7bb58e454831ef2b3efcb7feed3038d95759e5774667c1cda7491560da51.exe
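The two persistence artefacts above are cheap to hunt for on a live host: the sample set the per-user Winlogon Shell value to its dropped binary chained in front of explorer.exe (so the desktop still loads and nothing looks broken), and it opened the hosts file for modification. The script below is an added example written for this page, not code from tria.ge or from the sample; it assumes a stock Windows install where Shell is "explorer.exe" and every line of the hosts file is a comment, and should be run from an elevated PowerShell so that all loaded user hives under HKEY_USERS are readable.

```powershell
# Added example (not part of the tria.ge report): hunt for a Winlogon\Shell
# override and for live hosts-file entries on the host this runs on.
# Assumption: a clean machine has Shell = "explorer.exe" (HKLM, rarely per-user)
# and a hosts file that contains only comment lines.

$defaultShell = 'explorer.exe'
$findings = New-Object System.Collections.Generic.List[object]

# Machine-wide Winlogon key plus the same key in every loaded user hive
# (this sample wrote the per-user one under the SID of the logged-on user).
$winlogonKeys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
$userHives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' }
foreach ($hive in $userHives) {
    $winlogonKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
}

foreach ($key in $winlogonKeys) {
    # Get-ItemProperty returns $null (silently) when the key or the Shell value is absent.
    $props = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.Shell.Trim() -ne $defaultShell) {
        $findings.Add([pscustomobject]@{
            Type  = 'WinlogonShell'
            Where = $key
            Value = $props.Shell   # e.g. "C:\...\hoROxuCXE4yM.exe",explorer.exe
        })
    }
}

# hosts file: report every active (non-comment) line and the last write time,
# which is what the "Drops file in Drivers directory" signature corresponds to.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    $active = Get-Content $hostsPath | Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') }
    foreach ($line in $active) {
        $findings.Add([pscustomobject]@{ Type = 'HostsEntry'; Where = $hostsPath; Value = $line.Trim() })
    }
    "hosts last written (UTC): $((Get-Item $hostsPath).LastWriteTimeUtc)"
}

if ($findings.Count -eq 0) {
    'No Winlogon Shell override and no active hosts entries found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any WinlogonShell finding whose value is not exactly explorer.exe deserves a look; legitimate kiosk or shell-replacement software does set it, but a comma-chained path into a user's AppData\Roaming directory, as in this report, is the pattern to treat as hostile until proven otherwise.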
Processes
C:\Users\Admin\AppData\Local\Temp\0bcb7bb58e454831ef2b3efcb7feed3038d95759e5774667c1cda7491560da51.exe (PID 2016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bcb7bb58e454831ef2b3efcb7feed3038d95759e5774667c1cda7491560da51.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx