Analysis
- Max time kernel: 196s
- Max time network: 213s
- Platform: windows7_x64
- Resource: win7-20220812-en
- Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- Submitted: 26/11/2022, 02:13
Static task: static1

Behavioral task: behavioral1
- Sample: cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe
- Resource: win10v2004-20220812-en
General
- Target: cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe
- Size: 75KB
- MD5: 1585d0fe2a7ec9f710a016dee24b1e4f
- SHA1: 6730f34bdf92b11346b1e34e36a7981d8cf55f7e
- SHA256: cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96
- SHA512: 6c7d085a11bc0e91945896815f403546bafc09af4a0300b7822342a784a6cf81a8c4fad20dd88594625d1b9830081c33745532310c653bd13e5c78cfcd95a4d7
- SSDEEP: 1536:+TEmpbswZUH3smQaNWT7lw2YrWCwtMfRBhijv9zwIeAAD3:+TEmuLc2QlwYCwRpu
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: msiexec.exe

UAC bypass (1 IoCs)
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: msiexec.exe

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1249150388 = "C:\\PROGRA~3\\msurf.exe"
  process: msiexec.exe

  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  process: msiexec.exe

Blocklisted process makes network request (9 IoCs)
  flow  pid   process
  3     1920  msiexec.exe
  4     1920  msiexec.exe
  5     1920  msiexec.exe
  8     1920  msiexec.exe
  10    1920  msiexec.exe
  12    1920  msiexec.exe
  16    1920  msiexec.exe
  18    1920  msiexec.exe
  19    1920  msiexec.exe

Disables taskbar notifications via registry modification

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   process                                                                   procid_target
  PID 2036 set thread context of 1184  2036  cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe  27

Drops file in Program Files directory (1 IoCs)
  description: File opened for modification
  ioc: C:\PROGRA~3\msurf.exe
  process: msiexec.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  1184  cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe
  1920  msiexec.exe
  1920  msiexec.exe

Suspicious behavior: MapViewOfSection (25 IoCs)
  pid   process                                                                   occurrences
  1184  cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe  2
  1920  msiexec.exe                                                               23

Suspicious behavior: RenamesItself (1 IoCs)
  pid   process
  1920  msiexec.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                pid   process
  Token: SeDebugPrivilege    1184  cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe
  Token: SeBackupPrivilege   1184  cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe
  Token: SeRestorePrivilege  1184  cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe
  Token: SeDebugPrivilege    1920  msiexec.exe
  Token: SeBackupPrivilege   1920  msiexec.exe
  Token: SeRestorePrivilege  1920  msiexec.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   process                                                                   procid_target  occurrences
  PID 2036 wrote to memory of 1184   2036  cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe  27             9
  PID 1184 wrote to memory of 1920   1184  cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe  28             7
Processes

1. C:\Users\Admin\AppData\Local\Temp\cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe"
   PID: 2036
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cabf6680d0c0c4f2af98f421db2e11795536208ac1cebcc001671cb04f580e96.exe"
      PID: 1184
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: C:\Windows\SysWOW64\msiexec.exe
         PID: 1920
         - Modifies visibility of hidden/system files in Explorer
         - UAC bypass
         - Adds policy Run key to start application
         - Blocklisted process makes network request
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious behavior: RenamesItself
         - Suspicious use of AdjustPrivilegeToken