Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
160s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26/11/2022, 19:55
Static task
static1
Behavioral task
behavioral1
Sample
7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe
Resource
win10v2004-20220812-en
General
-
Target
7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe
-
Size
916KB
-
MD5
7e01aac13f28affd9c5d1b72d50fbfed
-
SHA1
2a6d8e4a3c28cec8043c7e4fba89bf01043eb065
-
SHA256
7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3
-
SHA512
b5e7307962ba7ff410541e015a7fe0ca30d5b0ee3baa865a926db2c6b238e6d12891de1ac3eddd503f2e298d57edbb436bc8bb41494d145480133e8f30f848a4
-
SSDEEP
12288:GnDs62f6fw3H5jRtuPhgsK/aex1fVnXHp1lCi6qVNb55aJ6ahco6WZN1vTwG8VsR:GnD2f/yUa8fVn3DlCt6o1R5Y
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Roaming\\Default Folder\\Default File.exe" 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe File opened for modification C:\Windows\assembly\Desktop.ini 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1680 set thread context of 4108 1680 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe 80 -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe File opened for modification C:\Windows\assembly\Desktop.ini 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe File opened for modification C:\Windows\assembly 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4108 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4108 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4108 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1680 wrote to memory of 4108 1680 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe 80 PID 1680 wrote to memory of 4108 1680 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe 80 PID 1680 wrote to memory of 4108 1680 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe 80 PID 1680 wrote to memory of 4108 1680 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe 80 PID 1680 wrote to memory of 4108 1680 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe 80 PID 1680 wrote to memory of 4108 1680 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe 80 PID 1680 wrote to memory of 4108 1680 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe 80 PID 1680 wrote to memory of 4108 1680 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe"C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe"C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe"2⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4108
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe.log
Filesize319B
MD5a4da81a3544d9cd85f257967c0a431fe
SHA1ba6f59ae5c6a2674a1fda758b5ded92f76d5edb3
SHA256ad372efe5e610b9c2a331ac8f17f83542ef78b92c875c206d76c84e158fb271e
SHA51212348d4cb4b6534a43f122d18fc7276c524c5b7e8f242f446eefb4d2ffea8018aed53a854cb840b2f30669caf74d14daff4276c6676a15221c58c84b210d393f