Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 19s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 27/11/2022, 17:20
Static task
static1
Behavioral task
behavioral1
Sample
e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
Resource
win10v2004-20220901-en
General
Target: e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
Size: 700KB
MD5: 02b982e5f27dcdd312dcb9e7965350a6
SHA1: a818cc4378997be7d6995c72a143bddb468ae608
SHA256: e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d
SHA512: be65f5bee95646bafb9c75bef6157ecae3f85f8ed1d405746c6a6db13d88e84e7a7ca51303467c94fe23fed5e8aef5cd7be0b459a814d104f70348125313e088
SSDEEP: 12288:KRObekMtkfohrPUs37uzHnA6zg5cIsalHERjUrNN/RQ9wgUT5EDExycq:8ObekYkfohrP337uzHnA6cHswHE/6gU6
Malware Config
Signatures
Drops file in System32 directory (47 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\perfmon.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\wextract.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\msra.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\notepad.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\autofmt.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\Dism.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\Magnify.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\PresentationHost.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\regedt32.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\setup16.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\where.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\control.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\cttune.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\cttunesvr.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\dplaysvr.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\msiexec.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\SystemPropertiesRemote.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\xcopy.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\ARP.EXE | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\efsui.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\ocsetup.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\rasphone.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\runonce.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\wermgr.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\dfrgui.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\EhStorAuthn.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\RMActivate_ssp.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\RunLegacyCPLElevated.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\xpsrchvw.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\auditpol.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\dllhst3g.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\doskey.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\fixmapi.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\mountvol.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\regedit.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\cmdl32.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\dnscacheugc.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\icsunattend.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\MigAutoPlay.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\mspaint.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\ndadmin.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\netiougc.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\ntkrnlpa.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\AdapterTroubleshooter.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\RmClient.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\srdelayed.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\SysWOW64\rekeywiz.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe

Drops file in Program Files directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Program Files\Windows Media Player\WMPSideShowGadget.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\bfsvc.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\hh.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
File opened for modification | C:\Windows\twunk_32.exe | e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
Processes
Path: C:\Users\Admin\AppData\Local\Temp\e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e03b3d7ee46fd7c7ec82ced861cfc4f0003c3a80e870be580c8b2ba88c82356d.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID: 1132