Analysis
max time kernel: 150s
max time network: 158s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 03:58
Static task: static1
Behavioral task: behavioral1
Sample: 6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
Resource: win10v2004-20220901-en
General
Target: 6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
Size: 199KB
MD5: 8cb62a156971ce47e5240a25932faa45
SHA1: 29519ab6377f6dda653f5a06b57d0bef90e71163
SHA256: 6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8
SHA512: deb05bd443cb5665d8b4588af86521d0835be6b3e79730e69a910ad1868e79b8eaafb0746d637a0dfade0b7fe996ad84171af00aa9c29bd3c5dd50ec5433a6d7
SSDEEP: 3072:mk+Hn2oM3TUULfoAGrLGBgNGGoJKG7ERRbuemXhJGTr5cxXgj2:OnhM3BoHpoGoJKzRg1EcxQq
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 17 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\puy.exe\" -a \"%1\" %*" | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\ = "Application" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\DefaultIcon | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\DefaultIcon\ = "%1" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | puy.exe
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid | Process
1388 | puy.exe
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
-
Deletes itself 1 IoCs
pid | Process
1388 | puy.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1508 | 6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
1508 | 6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" | puy.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | puy.exe
-
Modifies registry class 41 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\runas\command | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\puy.exe\" -a \"%1\" %*" | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\ = "exefile" | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\DefaultIcon\ = "%1" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\ = "Application" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | puy.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\open | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\Content Type = "application/x-msdownload" | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\runas | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\start\command | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\DefaultIcon\ = "%1" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\DefaultIcon | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\puy.exe\" -a \"%1\" %*" | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\start | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.exe\shell\open\command | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\DefaultIcon | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | puy.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\runas\command | puy.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | puy.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
1508 | 6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe (9 consecutive entries)
1388 | puy.exe (5 consecutive entries)
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 936 | explorer.exe (12 consecutive entries)
Token: 33 | 1552 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1552 | AUDIODG.EXE
Token: 33 | 1552 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1552 | AUDIODG.EXE
Token: SeShutdownPrivilege | 936 | explorer.exe (5 consecutive entries)
-
Suspicious use of FindShellTrayWindow 29 IoCs
pid | Process
936 | explorer.exe (14 consecutive entries)
1388 | puy.exe
936 | explorer.exe (11 consecutive entries)
1388 | puy.exe
936 | explorer.exe (2 consecutive entries)
-
Suspicious use of SendNotifyMessage 17 IoCs
pid | Process
936 | explorer.exe (16 consecutive entries)
1388 | puy.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1508 wrote to memory of 1388 | 1508 | 6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe | 27 (4 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe"
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1508
-
    C:\Users\Admin\AppData\Local\puy.exe (tree level 2, under PID 1508)
    Command line: "C:\Users\Admin\AppData\Local\puy.exe" -gav C:\Users\Admin\AppData\Local\Temp\6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8.exe
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1388
-
C:\Windows\explorer.exe (tree level 1)
Command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 936
-
C:\Windows\system32\AUDIODG.EXE (tree level 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x58c
- Suspicious use of AdjustPrivilegeToken
PID: 1552
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 199KB
MD5: 8cb62a156971ce47e5240a25932faa45
SHA1: 29519ab6377f6dda653f5a06b57d0bef90e71163
SHA256: 6b3da853d71971e0d25af90c0c4f9615e645db2f547a023e4e77dd1d551b78b8
SHA512: deb05bd443cb5665d8b4588af86521d0835be6b3e79730e69a910ad1868e79b8eaafb0746d637a0dfade0b7fe996ad84171af00aa9c29bd3c5dd50ec5433a6d7