Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 80s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 04:47
Static task: static1
Behavioral task: behavioral1
  Sample: 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe
  Resource: win10v2004-20220812-en
General
Target: 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe
Size: 83KB
MD5: ef74b3a1fcbce6dd3d2d51e20a2a04f7
SHA1: c8b0b66233997ff542e70401e99bebc3e714bec8
SHA256: 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47
SHA512: b86974b584214ba206b52c5e464808f3673c816f854d72e131559636a935e052b7bd467f89cc70f7e5bce3506592b88cfcd37e98783d322758c39779b8b1eb9e
SSDEEP: 1536:JCRHfzxrdFSzcNEnnsNXJEh4aGWDZlKujyK0+pHvIr8MS1XuKERU7nBBek:u1LflWDZltyK0+gr8MyXuKE
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe" | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe" | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe

  resource | yara_rule
  behavioral1/memory/1920-55-0x0000000000400000-0x0000000000419000-memory.dmp | upx
  behavioral1/memory/1920-57-0x0000000000400000-0x0000000000419000-memory.dmp | upx
  behavioral1/memory/1920-58-0x0000000000400000-0x0000000000419000-memory.dmp | upx
  behavioral1/memory/1920-62-0x0000000000400000-0x0000000000419000-memory.dmp | upx
  behavioral1/memory/1920-61-0x0000000000400000-0x0000000000419000-memory.dmp | upx
  behavioral1/memory/1920-64-0x0000000000400000-0x0000000000419000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe" | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1760 set thread context of 1920 | 1760 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 28

Kills process with taskkill (1 IoCs)
  pid | Process
  1512 | taskkill.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1920 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1512 | taskkill.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  1920 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1760 wrote to memory of 1920 | 1760 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 28
  PID 1760 wrote to memory of 1920 | 1760 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 28
  PID 1760 wrote to memory of 1920 | 1760 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 28
  PID 1760 wrote to memory of 1920 | 1760 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 28
  PID 1760 wrote to memory of 1920 | 1760 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 28
  PID 1760 wrote to memory of 1920 | 1760 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 28
  PID 1760 wrote to memory of 1920 | 1760 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 28
  PID 1760 wrote to memory of 1920 | 1760 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 28
  PID 1920 wrote to memory of 1512 | 1920 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 29
  PID 1920 wrote to memory of 1512 | 1920 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 29
  PID 1920 wrote to memory of 1512 | 1920 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 29
  PID 1920 wrote to memory of 1512 | 1920 | 5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe | 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe"
   PID: 1760
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\5b87bbab1220df81134e490800b0f044cc37e5727c3de33b5f035ce61abb0c47.exe"
      PID: 1920
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         command line: taskkill /F /IM explorer.exe
         PID: 1512
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken