Analysis
max time kernel: 138s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 07:15
Static task: static1
Behavioral task: behavioral1
Sample: b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Resource: win10v2004-20220901-en
General
Target: b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Size: 197KB
MD5: d3fa003c76cb8d135dc71803f2a89c1b
SHA1: 5a7f16f01574c4971a2d883e6abc6133f75e2778
SHA256: b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff
SHA512: 947e6816759172a16ec351504a41363953f13bc394fddd2c9b8813b2b181e6fe7454e50179753a8942b98853e110b639e9eca4e69a85efec7eae1f26d3b5a531
SSDEEP: 3072:n3K/eEZNrWKFXgrVFHMdEU4+B4I3hfr4FJ8ehq59MaKeGU/IP95CYwFnjEj:3CTsFHOErrC14FJ8ehqDKeGUCz
Malware Config
Signatures
Registers COM server for autorun (1 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\n." | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Deletes itself (1 IoCs)
pid | Process
1832 | cmd.exe
Unexpected DNS network traffic destination (8 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Destination IP | 83.133.123.20
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | \systemroot\assembly\GAC_64\Desktop.ini | services.exe
File created | \systemroot\assembly\GAC_32\Desktop.ini | services.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1464 set thread context of 1832 | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe | 26
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@ | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
File created | C:\Windows\Installer\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\n | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\clsid | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\n." | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
464 | services.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1360 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Token: SeDebugPrivilege | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Token: SeDebugPrivilege | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
Token: SeDebugPrivilege | 464 | services.exe
Token: SeBackupPrivilege | 464 | services.exe
Token: SeRestorePrivilege | 464 | services.exe
Token: SeSecurityPrivilege | 464 | services.exe
Token: SeTakeOwnershipPrivilege | 464 | services.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1360 | Explorer.EXE
1360 | Explorer.EXE
Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
1360 | Explorer.EXE
1360 | Explorer.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1464 wrote to memory of 1360 | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe | 12
PID 1464 wrote to memory of 1360 | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe | 12
PID 1464 wrote to memory of 464 | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe | 2
PID 1464 wrote to memory of 1832 | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe | 26
PID 1464 wrote to memory of 1832 | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe | 26
PID 1464 wrote to memory of 1832 | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe | 26
PID 1464 wrote to memory of 1832 | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe | 26
PID 1464 wrote to memory of 1832 | 1464 | b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe | 26
Processes
C:\Windows\system32\services.exe
  Command line: C:\Windows\system32\services.exe
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 464
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1360
  C:\Users\Admin\AppData\Local\Temp\b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b13b5fb5149159804ce40bf710af806b673b51f426a7d528113074bb9b1e97ff.exe"
    - Registers COM server for autorun
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1464
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Deletes itself
      PID: 1832
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2KB
MD5: 0bb4e877054db30eb89d1431e51c6bb9
SHA1: c33bda8619365601ac0885458665533e38bcec9a
SHA256: b11e38bb0f65e335a5a897480bd1a7f3fef8f6c9b260dcd459dad34c54e48e65
SHA512: fa0ee8e1dfcefc31e8465acff62eecf4b99f9e19c75339898d35b94146fc46712765a6e499315a9b7899dcf1b1018ca65d85bee9855a56d08a04cd62834a1ab6