Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
166s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03/12/2022, 13:42
Static task
static1
Behavioral task
behavioral1
Sample
c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe
Resource
win10v2004-20220812-en
General
-
Target
c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe
-
Size
180KB
-
MD5
558cf03642d1f59d58b2aea6fd4d0848
-
SHA1
270ce62f859508b6339f24ac26111a7bd3c851e6
-
SHA256
c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40
-
SHA512
7f446b9005a4f21d3f3660d99da9499c32d2ea750688752b31c792bf30f97f3a04bdd462e634a2f612324ae8cd4cd9cff55d2242cee3253aade67a99b67f2f2e
-
SSDEEP
3072:ufimO4AYcpO4D2rdUz41Vnkz/XFm7cMW5Mz5OiqdwsnWJ/sLb5mFggyqWBOB80lv:ufiL4AYcp/EQzfXMeBdwsW1s3Mgfq+O6
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\\n." c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe -
Deletes itself 1 IoCs
pid Process 756 cmd.exe -
Unexpected DNS network traffic destination 16 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 91.193.74.13 Destination IP 66.85.130.234 Destination IP 66.85.130.234 Destination IP 66.85.130.234 Destination IP 91.193.74.13 Destination IP 66.85.130.234 Destination IP 91.193.74.13 Destination IP 66.85.130.234 Destination IP 91.193.74.13 Destination IP 91.193.74.13 Destination IP 66.85.130.234 Destination IP 91.193.74.13 Destination IP 91.193.74.13 Destination IP 66.85.130.234 Destination IP 91.193.74.13 Destination IP 66.85.130.234 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1620 set thread context of 756 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 27 -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\@ c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe File created C:\Windows\Installer\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\n c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{bb8ab67a-d838-2496-fd4e-ead6952e3208}\\n." c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\clsid c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe Token: SeDebugPrivilege 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe Token: SeDebugPrivilege 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe Token: SeBackupPrivilege 464 services.exe Token: SeRestorePrivilege 464 services.exe Token: SeSecurityPrivilege 464 services.exe Token: SeTakeOwnershipPrivilege 464 services.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1388 Explorer.EXE 1388 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1388 Explorer.EXE 1388 Explorer.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1620 wrote to memory of 1388 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 13 PID 1620 wrote to memory of 1388 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 13 PID 1620 wrote to memory of 464 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 2 PID 1620 wrote to memory of 756 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 27 PID 1620 wrote to memory of 756 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 27 PID 1620 wrote to memory of 756 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 27 PID 1620 wrote to memory of 756 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 27 PID 1620 wrote to memory of 756 1620 c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe 27
Processes
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:464
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1388 -
C:\Users\Admin\AppData\Local\Temp\c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe"C:\Users\Admin\AppData\Local\Temp\c3a0da9d5e55ec45df45593074d83aefb3935aaa5ea3b1a75adc6aedb85b9b40.exe"2⤵
- Registers COM server for autorun
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Deletes itself
PID:756
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53899df69c1e78e9a5b26645561aebafa
SHA1912b4724e81ab73a1987ce4f89a4de34a3b9374f
SHA2564ad5975145ab7c4e4c68d004ba319bff74c7482357944378f1bd842d157c4c75
SHA512fd944cae45caa5db4354c68fc176e93523599ec64914b97fab50a5677036dae56a6c1374b870dfb58a8beb2b7bf93d0644dafeea523d9dd55c6831e95f9d1405