Analysis
- max time kernel: 150s
- max time network: 103s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03/12/2022, 15:38
Static task: static1
Behavioral task: behavioral1
- Sample: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe
- Resource: win10v2004-20221111-en
General
- Target: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe
- Size: 583KB
- MD5: 7ec9800e97ecb6f8b8590cf7c06da578
- SHA1: b5a5fb4aa3588cb4ed3b0be5f9985a3810d32114
- SHA256: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b
- SHA512: 95ec1c77dbf961ceb8183b0ceeb0be67ef01444f9e525ab26a0f3d8e1623efb195e71e9cd911aca84cf4fa28469a32356a399ba75d75c3268211c955cd9367c1
- SSDEEP: 12288:x2dcc3zvSUGljdYqvUkKr06SaGLB88B0oOR4xcOx:IN6UivvUkKA6SfLBPB0oOix
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run; Process: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe
  description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bbspj = "C:\\Windows\\SysWOW64\\lv-LV6.exe"; Process: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe
- Executes dropped EXE (1 IoCs)
  pid: 1236; Process: lv-LV6.exe
- YARA rule matches (resource: yara_rule)
  behavioral1/memory/1628-55-0x0000000000310000-0x00000000003BE000-memory.dmp: upx
  behavioral1/memory/1628-58-0x0000000000310000-0x00000000003BE000-memory.dmp: upx
  behavioral1/memory/1628-59-0x0000000000310000-0x00000000003BE000-memory.dmp: upx
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion; Process: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe
- Deletes itself (1 IoCs)
  pid: 1984; Process: cmd.exe
- Loads dropped DLL (1 IoCs)
  pid: 1628; Process: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe
- Drops file in System32 directory (2 IoCs)
  description: File created; ioc: C:\Windows\SysWOW64\lv-LV6.exe; Process: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe
  description: File opened for modification; ioc: C:\Windows\SysWOW64\lv-LV6.exe; Process: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 1628; Process: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe (2 entries)
  pid: 1236; Process: lv-LV6.exe (remaining 62 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid: 1628; Process: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe
  description: Token: SeDebugPrivilege; pid: 1236; Process: lv-LV6.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1628 wrote to memory of 1236; pid: 1628; Process: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe; procid_target: 28 (4 entries)
  description: PID 1628 wrote to memory of 1984; pid: 1628; Process: ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe; procid_target: 30 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe (PID 1628, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe"
  - Adds policy Run key to start application
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\lv-LV6.exe (PID 1236, level 2, child of 1628)
    Command line: C:\Windows\SysWOW64\lv-LV6.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 1984, level 2, child of 1628)
    Command line: /c C:\Users\Admin\AppData\Local\Temp\~unins1302.bat "C:\Users\Admin\AppData\Local\Temp\ab3aa6f41e5056db625a0bbe3df17cb045e676a40a4cec53847a97ce903c423b.exe"
    - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 49B
  MD5: 9e0a2f5ab30517809b95a1ff1dd98c53
  SHA1: 5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce
  SHA256: 97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32
  SHA512: e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42
- Filesize: 158KB
  MD5: 05b2e342f1d92b93c2e3bc60c5e801b0
  SHA1: c8c83ceebcfd17d397d842ef6206c0c72b237d4e
  SHA256: 2bac89d8ffe57ccbfb6a9be9c061791bdf8fa00cb58c0154c26ccd34bbfd659e
  SHA512: 206ce74d2087c7b612dda060e0b1c4a3084e86b0cc5bcce21f3552e07ab2a0860bfd3f1be5ffc63aad26c89c7faf8960dd7216b768d412eb7fce565492ac6594