Analysis
max time kernel: 151s
max time network: 51s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04/12/2022, 06:08
Behavioral task behavioral1
Sample: a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe
Resource: win7-20220812-en

Behavioral task behavioral2
Sample: a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe
Resource: win10v2004-20220812-en
General
Target: a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe
Size: 1.4MB
MD5: e32c4fbd28f2b996a5a7bbde62f48ce9
SHA1: a027c853489fb726f8f2f7286d20f3f1f3f67e94
SHA256: a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2
SHA512: ae5ccd8f07857143fd88d98fec86458c2874992a70ed3482d56c81ac101bb370a21fb2b8d5c4256c87b222ac26fd8e00a1c3534452fd3dcce590e81817e0293c
SSDEEP: 24576:nk3lFVBIRSEuzT5aDtcANt9aZ+/JiCXNRDE6mbSy1IndkZVrR8iTH5jaGjSuQ+VJ:k1XBIRSfHANtN7yKndkNf5jaGjw+VK6P
Malware Config

Signatures

UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File created | C:\WINDOWS\SysWOW64\drivers\drive.sys | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe
File opened for modification | C:\WINDOWS\SysWOW64\drivers\drive.sys | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe
File created | C:\WINDOWS\SysWOW64\drivers\drive.sys.off | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe

Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Cuzinho\ImagePath = "system32\\drivers\\drive.sys" | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe
YARA rule upx 2 IoCs
resource | yara_rule
behavioral1/memory/1788-54-0x0000000011310000-0x0000000012139000-memory.dmp | upx
behavioral1/memory/1788-58-0x0000000011310000-0x0000000012139000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\System32\\avg.exe" | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe

Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\avg.exe | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe
File opened for modification | C:\Windows\SysWOW64\avg.exe | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe

Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
952 | reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1788 | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe

Suspicious behavior: LoadsDriver 64 IoCs
pid | Process
460 | Process not Found (this identical entry appears 64 times in the report)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1788 | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe
1788 | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1788 wrote to memory of 908 | 1788 | a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe | 27 (entry repeated 4 times)
PID 908 wrote to memory of 952 | 908 | cmd.exe | 29 (entry repeated 4 times)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a0c2ca51c7d65d7615fe8b7318baf7d50bdb4fc161ee05845f8686cd41c752f2.exe"
PID: 1788
- Drops file in Drivers directory
- Sets service image path in registry
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Level 2 (child of PID 1788): C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  PID: 908
  - Suspicious use of WriteProcessMemory

    Level 3 (child of PID 908): C:\Windows\SysWOW64\reg.exe
    Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    PID: 952
    - UAC bypass
    - Modifies registry key