Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
7s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
04/12/2022, 14:10
Behavioral task
behavioral1
Sample
a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe
Resource
win10v2004-20220812-en
General
-
Target
a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe
-
Size
20KB
-
MD5
25e6e867b08bc91d8ca831f6c23f3652
-
SHA1
8ce8a45b06ab5d13ff7ad77fed6c9f2b7e06b1ef
-
SHA256
a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f
-
SHA512
45f7d23ac43541b543fe909378b2e8d4099c4e4fe97c7edb1ec24099ba3f79c5174f08007446979f1ef70d664368e0e31427e6b76e724c243fb78182280ec606
-
SSDEEP
96:xo7+1EsyLMa7ZiJzmnsIgeuLrGsqUTPf9nNhHDsxTmmLMugN:M0EnMaMNRrGsqUxNhHDYTmsMugN
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/1776-58-0x0000000000400000-0x0000000000407000-memory.dmp upx behavioral1/memory/1776-62-0x0000000000400000-0x0000000000407000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" Rundll32.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.app.log Rundll32.exe File created C:\Windows\taskmanager.bat a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe File opened for modification C:\Windows\taskmanager.bat a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeRestorePrivilege 1732 Rundll32.exe Token: SeRestorePrivilege 1732 Rundll32.exe Token: SeRestorePrivilege 1732 Rundll32.exe Token: SeRestorePrivilege 1732 Rundll32.exe Token: SeRestorePrivilege 1732 Rundll32.exe Token: SeRestorePrivilege 1732 Rundll32.exe Token: SeRestorePrivilege 1732 Rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1776 a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1776 wrote to memory of 1732 1776 a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe 28 PID 1776 wrote to memory of 1732 1776 a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe 28 PID 1776 wrote to memory of 1732 1776 a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe 28 PID 1776 wrote to memory of 1732 1776 a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe 28 PID 1776 wrote to memory of 1732 1776 a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe 28 PID 1776 wrote to memory of 1732 1776 a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe 28 PID 1776 wrote to memory of 1732 1776 a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe 28 PID 1732 wrote to memory of 1536 1732 Rundll32.exe 29 PID 1732 wrote to memory of 1536 1732 Rundll32.exe 29 PID 1732 wrote to memory of 1536 1732 Rundll32.exe 29 PID 1732 wrote to memory of 1536 1732 Rundll32.exe 29 PID 1536 wrote to memory of 1468 1536 runonce.exe 30 PID 1536 wrote to memory of 1468 1536 runonce.exe 30 PID 1536 wrote to memory of 1468 1536 runonce.exe 30 PID 1536 wrote to memory of 1468 1536 runonce.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe"C:\Users\Admin\AppData\Local\Temp\a7db650b97664b896614b1e5d7dadaea3b8788f813a1662da7376519d093751f.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Rundll32.exeRundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\gskh83jejh4.inf2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r3⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o4⤵PID:1468
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
361B
MD5618642199b4ebd8d873330dad867dde6
SHA12c5c409ef3f7f39850779d998338a2b29cb919f3
SHA2567bfed1c63032c382904af6a219b4660fbb562b3d3a36797c824aedc034f8a108
SHA512eda5a9ef387caf84949b490e7a2d2fd602e412141e2d81d2fe13fd4b4925dea662c65a3d6bc548de2f42d117986a6ee174ecca1c57555fb32dfb5bb9bce1e53a