Analysis
max time kernel: 146s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 2022-12-05 12:35 (shown on the page as 05/12/2022; the win10v2004-20221111-en image used by behavioral2 dates from November 2022, so the date is day/month)
Static task
static1
Behavioral task
behavioral1: 90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128.exe on win7-20220812-en
Behavioral task
behavioral2: 90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128.exe on win10v2004-20221111-en
General
Target: 90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128.exe
Size: 297KB
MD5: 1d6ec70d334f7b73094f27ca88946576
SHA1: 11c5ebe3a32438bb17f99136972ed6b43194f0df
SHA256: 90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128
SHA512: a74bcd81d6e31d4112d214da8417f69c1446a511fc15c65dd99dbf0cdc2397e3ceb5dfadcb13a0bc1b5c46b7d1b401e9d55b9cac3627cbbe86c569b391d08dd1
SSDEEP: 6144:2XOUqsRiXdcZCiJhaR3gMV/qybZsKvJ1mSnHJEx5UW1:dtsdg2MwMlNvmSnHk1
Malware Config
Signatures
Disables taskbar notifications via registry modification

Executes dropped EXE (1 IoC)
  pid 1080  xfs.exe

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe

Deletes itself (1 IoC)
  pid 1080  xfs.exe

Loads dropped DLL (2 IoCs)
  pid 112  90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128.exe  (2 events)

Modifies registry class (5 IoCs)
  Set value (data)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 112  90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128.exe  (8 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 844  explorer.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeShutdownPrivilege         pid 844   explorer.exe  (12 events)
  Token: 33                          pid 2016  AUDIODG.EXE   (2 events)
  Token: SeIncBasePriorityPrivilege  pid 2016  AUDIODG.EXE   (2 events)

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid 844  explorer.exe  (26 events)

Suspicious use of SendNotifyMessage (15 IoCs)
  pid 844  explorer.exe  (15 events)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 112 (90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128.exe) wrote to memory of PID 1080 (xfs.exe), procid_target 27  (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128.exe"
  PID: 112
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\xfs.exe
    command line: "C:\Users\Admin\AppData\Local\xfs.exe" -gav C:\Users\Admin\AppData\Local\Temp\90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128.exe
    PID: 1080
    - Executes dropped EXE
    - Deletes itself

C:\Windows\explorer.exe
  command line: explorer.exe
  PID: 844
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x594
  PID: 2016
  - Suspicious use of AdjustPrivilegeToken
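The process tree and signatures above describe one install pattern: the sample in Temp drops xfs.exe into AppData\Local, relaunches it with the original sample's path on the command line, and the original is then deleted. The Python below is an added example, not tria.ge code and not taken from the report's own tooling; it transcribes the behavioral1 records from this page into a constructed in-memory list and expresses that pattern as three triage rules. The Proc record layout, the rule names and the TEMP/LOCAL constants are this example's own assumptions. The explorer.exe and AUDIODG.EXE records are kept in the input on purpose: the BagMRU and Active Setup writes attributed to explorer.exe are the shell's own activity after logon, and the rules must produce nothing for them. The WriteProcessMemory rule only fires when the target is not the writer's own child, because a parent writing into a process it has just created is what CreateProcess does and is not by itself injection.

```python
"""Triage rules over a tria.ge-style process tree (added example, not tria.ge code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import ntpath

# Assumed constants: paths as they appear in the report's Processes section.
SAMPLE = "90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
LOCAL = r"C:\Users\Admin\AppData\Local"


@dataclass
class Proc:
    """One process record; layout is this example's own, not a tria.ge structure."""
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]
    tags: Set[str] = field(default_factory=set)


# Constructed input: the behavioral1 records transcribed from the report above.
PROCS: List[Proc] = [
    Proc(112, ntpath.join(TEMP, SAMPLE), f'"{ntpath.join(TEMP, SAMPLE)}"', None,
         {"Loads dropped DLL", "Suspicious behavior: EnumeratesProcesses",
          "Suspicious use of WriteProcessMemory"}),
    Proc(1080, ntpath.join(LOCAL, "xfs.exe"),
         f'"{ntpath.join(LOCAL, "xfs.exe")}" -gav {ntpath.join(TEMP, SAMPLE)}', 112,
         {"Executes dropped EXE", "Deletes itself"}),
    Proc(844, r"C:\Windows\explorer.exe", "explorer.exe", None,
         {"Modifies Installed Components in the registry", "Modifies registry class"}),
    Proc(2016, r"C:\Windows\system32\AUDIODG.EXE",
         r"C:\Windows\system32\AUDIODG.EXE 0x594", None,
         {"Suspicious use of AdjustPrivilegeToken"}),
]
# (writer pid, target pid) edges from "Suspicious use of WriteProcessMemory": 4 events.
WPM_EDGES: List[Tuple[int, int]] = [(112, 1080)] * 4


def under_appdata_not_temp(path: str) -> bool:
    """True when the file sits under a per-user AppData directory other than Temp."""
    d = ntpath.dirname(path).lower()
    return "\\appdata\\" in d and "\\temp" not in d


def findings(procs: List[Proc], wpm_edges: List[Tuple[int, int]]) -> List[Tuple[str, int]]:
    """Return sorted (rule, pid) pairs for the processes that match a rule."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    out: Set[Tuple[str, int]] = set()
    for p in procs:
        parent = by_pid.get(p.parent) if p.parent is not None else None
        # Rule 1: a dropped EXE started from a persistent per-user path, not Temp.
        if "Executes dropped EXE" in p.tags and under_appdata_not_temp(p.image):
            out.add(("dropped_exe_in_appdata", p.pid))
        # Rule 2: the child receives the original sample's path as an argument and
        # the tree records a self-delete: copy, relaunch, remove the original.
        if (parent is not None and parent.image.lower() in p.cmdline.lower()
                and "Deletes itself" in p.tags):
            out.add(("relaunch_with_original_path", p.pid))
    # Rule 3: WriteProcessMemory into a process that is not the writer's own child.
    # Writes into a just-created child are expected from CreateProcess and are skipped.
    for writer, target in set(wpm_edges):
        t = by_pid.get(target)
        if t is None or t.parent != writer:
            out.add(("wpm_cross_process", target))
    return sorted(out)


if __name__ == "__main__":
    for rule, pid in findings(PROCS, WPM_EDGES):
        print(f"{rule:30} pid {pid}")
```

Run against the report's records, the two findings both point at PID 1080 (xfs.exe), and nothing is raised for explorer.exe or AUDIODG.EXE. Feeding a constructed edge such as (112, 844) instead would trip the cross-process rule, which is the case worth escalating on a real host.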
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 297KB
MD5: 1d6ec70d334f7b73094f27ca88946576
SHA1: 11c5ebe3a32438bb17f99136972ed6b43194f0df
SHA256: 90a0e9e9a000826a4505ac488c21c172f57a7775fd297d448f7860fca22b1128
SHA512: a74bcd81d6e31d4112d214da8417f69c1446a511fc15c65dd99dbf0cdc2397e3ceb5dfadcb13a0bc1b5c46b7d1b401e9d55b9cac3627cbbe86c569b391d08dd1