Analysis
- max time kernel: 141s
- max time network: 190s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2022, 08:05
Static task
- static1
Behavioral task
- behavioral1
  Sample: b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe
  Resource: win7-20221111-en
Behavioral task
- behavioral2
  Sample: b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe
  Resource: win10v2004-20220812-en
General
- Target: b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe
- Size: 23KB
- MD5: 7193b531605532242806a6a37fdc4b58
- SHA1: fa64fbf72c4a9c5190edcdefc346dbc829fee7ef
- SHA256: b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883
- SHA512: 4a311c7b1a3d1be240283262a65767e9be853a09c08302363ce2eb8c3c17f7c77b602ea2653ffcf9de9b30833704431bd5035cfe979ed9979bf36a8441c5c1ad
- SSDEEP: 384:CLJ0kGOFOGFtfFVk/wQPpwsjvt1RP+/R8HWhsRf3oyMsB5g:CNbfUYQPzjvt1ZWhsRASg
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"
  Process: svchost.exe
- Modifies firewall policy service (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\svchost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe:*:Enabled:svchost.exe"
  Process: svchost.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  Process: svchost.exe
- Executes dropped EXE (1 IoC)
  pid 1600, Process svchost.exe
- Loads dropped DLL (2 IoCs)
  pid 1080, Process cmd.exe
  pid 1080, Process cmd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1356 wrote to memory of 1364 | 1356 | b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe | 28
  PID 1356 wrote to memory of 1364 | 1356 | b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe | 28
  PID 1356 wrote to memory of 1364 | 1356 | b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe | 28
  PID 1356 wrote to memory of 1364 | 1356 | b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe | 28
  PID 1356 wrote to memory of 1080 | 1356 | b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe | 30
  PID 1356 wrote to memory of 1080 | 1356 | b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe | 30
  PID 1356 wrote to memory of 1080 | 1356 | b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe | 30
  PID 1356 wrote to memory of 1080 | 1356 | b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe | 30
  PID 1080 wrote to memory of 1600 | 1080 | cmd.exe | 32
  PID 1080 wrote to memory of 1600 | 1080 | cmd.exe | 32
  PID 1080 wrote to memory of 1600 | 1080 | cmd.exe | 32
  PID 1080 wrote to memory of 1600 | 1080 | cmd.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe"
  PID: 1356
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c copy "C:\Users\Admin\AppData\Local\Temp\b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    PID: 1364
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    PID: 1080
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
      PID: 1600
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 23KB
  MD5: 7193b531605532242806a6a37fdc4b58
  SHA1: fa64fbf72c4a9c5190edcdefc346dbc829fee7ef
  SHA256: b4c06bb81f97cf90a2097a587ecdc950689fa89ef6f223134712d02f15f66883
  SHA512: 4a311c7b1a3d1be240283262a65767e9be853a09c08302363ce2eb8c3c17f7c77b602ea2653ffcf9de9b30833704431bd5035cfe979ed9979bf36a8441c5c1ad