Analysis
max time kernel: 161s
max time network: 79s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 06/12/2022, 16:10
Static task: static1
Behavioral task: behavioral1
  Sample: bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
  Resource: win10v2004-20220812-en
General
Target: bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
Size: 1.3MB
MD5: 718d025d6d5acfd8d79ce1aab8867ca1
SHA1: f643592f09ba18a069251c15ee9cd58d0b06c8a9
SHA256: bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403
SHA512: 7e2af3de5e8bb2c18a3d4f0029a0c77a124e4bb73d3ec3a1232627955102af9ac86adf2f0ede92b2c66c5bccf10189f0e85f13df153ba2c629599e4c2fb12b63
SSDEEP: 24576:4jHTGAgItSObli5bRJzLxUKJKQFxAEE+a+PhsxjqfNT9Jn2IEtKq5l6/G13Op3pW:8TzMGlUbRhtYgx++zh2qfJH1+poOXZ
Malware Config
Signatures
Uses Session Manager for persistence (2 TTPs, 1 IoC)
Creates Session Manager registry key to run executable early in system boot.
  description: Set value (data)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a000000
  process: bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
  note: the hex data is UTF-16LE and decodes to "autocheck autochk *", which is the Windows default BootExecute value; the write itself is the observation, not a new boot-time entry.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  process: bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows32 = "C:\\windows\\system\\Winiupdate.exe"
  process: bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
Drops file in Windows directory (1 IoC)
  description: File created
  ioc: C:\Windows\Menu Iniciar\Iniciar\WindowsUpdate.exe
  process: bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 1440
  process: bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
Processes
C:\Users\Admin\AppData\Local\Temp\bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bcac8096edb170b9aca1fd759a0ea2e8666815832e6dbeeff3a95ce3dafbe403.exe"
  PID: 1440
  - Uses Session Manager for persistence
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam