Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
106s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
10/01/2023, 02:15
Static task
static1
Behavioral task
behavioral1
Sample
c16bf77fcc5c44599d6498330322817771cc351c.exe
Resource
win7-20220901-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
c16bf77fcc5c44599d6498330322817771cc351c.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
1 signatures
150 seconds
General
-
Target
c16bf77fcc5c44599d6498330322817771cc351c.exe
-
Size
393KB
-
MD5
352e7453f1dfb7af3d26702bf6717f6f
-
SHA1
c16bf77fcc5c44599d6498330322817771cc351c
-
SHA256
8234e9a2c8f6261ad19fcd2e44aeb1abcfc193b47a82e6ce3c8b325e82057a99
-
SHA512
f0900cc289ce1381694cad3b5121704de0fb77d705b4bb75d221f14039493cafa9bdefd018757727661a8d73158d3946a856b34ffc77fc6654d3699d49f37712
-
SSDEEP
6144:pMwPfMXE8RBlYmP4I99mGJKko33SURApteIR0BhOyC4K6/U8a0fFvG:pv8RBmmgbGMF33SU+tDRqhG6/U8aKFu
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" c16bf77fcc5c44599d6498330322817771cc351c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" c16bf77fcc5c44599d6498330322817771cc351c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" c16bf77fcc5c44599d6498330322817771cc351c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" c16bf77fcc5c44599d6498330322817771cc351c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" F4D55F6500014973000C7881B4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" c16bf77fcc5c44599d6498330322817771cc351c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" F4D55F6500014973000C7881B4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" F4D55F6500014973000C7881B4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" F4D55F6500014973000C7881B4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" F4D55F6500014973000C7881B4EB2331.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 2000 F4D55F6500014973000C7881B4EB2331.exe -
Deletes itself 1 IoCs
pid Process 2000 F4D55F6500014973000C7881B4EB2331.exe -
Loads dropped DLL 2 IoCs
pid Process 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" c16bf77fcc5c44599d6498330322817771cc351c.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc c16bf77fcc5c44599d6498330322817771cc351c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc F4D55F6500014973000C7881B4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" c16bf77fcc5c44599d6498330322817771cc351c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" c16bf77fcc5c44599d6498330322817771cc351c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc c16bf77fcc5c44599d6498330322817771cc351c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" F4D55F6500014973000C7881B4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" F4D55F6500014973000C7881B4EB2331.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc F4D55F6500014973000C7881B4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" F4D55F6500014973000C7881B4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" F4D55F6500014973000C7881B4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" c16bf77fcc5c44599d6498330322817771cc351c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" c16bf77fcc5c44599d6498330322817771cc351c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" F4D55F6500014973000C7881B4EB2331.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\F4D55F6500014973000C7881B4EB2331 = "C:\\ProgramData\\F4D55F6500014973000C7881B4EB2331\\F4D55F6500014973000C7881B4EB2331.exe" F4D55F6500014973000C7881B4EB2331.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2000 F4D55F6500014973000C7881B4EB2331.exe 2000 F4D55F6500014973000C7881B4EB2331.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1408 wrote to memory of 2000 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 27 PID 1408 wrote to memory of 2000 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 27 PID 1408 wrote to memory of 2000 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 27 PID 1408 wrote to memory of 2000 1408 c16bf77fcc5c44599d6498330322817771cc351c.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\c16bf77fcc5c44599d6498330322817771cc351c.exe"C:\Users\Admin\AppData\Local\Temp\c16bf77fcc5c44599d6498330322817771cc351c.exe"1⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\ProgramData\F4D55F6500014973000C7881B4EB2331\F4D55F6500014973000C7881B4EB2331.exe"C:\ProgramData\F4D55F6500014973000C7881B4EB2331\F4D55F6500014973000C7881B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\c16bf77fcc5c44599d6498330322817771cc351c.exe"2⤵
- Windows security bypass
- Executes dropped EXE
- Deletes itself
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2000
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
393KB
MD5352e7453f1dfb7af3d26702bf6717f6f
SHA1c16bf77fcc5c44599d6498330322817771cc351c
SHA2568234e9a2c8f6261ad19fcd2e44aeb1abcfc193b47a82e6ce3c8b325e82057a99
SHA512f0900cc289ce1381694cad3b5121704de0fb77d705b4bb75d221f14039493cafa9bdefd018757727661a8d73158d3946a856b34ffc77fc6654d3699d49f37712
-
Filesize
393KB
MD5352e7453f1dfb7af3d26702bf6717f6f
SHA1c16bf77fcc5c44599d6498330322817771cc351c
SHA2568234e9a2c8f6261ad19fcd2e44aeb1abcfc193b47a82e6ce3c8b325e82057a99
SHA512f0900cc289ce1381694cad3b5121704de0fb77d705b4bb75d221f14039493cafa9bdefd018757727661a8d73158d3946a856b34ffc77fc6654d3699d49f37712
-
Filesize
393KB
MD5352e7453f1dfb7af3d26702bf6717f6f
SHA1c16bf77fcc5c44599d6498330322817771cc351c
SHA2568234e9a2c8f6261ad19fcd2e44aeb1abcfc193b47a82e6ce3c8b325e82057a99
SHA512f0900cc289ce1381694cad3b5121704de0fb77d705b4bb75d221f14039493cafa9bdefd018757727661a8d73158d3946a856b34ffc77fc6654d3699d49f37712
-
Filesize
393KB
MD5352e7453f1dfb7af3d26702bf6717f6f
SHA1c16bf77fcc5c44599d6498330322817771cc351c
SHA2568234e9a2c8f6261ad19fcd2e44aeb1abcfc193b47a82e6ce3c8b325e82057a99
SHA512f0900cc289ce1381694cad3b5121704de0fb77d705b4bb75d221f14039493cafa9bdefd018757727661a8d73158d3946a856b34ffc77fc6654d3699d49f37712