Analysis
- max time kernel: 42s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 12/01/2023, 21:11
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: 295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
  Resource: win10v2004-20221111-en
General
- Target: 295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
- Size: 726KB
- MD5: d0e77b07603d7c8c6f3a3a762836f138
- SHA1: a2f1f9a447e406b489b984fa5403a36e79d28911
- SHA256: 295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6
- SHA512: f98b81f9b7cda9bce17a995560b6fa9b21fc1765fd48fd6d468444c4236b4c3bfdf925e14956406d34dd268ced6cd083900f3307601e8404ac1c6c5a53f8e348
- SSDEEP: 12288:vCatIwPtT2lwPtT2VpmxqDbHks2XnFxXKdOUzD1Duc:vzVPtT2OPtT2VpmUHU3F4Tzlu
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1700, process bootinst.exe
- Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.
  pid 604, process attrib.exe
- Loads dropped DLL (2 IoCs)
  pid 1732, process cmd.exe (recorded twice)
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\E: by 295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe
  File opened (read-only) \??\E: by cmd.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each write below is recorded four times)
  PID 1080 (295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe) wrote to memory of PID 1732, procid_target 28
  PID 1732 (cmd.exe) wrote to memory of PID 604, procid_target 30
  PID 1732 (cmd.exe) wrote to memory of PID 1700, procid_target 31
  PID 1732 (cmd.exe) wrote to memory of PID 1424, procid_target 32
  PID 1732 (cmd.exe) wrote to memory of PID 1780, procid_target 34
  PID 1732 (cmd.exe) wrote to memory of PID 1124, procid_target 36
- Views/modifies file attributes (1 TTP, 1 IoC)
  pid 604, process attrib.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe (PID 1080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\295187556d0b67274e12955f54328eeb415b3e4c982332360331dfb7f4cf2df6.exe"
  Signatures: Enumerates connected drives; Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe (PID 1732)
    Command line: cmd.exe /c copy C:\Users\Admin\AppData\Roaming\win7Res\grldr E:\grldr / b>NUL 2>NUL &attrib E:\grldr +h +s +r &C:\Users\Admin\AppData\Roaming\win7Res\bootinst /nt60 E: &cscript C:\Windows\system32\slmgr.vbs -ilc C:\Users\Admin\AppData\Roaming\win7Res\Certificate.xrm-ms &cscript C:\Windows\system32\slmgr.vbs -ipk 49PB6-6BJ6Y-KHGCQ-7DDY6-TF7CD &C:\Windows\system32\svchost.exe -k LocalService
    Signatures: Loads dropped DLL; Enumerates connected drives; Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\attrib.exe (PID 604)
      Command line: attrib E:\grldr +h +s +r
      Signatures: Sets file to hidden; Views/modifies file attributes
    - Level 3: C:\Users\Admin\AppData\Roaming\win7Res\bootinst.exe (PID 1700)
      Command line: C:\Users\Admin\AppData\Roaming\win7Res\bootinst /nt60 E:
      Signatures: Executes dropped EXE
    - Level 3: C:\Windows\SysWOW64\cscript.exe (PID 1424)
      Command line: cscript C:\Windows\system32\slmgr.vbs -ilc C:\Users\Admin\AppData\Roaming\win7Res\Certificate.xrm-ms
    - Level 3: C:\Windows\SysWOW64\cscript.exe (PID 1780)
      Command line: cscript C:\Windows\system32\slmgr.vbs -ipk 49PB6-6BJ6Y-KHGCQ-7DDY6-TF7CD
    - Level 3: C:\Windows\SysWOW64\svchost.exe (PID 1124)
      Command line: C:\Windows\system32\svchost.exe -k LocalService
Downloads (unique dropped files; repeated identical entries collapsed)
- Filesize: 2KB
  MD5: f25832af6a684360950dbb15589de34a
  SHA1: 17ff1d21005c1695ae3dcbdc3435017c895fff5d
  SHA256: 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
  SHA512: e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f
- Filesize: 85KB (listed four times)
  MD5: 70c5f6f69cdc6c5b8240622cf7d90380
  SHA1: d7fa00497a3d3279b547dfc913e23052b9287060
  SHA256: d7aba1fa037041412052bfdc0127d44bd63597bf01151058d3edf585186387be
  SHA512: 447ffe8f7216e38695a85e09e5085564ec6d4b35c6770ee8864300fbaad50b0855f9535f1c0fb78a57b090cec9478e24338c8ef54b4986b87abcfdde986df798
- Filesize: 199KB (listed twice)
  MD5: 560b738b2357d5a92190d4ddf2966991
  SHA1: 5d3ed31bd12c97eadc594bcf10e758a67c4e7552
  SHA256: 38c658da9d95ef05fea051054f021bfbfed67b7aff32a996a4b32edc9f31c287
  SHA512: 7a25caacf68367a64d81fdb5a5629cb60dbca4425b27987d0c0885da0bfbfd410f0ea77810552a00601bcb32855f575a00082c9c4fbb78a591d0cc24ad09ecf3