Analysis
- max time kernel: 138s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 13/06/2023, 13:47
Behavioral task: behavioral1
- Sample: 02270099.exe
- Resource: win7-20230220-en
- 7 signatures
- 150 seconds
General
- Target: 02270099.exe
- Size: 65KB
- MD5: 176b6e4649ccebe0f73d40146d0b7fa1
- SHA1: 4941b675ed6aae118932f8ced2b1db3f52a6eab3
- SHA256: 47dba610a04ef1d7f18a795108cf9e62d2d6e9e22f0fba51143462f4d569a70d
- SHA512: ac1b8b695c9c0b3afebf4b7277b638b1317399c2dc910b2cd26ae9e548dc684974ede9f3e14268dfda3ce901ee23ac74663a06386e403a652cca070ed557f78a
- SSDEEP: 1536:1E1SjujsC8XANkPZgJkM8Ydwqo0fdWoz5I9lKcfc6hxRGS+w:mLjsXANkR/fkfdWolI9AiDZ
Malware Config
Signatures

- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | hlfdevice.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies data under HKEY_USERS (21 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | hlfdevice.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | hlfdevice.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | hlfdevice.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4775B66-D9DD-4313-B723-31654260FDC5}\WpadNetworkName = "Network 3" | hlfdevice.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | hlfdevice.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | hlfdevice.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4775B66-D9DD-4313-B723-31654260FDC5}\WpadDecisionReason = "1" | hlfdevice.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | hlfdevice.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | hlfdevice.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | hlfdevice.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4775B66-D9DD-4313-B723-31654260FDC5} | hlfdevice.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4775B66-D9DD-4313-B723-31654260FDC5}\WpadDecision = "0" | hlfdevice.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4775B66-D9DD-4313-B723-31654260FDC5}\8a-67-be-39-08-10 | hlfdevice.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-67-be-39-08-10\WpadDecisionReason = "1" | hlfdevice.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-67-be-39-08-10\WpadDecisionTime = c09c28a4fd9dd901 | hlfdevice.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | hlfdevice.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | hlfdevice.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | hlfdevice.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4775B66-D9DD-4313-B723-31654260FDC5}\WpadDecisionTime = c09c28a4fd9dd901 | hlfdevice.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-67-be-39-08-10 | hlfdevice.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-67-be-39-08-10\WpadDecision = "0" | hlfdevice.exe

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  1336 | hlfdevice.exe
  1336 | hlfdevice.exe
  1336 | hlfdevice.exe

- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  1184 | 02270099.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1868 wrote to memory of 1184 | 1868 | 02270099.exe | 26
  PID 1868 wrote to memory of 1184 | 1868 | 02270099.exe | 26
  PID 1868 wrote to memory of 1184 | 1868 | 02270099.exe | 26
  PID 1868 wrote to memory of 1184 | 1868 | 02270099.exe | 26
  PID 1400 wrote to memory of 1336 | 1400 | hlfdevice.exe | 28
  PID 1400 wrote to memory of 1336 | 1400 | hlfdevice.exe | 28
  PID 1400 wrote to memory of 1336 | 1400 | hlfdevice.exe | 28
  PID 1400 wrote to memory of 1336 | 1400 | hlfdevice.exe | 28
Processes

- C:\Users\Admin\AppData\Local\Temp\02270099.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02270099.exe"
  PID: 1868
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\02270099.exe (depth 2)
    Command line: --7bdb350b
    PID: 1184
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\hlfdevice.exe (depth 1)
  Command line: "C:\Windows\SysWOW64\hlfdevice.exe"
  PID: 1400
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\hlfdevice.exe (depth 2)
    Command line: --1c25e6ce
    PID: 1336
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses