Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2023, 15:19
Static task
static1
Behavioral task
behavioral1
Sample
easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
Resource
win10v2004-20230703-en
General
-
Target
easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
-
Size
293KB
-
MD5
6b829656d61a753eaf0245365227af50
-
SHA1
b1fd0f223b092f89b0e83035317d865d42bd31c2
-
SHA256
cbeb459e3bf48d1e3e940cade5da3c4b25b736d438537b70be01694557dfeb73
-
SHA512
99143497d50c20c28047d00a834b86c226ccd5db3e0684e2fd6a87fd84f3225bb524f6727e055ce22ec7c69216f3be11625f0e91d13d9f18931f453449cc0117
-
SSDEEP
6144:s731bdBaBIMMTQxbDAmGtcWztwjJsrIJ0p92NWukgkivel/KHRmZDT7W7:u1bqDAlq9lgsstgkiWpKKXe
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\ielowutil.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\jabswitch.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\setup.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\notification_helper.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\idlj.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\jarsigner.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\javac.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\LICLUA.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\ieinstal.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\ieinstal.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\chrmstp.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\chrome.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\java-rmi.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX9ECF.tmp easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\javac.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\xdccPrograms\7z.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\msinfo32.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\elevation_service.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\java-rmi.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\xdccPrograms\7zFM.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\TabTip.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\TabTip.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\master_prefere.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX9EAF.tmp easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{23CB782A-F884-4FD9-A86E-FF050DB0921F}.catalogItem svchost.exe File created C:\Windows\SysWOW64\xdccPrograms\7zG.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\ExtExport.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX9E8F.tmp easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\javadoc.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\chrome.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\MavInject32.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\LICLUA.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\OSE.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\extcheck.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\7zFM.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\xdccPrograms\7zG.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\extcheck.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\java.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\OSE.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\elevation_service.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\RCX9E6F.tmp easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\jar.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\DC++ Share\jarsigner.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\java.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File created C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe File opened for modification C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:4772
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4344
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
62KB
MD5b126345317624479f78fbf30b3a1fe5a
SHA1655c966bf7bbf96ee49c83062d30b9dba17d693c
SHA2568723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301
SHA512d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d
-
Filesize
847KB
MD56ffefa6e43221a0b7040f6d50147a91f
SHA1756c783c1b811067c62634d0637bb43e779609a8
SHA256870c644b651c84a2d292a8ca6a43f8aceead3decb40a5d901e10925b18522658
SHA512f907f3a93549cbde8d53059bd6cb1d5c7167daa25fd2577abfe5ec3a051ce7f4866b784106d2019f60267d5eb436aee4d7842bdf629ecdc8b592ee00f85501c0