Analysis
max time kernel: 140s
max time network: 121s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 24/08/2023, 03:39
Static task: static1
Behavioral task: behavioral1
  Sample: 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
  Resource: win10v2004-20230703-en
General
Target: 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
Size: 2.0MB
MD5: f5761384565fc1a806792069b45cd1e4
SHA1: ce32658bec751ba9dee7f8999ca4d070d4360662
SHA256: 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30
SHA512: 753c18a32164e66f2a13f6767ea1e570ea785d4c8a9e6fab837ef5e41d3878b65d5fa06885c27ac15f38e6f2cdd1f53332b267eabf6804f470487fa87a44ceb4
SSDEEP: 24576:SZkyGrwZtVvF4xQbv9XlWmYYLqBzu7shQs2dSGs0ED0ICvK/rXTFHDhrx:zYvDbvdlNYYLq9uFsx0Eycp
Malware Config
Signatures
Sets file execution options in registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | regini.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | regini.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "D:\\\\www.ini" | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x0009000000012024-1.dat | acprotect
Loads dropped DLL (2 IoCs)
pid | Process
2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
resource | yara_rule
behavioral1/files/0x0009000000012024-1.dat | upx
behavioral1/memory/2232-5-0x00000000747C0000-0x00000000747FC000-memory.dmp | upx
behavioral1/memory/2232-13-0x00000000747C0000-0x00000000747FC000-memory.dmp | upx
behavioral1/memory/2232-14-0x00000000747C0000-0x00000000747FC000-memory.dmp | upx
behavioral1/memory/2232-19-0x00000000747C0000-0x00000000747FC000-memory.dmp | upx
behavioral1/memory/2232-21-0x00000000747C0000-0x00000000747FC000-memory.dmp | upx
behavioral1/memory/2232-25-0x00000000747C0000-0x00000000747FC000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe" | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2232 wrote to memory of 2448 | 2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe | 28
PID 2232 wrote to memory of 2448 | 2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe | 28
PID 2232 wrote to memory of 2448 | 2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe | 28
PID 2232 wrote to memory of 2448 | 2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe | 28
PID 2232 wrote to memory of 2028 | 2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe | 30
PID 2232 wrote to memory of 2028 | 2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe | 30
PID 2232 wrote to memory of 2028 | 2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe | 30
PID 2232 wrote to memory of 2028 | 2232 | 56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56365c7ec39590c392043900a936c6c76a4104c010c31e15588fc01b4c8b9a30.exe"
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2232
  C:\Windows\SysWOW64\regini.exe (child)
    Command line: regini www.ini
    - Sets file execution options in registry
    PID: 2448
  C:\Windows\SysWOW64\regini.exe (child)
    Command line: regini www.ini
    - Sets file execution options in registry
    PID: 2028
Network
MITRE ATT&CK Enterprise v15
Downloads