Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
01/09/2023, 03:22
Static task
static1
Behavioral task
behavioral1
Sample
3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe
Resource
win10v2004-20230831-en
General
-
Target
3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe
-
Size
76KB
-
MD5
24aa1892cc9a6e754550df904bdf242c
-
SHA1
63bc9ac9b0ec45517191a7b2e3ededf79907e429
-
SHA256
3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08
-
SHA512
8485fe49bf6d9e376a6093afe12d9e520ae87e5178e3129bc51d4d18cd3dda105ac864360f879aeb7100101e0c205a7044108c68982b97d0b9beeae48753c6e8
-
SSDEEP
768:agO5xRYi+SfSWHHNvvG5bnl/NqNwsKVDstHxYD0p1aXKynF0vQmYZS0HdJnfWOA:RshfSWHHNvoLqNwDDGw02eQmh0HjWOA
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3008 rundll32.exe -
Loads dropped DLL 2 IoCs
pid Process 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe -
Modifies system executable filetype association 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\¢«.exe 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe File created C:\Windows\SysWOW64\notepad¢¬.exe 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe File opened for modification C:\Windows\SysWOW64\¢«.exe 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system\rundll32.exe 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe File created C:\Windows\system\rundll32.exe 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe -
Modifies registry class 15 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1693538583" rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1693538583" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3008 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 3008 rundll32.exe 3008 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2164 wrote to memory of 3008 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 28 PID 2164 wrote to memory of 3008 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 28 PID 2164 wrote to memory of 3008 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 28 PID 2164 wrote to memory of 3008 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 28 PID 2164 wrote to memory of 3008 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 28 PID 2164 wrote to memory of 3008 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 28 PID 2164 wrote to memory of 3008 2164 3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe"C:\Users\Admin\AppData\Local\Temp\3134871e1d6aeab6d3a5ff5e23e9cde40f50b2f36ce1031403f4457958c1df08.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\system\rundll32.exeC:\Windows\system\rundll32.exe2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3008
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD558b2e66626b1b479710f5d885ce127cb
SHA122ba66d054beb7c7e9359ea8b326a85ad2a81748
SHA25653971276fd83c5ab85e0d4c258c8951ab005d20a8d198c59862a2478d856742c
SHA5120cf33e3a69933db708f3cfb4a45a1c3e19b6840ead4a985f63f8e423cc18a4e8e11000f94cba90d9a81e2b51a2ac4f5d37d18299c49058bd209a1ae868fe6a45
-
Filesize
74KB
MD5e77bcda4d78e37e95c8fc01a553faff6
SHA108a10794085afb779651ab7aaf24c09652794f14
SHA25683354a632eb1611f53462711108b411fae8de4aa8b65cef3f0c72a76fec89241
SHA512dcfc63e76224fbe21cc03e04bc3876021cd9216239ec5c26c3b7b1473181c7c449b9666323b251a3585d09e57111817d2729291f2d05f00a2a6d4da1579c8cf2
-
Filesize
74KB
MD5e77bcda4d78e37e95c8fc01a553faff6
SHA108a10794085afb779651ab7aaf24c09652794f14
SHA25683354a632eb1611f53462711108b411fae8de4aa8b65cef3f0c72a76fec89241
SHA512dcfc63e76224fbe21cc03e04bc3876021cd9216239ec5c26c3b7b1473181c7c449b9666323b251a3585d09e57111817d2729291f2d05f00a2a6d4da1579c8cf2
-
Filesize
74KB
MD5e77bcda4d78e37e95c8fc01a553faff6
SHA108a10794085afb779651ab7aaf24c09652794f14
SHA25683354a632eb1611f53462711108b411fae8de4aa8b65cef3f0c72a76fec89241
SHA512dcfc63e76224fbe21cc03e04bc3876021cd9216239ec5c26c3b7b1473181c7c449b9666323b251a3585d09e57111817d2729291f2d05f00a2a6d4da1579c8cf2
-
Filesize
74KB
MD5e77bcda4d78e37e95c8fc01a553faff6
SHA108a10794085afb779651ab7aaf24c09652794f14
SHA25683354a632eb1611f53462711108b411fae8de4aa8b65cef3f0c72a76fec89241
SHA512dcfc63e76224fbe21cc03e04bc3876021cd9216239ec5c26c3b7b1473181c7c449b9666323b251a3585d09e57111817d2729291f2d05f00a2a6d4da1579c8cf2