Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
4Static
static
4.SIGN.RSA....sa.pub
windows7-x64
4.SIGN.RSA....sa.pub
windows10-2004-x64
3usr/bin/an...munity
ubuntu-18.04-amd64
1usr/bin/an...munity
debian-9-armhf
usr/bin/an...munity
debian-9-mips
usr/bin/an...munity
debian-9-mipsel
usr/lib/py...ect.py
windows7-x64
3usr/lib/py...ect.py
windows10-2004-x64
3usr/lib/py...ons.py
windows7-x64
3usr/lib/py...ons.py
windows10-2004-x64
3usr/lib/py...ole.py
windows7-x64
3usr/lib/py...ole.py
windows10-2004-x64
usr/lib/py...aws.py
windows7-x64
3usr/lib/py...aws.py
windows10-2004-x64
usr/lib/py...als.py
windows7-x64
3usr/lib/py...als.py
windows10-2004-x64
3usr/lib/py...ion.py
windows7-x64
3usr/lib/py...ion.py
windows10-2004-x64
usr/lib/py...to3.py
windows7-x64
3usr/lib/py...to3.py
windows10-2004-x64
usr/lib/py...mon.py
windows7-x64
3usr/lib/py...mon.py
windows10-2004-x64
3usr/lib/py...ec2.py
windows7-x64
3usr/lib/py...ec2.py
windows10-2004-x64
3usr/lib/py...ion.py
windows7-x64
3usr/lib/py...ion.py
windows10-2004-x64
3usr/lib/py...ags.py
windows7-x64
3usr/lib/py...ags.py
windows10-2004-x64
usr/lib/py...ec2.py
windows7-x64
3usr/lib/py...ec2.py
windows10-2004-x64
3usr/lib/py...rds.py
windows7-x64
3usr/lib/py...rds.py
windows10-2004-x64
3Analysis
-
max time kernel
44s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
07/10/2023, 23:33
Behavioral task
behavioral3
Sample
usr/bin/ansible-community
Resource
ubuntu1804-amd64-20230831-en
Behavioral task
behavioral4
Sample
usr/bin/ansible-community
Resource
debian9-armhf-20230831-en
Behavioral task
behavioral5
Sample
usr/bin/ansible-community
Resource
debian9-mipsbe-20230831-en
Behavioral task
behavioral6
Sample
usr/bin/ansible-community
Resource
debian9-mipsel-en-20211208
Behavioral task
behavioral7
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/action/s3_object.py
Resource
win7-20230831-en
Behavioral task
behavioral8
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/action/s3_object.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral9
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/callback/aws_resource_actions.py
Resource
win7-20230831-en
Behavioral task
behavioral10
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/callback/aws_resource_actions.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral11
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/assume_role.py
Resource
win7-20230831-en
Behavioral task
behavioral12
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/assume_role.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral13
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/aws.py
Resource
win7-20230831-en
Behavioral task
behavioral14
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/aws.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral15
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/aws_credentials.py
Resource
win7-20230831-en
Behavioral task
behavioral16
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/aws_credentials.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral17
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/aws_region.py
Resource
win7-20230831-en
Behavioral task
behavioral18
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/aws_region.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral19
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/boto3.py
Resource
win7-20230831-en
Behavioral task
behavioral20
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/boto3.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral21
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/common.py
Resource
win7-20230831-en
Behavioral task
behavioral22
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/common.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral23
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/ec2.py
Resource
win7-20230831-en
Behavioral task
behavioral24
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/ec2.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral25
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/region.py
Resource
win7-20230831-en
Behavioral task
behavioral26
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/region.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral27
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/tags.py
Resource
win7-20230831-en
Behavioral task
behavioral28
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/doc_fragments/tags.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral29
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/inventory/aws_ec2.py
Resource
win7-20230831-en
Behavioral task
behavioral30
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/inventory/aws_ec2.py
Resource
win10v2004-20230915-en
Behavioral task
behavioral31
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/inventory/aws_rds.py
Resource
win7-20230831-en
Behavioral task
behavioral32
Sample
usr/lib/python3.11/site-packages/ansible_collections/amazon/aws/plugins/inventory/aws_rds.py
Resource
win10v2004-20230915-en
General
-
Target
-
Size
512B
-
MD5
e0ed66a6299f440037dbcefed3a509d8
-
SHA1
b2f31b5f8e78e7ef064e73c5bed4e27f1b8093a4
-
SHA256
42ff56a2ca940a628d4b11a34043d5789c330fd2dd279947b78f3fe998e122e9
-
SHA512
cba851442e9c6bdec7c2f2b398edb8b688255bafc6fe4c8dbefc995276505deeb1e9e5bdbf65217f6b532690e2e79012f9f83ff4178da8a436b2d434729f96cd
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log MSPUB.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar MSPUB.EXE Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" MSPUB.EXE Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" MSPUB.EXE Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" MSPUB.EXE Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt MSPUB.EXE Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote MSPUB.EXE Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" MSPUB.EXE Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" MSPUB.EXE Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel MSPUB.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2612 MSPUB.EXE 2612 MSPUB.EXE 2612 MSPUB.EXE 2612 MSPUB.EXE 2612 MSPUB.EXE 2612 MSPUB.EXE 2612 MSPUB.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2612 wrote to memory of 2496 2612 MSPUB.EXE 31 PID 2612 wrote to memory of 2496 2612 MSPUB.EXE 31 PID 2612 wrote to memory of 2496 2612 MSPUB.EXE 31 PID 2612 wrote to memory of 2496 2612 MSPUB.EXE 31
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE"C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE" C:\Users\Admin\AppData\Local\Temp\[email protected]1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2496
-