Analysis
  max time kernel: 151s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-20230915-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12/10/2023, 13:51
Static task: static1
Behavioral task: behavioral1
  Sample: b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Resource: win10v2004-20230915-en
General
  Target: b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Size: 80KB
  MD5: af751f552eb2bdc941fa1c9c6da9b12f
  SHA1: 241823daabcd3be14acd1e5989b8c51d0dee418c
  SHA256: b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c
  SHA512: ae373083385af78988973bb8deb18e0a4e60176d54797c989f293f837e1ff2ed03810079e34f37cec6d81b46964f6f894ba2167c419173713f747b7be5e88cf8
  SSDEEP: 1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWOr0p9:GhfxHNIreQm+Hi40p9
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid  | Process
  2492 | rundll32.exe
Modifies system executable filetype association (2 TTPs, 5 IoCs)
  description     | ioc                                                                                   | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"      | rundll32.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                        | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"         | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"      | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                        | rundll32.exe
Drops file in System32 directory (4 IoCs)
  description                  | ioc                                  | Process
  File opened for modification | C:\Windows\SysWOW64\¢«.exe           | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  File created                 | C:\Windows\SysWOW64\¢«.exe           | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe    | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  File created                 | C:\Windows\SysWOW64\notepad¢¬.exe    | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
Drops file in Windows directory (2 IoCs)
  description                  | ioc                             | Process
  File opened for modification | C:\Windows\system\rundll32.exe  | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  File created                 | C:\Windows\system\rundll32.exe  | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
Modifies registry class (15 IoCs)
  description     | ioc                                                                                   | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"       | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\MSipv                                             | rundll32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1697438334"                        | rundll32.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                        | rundll32.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                        | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command                        | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"      | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"                              | rundll32.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command                        | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"         | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"      | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"       | rundll32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1697438334"                     | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"     | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\MSipv                                             | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid  | Process
  1380 | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe   (this same entry is reported 28 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  | Process
  2492 | rundll32.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid  | Process
  1380 | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
  2492 | rundll32.exe
  2492 | rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       | pid  | Process                                                                | procid_target
  PID 1380 wrote to memory of 2492  | 1380 | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe | 83
  PID 1380 wrote to memory of 2492  | 1380 | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe | 83
  PID 1380 wrote to memory of 2492  | 1380 | b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe | 83
Processes
  C:\Users\Admin\AppData\Local\Temp\b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b7da9b80d0cbe72dca79b2e5eec26d8c7329fcf47394bffb6d13fda39c95ff8c.exe"
    PID: 1380
    - Modifies system executable filetype association
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system\rundll32.exe  (child of PID 1380)
      Command line: C:\Windows\system\rundll32.exe
      PID: 2492
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 73KB
  MD5: daf685cd88ff11511590fe29b4757092
  SHA1: 53ad216acb80dabf8dce247785972460c0085f9b
  SHA256: 56e98a41fd813d4720c094234bfe2081734ee4688bae3e8c253e8caca8cc0f43
  SHA512: 5f752c32b0c0e78abc02d2f8118a9765d3e30ea7939d1e320ce08fb0568f337cf1a5fd3127123130126fd5b4efcb59056772a71b6572537ec4219bc35a504878

  Filesize: 80KB
  MD5: cffe73b8514ddd4db1605795bb4b4766
  SHA1: 04feeecf25603b5721dd2384e81572661a4fd8f7
  SHA256: 7682453dd2dfa3e5cabc7b4cc4f97269f12fa52886115d1a04a48aeceacc1ff0
  SHA512: 7ae643a26d1d22905fa68031c47842bd4c94d008d9503ea493a0749e3f048a48564f275a951af319201b2b9665427f8df17ebcc4b5b9dca350f73103dbe1efe2

  Filesize: 80KB
  MD5: cffe73b8514ddd4db1605795bb4b4766
  SHA1: 04feeecf25603b5721dd2384e81572661a4fd8f7
  SHA256: 7682453dd2dfa3e5cabc7b4cc4f97269f12fa52886115d1a04a48aeceacc1ff0
  SHA512: 7ae643a26d1d22905fa68031c47842bd4c94d008d9503ea493a0749e3f048a48564f275a951af319201b2b9665427f8df17ebcc4b5b9dca350f73103dbe1efe2