Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
15/10/2023, 19:42
Behavioral task
behavioral1
Sample
aa56ab41ce654f992662484f13a7fc80_exe32.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
aa56ab41ce654f992662484f13a7fc80_exe32.exe
Resource
win10v2004-20230915-en
General
-
Target
aa56ab41ce654f992662484f13a7fc80_exe32.exe
-
Size
19KB
-
MD5
aa56ab41ce654f992662484f13a7fc80
-
SHA1
b2f068033bee68608773dbf41a7a24a9e1773877
-
SHA256
bff4f0d2bbc300897e337678afc5bc992e34e400b11dcb8529066e0a000a1919
-
SHA512
c8e18d98ea352cbed2bc2b3bb61a829166cb25628eea02973625053353a072f379a061f26c6b16ab83fa6531a0829931396bdca1ff4c84788f30d6a459c254e2
-
SSDEEP
384:y6l3OmWqRRsHESTnJEkZAnoAO218NHdyTsvMfU:yK3wESTWOO8NHdRvyU
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run aa56ab41ce654f992662484f13a7fc80_exe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft Web = "C:\\Users\\Admin\\AppData\\Roaming\\win32web.exe" aa56ab41ce654f992662484f13a7fc80_exe32.exe Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run aa56ab41ce654f992662484f13a7fc80_exe32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft Web = "C:\\Users\\Admin\\AppData\\Roaming\\win32web.exe" aa56ab41ce654f992662484f13a7fc80_exe32.exe -
resource yara_rule behavioral1/memory/1168-0-0x0000000000400000-0x000000000040A000-memory.dmp upx behavioral1/files/0x0009000000012020-7.dat upx behavioral1/memory/1168-39-0x0000000000400000-0x000000000040A000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Web = "C:\\Users\\Admin\\AppData\\Roaming\\win32web.exe" aa56ab41ce654f992662484f13a7fc80_exe32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Web = "C:\\Users\\Admin\\AppData\\Roaming\\win32web.exe" aa56ab41ce654f992662484f13a7fc80_exe32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1168 aa56ab41ce654f992662484f13a7fc80_exe32.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1168 aa56ab41ce654f992662484f13a7fc80_exe32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1168 aa56ab41ce654f992662484f13a7fc80_exe32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa56ab41ce654f992662484f13a7fc80_exe32.exe"C:\Users\Admin\AppData\Local\Temp\aa56ab41ce654f992662484f13a7fc80_exe32.exe"1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1168
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD5e8d645a287d5fd7abc05701b0ce35c83
SHA1ba53dd42afc884bbec94c303428a4b1022abaae2
SHA256223c1d38014eb92db065d5fb57f0dfdbf8c1300c81fbc209b059b5d1585d6c61
SHA5125670ce12292c0cad3ffbbed2679c87b263e23c488e5082e0aa1f04cb72fb6aa7e7eab1a20d841f9dcec26ee8def5226fe1bc6f560acc23b803b61ee2841b9855