Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 16/10/2023, 12:29
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 672e9f77574046d921e0c85e32525d80b471d3c347062a507b18264c9c9325e0.exe
  - Resource: win7-20230831-en

Behavioral task
- behavioral2
  - Sample: 672e9f77574046d921e0c85e32525d80b471d3c347062a507b18264c9c9325e0.exe
  - Resource: win10v2004-20230915-en
General
- Target: 672e9f77574046d921e0c85e32525d80b471d3c347062a507b18264c9c9325e0.exe
- Size: 3.0MB
- MD5: ffce553470a65773e95908f4a62f438a
- SHA1: ab725462d57540813fcf1003ed74f82d31b50958
- SHA256: 672e9f77574046d921e0c85e32525d80b471d3c347062a507b18264c9c9325e0
- SHA512: bbe5a8179db57b6b33948f0e98ffcd349f1908c5ab601cde7d4a5fcaa364c9768962b9ca83fb25f35862e78d4df7d8952a60f083137b4299fd112393b5de6e28
- SSDEEP: 49152:D7TvfU+8X9GrNOsva5RbKhF3ANkTTlhOnsgvP5YzDhtj:Q+8X9G3vP3AMLOsgvPqb
Malware Config
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Active Setup\Installed Components (process: explorer.exe)

Modifies registry class (5 IoCs)
- Set value (data): \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_Classes\Local Settings (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (process: explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (process: explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (process: explorer.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1860, explorer.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
- Token: SeShutdownPrivilege, PID 1860, explorer.exe (12 identical entries)

Suspicious use of FindShellTrayWindow (29 IoCs)
- PID 1860, explorer.exe (29 identical entries)

Suspicious use of SendNotifyMessage (18 IoCs)
- PID 1860, explorer.exe (18 identical entries)

Uses Task Scheduler COM API (1 TTP)
- The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\672e9f77574046d921e0c85e32525d80b471d3c347062a507b18264c9c9325e0.exe
  - Command line: "C:\Users\Admin\AppData\Local\Temp\672e9f77574046d921e0c85e32525d80b471d3c347062a507b18264c9c9325e0.exe"
  - PID: 320
- C:\Windows\explorer.exe
  - Command line: explorer.exe
  - PID: 1860
  - Signatures:
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage