Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 24/10/2023, 11:40
(The signatures, process tree and dropped-file hashes on this page are from the windows7_x64 run, i.e. behavioral1 below.)
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: edf17c9cf70f0213d7ffc5d9fe33ecdeebf3ad374106801b12ec081a146f9990.exe
  Resource: win7-20231020-en
- Behavioral task: behavioral2
  Sample: edf17c9cf70f0213d7ffc5d9fe33ecdeebf3ad374106801b12ec081a146f9990.exe
  Resource: win10v2004-20231020-en
General
- Target: edf17c9cf70f0213d7ffc5d9fe33ecdeebf3ad374106801b12ec081a146f9990.exe
- Size: 2.7MB
- MD5: a1c2538bfc8c09de60359bfa02e06345
- SHA1: 6d0fb1dcf1d1749c37eff6521a2b24013b369912
- SHA256: edf17c9cf70f0213d7ffc5d9fe33ecdeebf3ad374106801b12ec081a146f9990
- SHA512: 86e7397d3e817d299beb61332a94ebe55872df66c2d56315243806a917e01c916741fad83c7d10283deb2c80ac4de816aee396f489ebba4eddd8cba1073a6c91
- SSDEEP: 24576:C+BfpxcseE3rZEw0zzTXrs2YPTEXs13E1RF1Ydx//9Pld:CmfDcmZEwII2YPTa15o
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1728  Sevesc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\ϵͳÉý¼¶×é¼þ = "C:\\Windows\\Sevesc.exe"  (process: Sevesc.exe)
  The value name is GBK-encoded Chinese (系统升级组件, "System upgrade component") shown here as mojibake; match on the value data rather than the name when hunting. The data points at the dropped copy in C:\Windows, so it is relaunched at the user's next logon. Because it lives under the user hive (HKCU), it persists only for this account.
- Drops file in Windows directory (3 IoCs)
  File created                  C:\Windows\Sevesc.exe   edf17c9cf70f0213d7ffc5d9fe33ecdeebf3ad374106801b12ec081a146f9990.exe
  File opened for modification  C:\Windows\Sevesc.exe   edf17c9cf70f0213d7ffc5d9fe33ecdeebf3ad374106801b12ec081a146f9990.exe
  File opened for modification  C:\Windows\Sevesc.exe   Sevesc.exe
  Creating a file directly in C:\Windows needs an elevated token. The sandbox runs the sample from C:\Users\Admin\..., so on a standard-user host this drop, and therefore the second stage, would fail unless the sample is run elevated.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        Sevesc.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   Sevesc.exe
  ~MHz holds the CPU clock speed as reported at boot; values in this key are commonly compared against thresholds to spot virtual machines, but the report only records the read, not what was done with the result.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1728  Sevesc.exe  (the same process, recorded 64 times)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 1688  edf17c9cf70f0213d7ffc5d9fe33ecdeebf3ad374106801b12ec081a146f9990.exe  (2 entries)
  pid 1728  Sevesc.exe  (2 entries)
  SetWindowsHookEx is used for keyboard/mouse hooks and for loading a DLL into other processes, but also by ordinary GUI code; the report does not say which hook type was installed.
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1688 (edf17c9cf70f0213d7ffc5d9fe33ecdeebf3ad374106801b12ec081a146f9990.exe) wrote to memory of PID 1728 (Sevesc.exe), procid_target 28  (4 identical entries)
  The writes go from the parent into the child it has just launched and the report does not show what was written, so on its own this is consistent with process setup as much as with injection.
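The Run-key, dropped-file and process signatures above are host artifacts a responder can check directly on a suspect machine. The following PowerShell is an added example written for this page; it is not part of the tria.ge report and not code from the sample. It takes the file path, file name and hashes from the report, and assumes it is run with local administrator rights on the host being checked (reading other users' hives under HKEY_USERS requires them). The registry value name is matched on its data rather than its mojibake name.

```powershell
# Added example (not part of the tria.ge report): hunt for the artifacts this
# report lists. Path, hashes and file name come from the report; the SID in the
# report is host-specific, so every loaded hive under HKEY_USERS is checked.
# Assumption: run as a local administrator on the host under investigation.

$ReportedPath   = 'C:\Windows\Sevesc.exe'
$ReportedSha256 = '3d377695125c008ac6e8d8bfe4ed8fa0f7ac2f8da23ba06ab5feb586e86b1056'  # 145KB file from the report
$ReportedMd5    = '6dcf6c2ee786ab5a1d46a05a5caa2566'
$Findings = @()

# 1. Dropped file in C:\Windows. Report the file even when the hash differs:
#    same name with a different build is still worth a look.
if (Test-Path -LiteralPath $ReportedPath) {
    $sha256 = (Get-FileHash -LiteralPath $ReportedPath -Algorithm SHA256).Hash.ToLower()
    $md5    = (Get-FileHash -LiteralPath $ReportedPath -Algorithm MD5).Hash.ToLower()
    $Findings += [pscustomobject]@{
        Type      = 'DroppedFile'
        Detail    = $ReportedPath
        HashMatch = ($sha256 -eq $ReportedSha256 -and $md5 -eq $ReportedMd5)
        SHA256    = $sha256
    }
}

# 2. Run-key persistence in every loaded user hive. The report's value name is
#    GBK text rendered as mojibake, so match on the value data (the path) instead.
$runKeys = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run" } |
    Where-Object { Test-Path -LiteralPath $_ }
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
        if ("$($p.Value)" -match 'Sevesc\.exe') {
            $Findings += [pscustomobject]@{
                Type      = 'RunKey'
                Detail    = "$key : '$($p.Name)' = $($p.Value)"
                HashMatch = $null
                SHA256    = $null
            }
        }
    }
}

# 3. A live process running from the dropped image (report: PID 1728 Sevesc.exe).
foreach ($proc in (Get-Process -Name Sevesc -ErrorAction SilentlyContinue)) {
    $Findings += [pscustomobject]@{
        Type      = 'Process'
        Detail    = "PID $($proc.Id) $($proc.Path)"
        HashMatch = $null
        SHA256    = $null
    }
}

if ($Findings.Count -eq 0) {
    'No Sevesc.exe artifacts found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session; a RunKey hit without a DroppedFile hit means the payload was removed but the persistence entry was left behind, and a DroppedFile hit with HashMatch False means a different build of the same dropper name is present and should be collected for analysis rather than assumed to be this sample.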
Processes
- C:\Users\Admin\AppData\Local\Temp\edf17c9cf70f0213d7ffc5d9fe33ecdeebf3ad374106801b12ec081a146f9990.exe  (PID 1688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\edf17c9cf70f0213d7ffc5d9fe33ecdeebf3ad374106801b12ec081a146f9990.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Sevesc.exe  (PID 1728)
    Command line: C:\Windows\\Sevesc.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 145KB  (three identical entries in the report; one file)
  MD5: 6dcf6c2ee786ab5a1d46a05a5caa2566
  SHA1: cc07d909162c538e44f600076f2b7e6ee0b48d46
  SHA256: 3d377695125c008ac6e8d8bfe4ed8fa0f7ac2f8da23ba06ab5feb586e86b1056
  SHA512: 56ba40f87e16e6397e971c6fc908d0ec0aaeb16b959b01695648894b3679273b6a86a833935ba79803dc7c83be639c8c4c2810b6049973efe36cf812a626755b
  These hashes differ from the submitted 2.7MB sample's, so this is a separate 145KB artifact rather than a self-copy of the submission.