Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
14/11/2023, 19:10
General
-
Target
4ae26fb45091aa7df4f1fee978d786b5534ce6d1d4b2045f1eed94418918c890.exe
-
Size
1.3MB
-
MD5
3abcd9dbaca01dcae09569ec7c683542
-
SHA1
4bf7aaa067bece0b0d100a12060296962e91a7fe
-
SHA256
4ae26fb45091aa7df4f1fee978d786b5534ce6d1d4b2045f1eed94418918c890
-
SHA512
7b85b1125905eef426c81e1471865af0d37bc36450147ed45dae6fc2a6278602db212a14baa9e3b3d0958c63ed147bcd95dcd8cc950a8ed907f780c86edeb716
-
SSDEEP
24576:DrsYD6+IeW9/4G4QZw//e26fpruGILBVRTwwp+K556h8ZxGZl1MCamBVRTwwpq:cG6+Ip934iqBVRTwwp+456kily3mBVR0
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ae26fb45091aa7df4f1fee978d786b5534ce6d1d4b2045f1eed94418918c890.exe"C:\Users\Admin\AppData\Local\Temp\4ae26fb45091aa7df4f1fee978d786b5534ce6d1d4b2045f1eed94418918c890.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4ae26fb45091aa7df4f1fee978d786b5534ce6d1d4b2045f1eed94418918c890.exeC:\Users\Admin\AppData\Local\Temp\4ae26fb45091aa7df4f1fee978d786b5534ce6d1d4b2045f1eed94418918c890.exe2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- System policy modification
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD539a2cc63eb685e59f13b936a7a668a7e
SHA166228dfa586d19d70411100e94ba19585220d7ec
SHA2566404ce311622663375f4215a5c271f9540ee85ee3d9847b02a372129ccdf3a32
SHA512ce6de0a09051097a61015f47cae775845fc070590088da5334209a91b6688e334d27e6aeb3ca27b22b796e650cf37534692c33eeb0b850ff8583e41546fc3c06
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
1.3MB
MD539a2cc63eb685e59f13b936a7a668a7e
SHA166228dfa586d19d70411100e94ba19585220d7ec
SHA2566404ce311622663375f4215a5c271f9540ee85ee3d9847b02a372129ccdf3a32
SHA512ce6de0a09051097a61015f47cae775845fc070590088da5334209a91b6688e334d27e6aeb3ca27b22b796e650cf37534692c33eeb0b850ff8583e41546fc3c06
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
360KB
-
Filesize
360KB
-
Filesize
360KB