Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 17/11/2023, 22:58
Tasks
- Static task: static1
- Behavioral task behavioral1: sample NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe on resource win7-20231020-en
- Behavioral task behavioral2: sample NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe on resource win10v2004-20231020-en

The signatures, process tree and collected files below are the results of behavioral1 (platform windows7_x64, as listed under Analysis).
General
- Target: NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe
- Size: 211KB
- MD5: 3aa153304f53a2ea33e4c74a4ad07dd0
- SHA1: 620eb2916f6c484e6ddc95932e8ef7b3720a137f
- SHA256: 91e8a25e056ef3d6d6c733170ba9ae92e2dac95866c2c7ef865eb97cf77b91b1
- SHA512: b16947b8f6b7558dc410657032722520dc9b7491045763ca071133b358904b15a795017d99adba66ea08843f2094951b137335456776a6e21f8fcbf81fc6af8a
- SSDEEP: 3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1Fqnj:b1iNKQxENHLfMgw7y9Zrs
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | userinit.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | swchost.exe |

The stock Shell value is the single entry "explorer.exe". Winlogon starts every comma-separated entry in this value at interactive logon, so the appended c:\windows\userinit.exe (the dropped copy, not the genuine C:\Windows\System32\userinit.exe) is launched with every session. All of the registry writes on this page land under Wow6432Node, which confirms the sample runs as a 32-bit process under WOW64 on this x64 image.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | userinit.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | swchost.exe |

ShowSuperHidden = 0 keeps files carrying the hidden and system attributes out of Explorer listings; the sample re-applies it for the logged-on user's SID.

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | userinit.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | userinit.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe |

Active Setup runs a component's StubPath in the user's context at logon whenever the per-user copy of the key under HKCU is missing or carries an older Version than the HKLM entry. Two details are worth keying on: neither component name is a well-formed GUID (VMVQ, NUFL, OTRW and U5GH are not hex), and the StubPath points into a user-writable directory. mrsys.exe does not appear in any other signature on this page; the file-drop signatures only cover the Windows and System32 directories, so a copy written to AppData\Local would not be listed here.
Executes dropped EXE (4 IoCs)

| pid | Process |
|---|---|
| 2104 | userinit.exe |
| 2888 | spoolsw.exe |
| 2624 | swchost.exe |
| 2604 | spoolsw.exe |

Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | userinit.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | userinit.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | swchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | swchost.exe |

Windows deletes a RunOnce value after executing it, so both long-lived copies re-write the two values during the run, which is consistent with the entries being refreshed on every start. The value name "userinit" and the image name mimic the genuine userinit.exe, but the image path is C:\Windows itself rather than System32.

Drops file in System32 directory (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\udsys.exe | userinit.exe |

The path is SysWOW64, not System32: file-system redirection sends a 32-bit process's System32 writes there on x64 Windows.

Drops file in Windows directory (5 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\c:\windows\swchost.exe | spoolsw.exe |
| File opened for modification | \??\c:\windows\userinit.exe | userinit.exe |
| File opened for modification | \??\c:\windows\swchost.exe | swchost.exe |
| File opened for modification | \??\c:\windows\userinit.exe | NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe |
| File opened for modification | \??\c:\windows\spoolsw.exe | userinit.exe |

The drop order matches the process tree: the submitted sample writes c:\windows\userinit.exe and launches it; that copy writes spoolsw.exe; spoolsw.exe writes swchost.exe.
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)

64 entries: 764 NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe once, then 2104 userinit.exe and 2624 swchost.exe repeatedly, alternating for the rest of the run. The two long-lived dropped copies are the ones polling the process list.

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
|---|---|
| 2104 | userinit.exe |
| 2624 | swchost.exe |

Suspicious use of SetWindowsHookEx (12 IoCs)

| pid | Process | entries |
|---|---|---|
| 764 | NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe | 2 |
| 2104 | userinit.exe | 4 |
| 2888 | spoolsw.exe | 2 |
| 2624 | swchost.exe | 2 |
| 2604 | spoolsw.exe | 2 |

Suspicious use of WriteProcessMemory (16 IoCs)

| description | pid | Process | procid_target | entries |
|---|---|---|---|---|
| PID 764 wrote to memory of 2104 | 764 | NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe | 29 | 4 |
| PID 2104 wrote to memory of 2888 | 2104 | userinit.exe | 30 | 4 |
| PID 2888 wrote to memory of 2624 | 2888 | spoolsw.exe | 31 | 4 |
| PID 2624 wrote to memory of 2604 | 2624 | swchost.exe | 32 | 4 |

Each row appears four times in the raw report. Every write targets the process's own freshly created child, matching the Processes tree (764 -> 2104 -> 2888 -> 2624 -> 2604); nothing on this page shows a write into a foreign, pre-existing process.
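The registry signatures above give the exact key, value and writing process for each persistence write, which is what a host check or a SIEM rule matches on. The following Python is an added example, not part of the tria.ge report or of any tool it uses: it parses IoC lines in the format printed above and applies four checks, namely a Winlogon Shell value that is anything other than the stock "explorer.exe", Active Setup components whose key name is not a well-formed GUID or whose StubPath points into a user-writable directory, Run/RunOnce images located directly in the Windows root or in a user-writable directory (a heuristic threshold of mine, not tria.ge's), and ShowSuperHidden forced to 0. The six IoC lines are copied from this page; the OneDrive line is a constructed benign control that should produce no finding.

```python
"""Flag persistence-style registry writes in tria.ge "Set value" / "Key created" / "Key deleted" IoC lines."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IoC lines copied from this report's Signatures section; the trailing token is the writing process.
# The last line is a constructed benign control (a normal Run entry) and is not from the report.
IOC_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" userinit.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" userinit.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" swchost.exe',
    r'Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} swchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" userinit.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" swchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background" explorer.exe',
]

# "<op> <path>[ = "<value>"] <process>": the lazy body stops at the last whitespace-delimited *.exe token.
LINE_RE = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created|Key deleted)\s+'
    r'(?P<body>.+?)\s+(?P<proc>\S+\.exe)$'
)
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$')
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\', '\\programdata\\')
# Heuristic (mine): an autorun image sitting directly in the Windows root rather than System32/SysWOW64.
WINDOWS_ROOT_IMAGE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe$')


@dataclass
class RegEvent:
    op: str
    path: str             # native \REGISTRY\... path exactly as tria.ge prints it
    value: Optional[str]  # None for Key created / Key deleted
    proc: str             # process that performed the write


def parse_line(line: str) -> Optional[RegEvent]:
    m = LINE_RE.match(line)
    if not m:
        return None
    body, value = m['body'], None
    if m['op'].startswith('Set value'):
        body, _, raw = body.rpartition(' = "')
        value = raw.rstrip('"').replace('\\\\', '\\')  # undo tria.ge's doubled backslashes
    return RegEvent(m['op'], body, value, m['proc'])


def check(ev: RegEvent) -> List[str]:
    path = ev.path.lower()
    value = (ev.value or '').lower()
    hits: List[str] = []
    if path.endswith('\\winlogon\\shell'):
        # Winlogon launches every comma-separated entry; only "explorer.exe" is stock.
        if [e.strip() for e in value.split(',')] != ['explorer.exe']:
            hits.append('winlogon_shell_altered')
    if '\\active setup\\installed components\\' in path:
        component = path.split('\\installed components\\', 1)[1].split('\\', 1)[0]
        if not GUID_RE.match(component):
            hits.append('active_setup_non_guid_component')
        if path.endswith('\\stubpath') and any(d in value for d in USER_WRITABLE):
            hits.append('active_setup_stub_in_user_writable_dir')
    if re.search(r'\\currentversion\\run(once)?\\', path) and value:
        image = value[: value.find('.exe') + 4] if '.exe' in value else value
        if WINDOWS_ROOT_IMAGE.match(image) or any(d in image for d in USER_WRITABLE):
            hits.append('autorun_image_in_unexpected_dir')
    if path.endswith('\\explorer\\advanced\\showsuperhidden') and value == '0':
        hits.append('hides_protected_os_files')
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, writing process) pairs for every line that trips a check."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        if ev:
            findings.extend((rule, ev.proc) for rule in check(ev))
    return findings


if __name__ == '__main__':
    for rule, proc in scan(IOC_LINES):
        print(f'{rule:42} written by {proc}')
```

On a live host the same four checks map onto reading HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, the Installed Components subkeys, the Run/RunOnce keys and the per-user Explorer\Advanced\ShowSuperHidden value; the parser only exists so the rules can be exercised against report text offline.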
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe (PID 764)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\userinit.exe (PID 2104, child of 764)
    command line: c:\windows\userinit.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\spoolsw.exe (PID 2888, child of 2104)
      command line: c:\windows\spoolsw.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\swchost.exe (PID 2624, child of 2888)
        command line: c:\windows\swchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\spoolsw.exe (PID 2604, child of 2624)
          command line: c:\windows\spoolsw.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

Every dropped binary is named after, or one letter away from, a Windows system binary: userinit.exe (the genuine one lives in C:\Windows\System32, never directly in C:\Windows), spoolsw.exe (cf. spoolsv.exe) and swchost.exe (cf. svchost.exe). A full-path comparison against the expected System32 location separates these from the real processes; a name-only match does not. The single-token arguments SE and PR here, RO in the RunOnce values and MR in the Active Setup StubPath distinguish the launch contexts of the copies.
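The tree above and the WriteProcessMemory rows describe the same launch chain, and the file names are the detection hook. This Python is an added example, not from tria.ge or from the sample: it collapses the repeated "wrote to memory of" rows into parent-child edges, walks the chain from the root to the leaf, and scores each image path for masquerading against a short list of System32 binaries using edit distance. The rows and image paths are copied from this page (the first row is kept twice on purpose to show that duplicates collapse); the list of system binaries and the one-edit threshold are my assumptions.

```python
"""Rebuild the launch chain from tria.ge "wrote to memory of" rows and flag system-binary lookalikes."""
import re
from collections import OrderedDict
from typing import Dict, List, Optional

# Rows copied from this report's "Suspicious use of WriteProcessMemory" signature. tria.ge prints each
# parent->child edge four times; the first edge is kept twice here so the de-duplication is visible.
WPM_ROWS = [
    "PID 764 wrote to memory of 2104 764 NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe 29",
    "PID 764 wrote to memory of 2104 764 NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe 29",
    "PID 2104 wrote to memory of 2888 2104 userinit.exe 30",
    "PID 2888 wrote to memory of 2624 2888 spoolsw.exe 31",
    "PID 2624 wrote to memory of 2604 2624 swchost.exe 32",
]
# Image paths from the Processes tree, keyed by PID (\??\ is the NT path prefix as tria.ge prints it).
IMAGES: Dict[int, str] = {
    764: r"C:\Users\Admin\AppData\Local\Temp\NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe",
    2104: r"\??\c:\windows\userinit.exe",
    2888: r"\??\c:\windows\spoolsw.exe",
    2624: r"\??\c:\windows\swchost.exe",
    2604: r"\??\c:\windows\spoolsw.exe",
}
# Assumption: genuine Windows binaries that live in System32 (SysWOW64 for the 32-bit copies).
SYSTEM_BINARIES = ("userinit.exe", "svchost.exe", "spoolsv.exe", "winlogon.exe", "lsass.exe", "csrss.exe")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def build_edges(rows: List[str]):
    """Map child PID -> (parent PID, parent image name); repeated rows for one edge collapse to one."""
    edges = OrderedDict()
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            edges.setdefault(int(m[2]), (int(m[1]), m[3]))
    return edges


def chain(edges, pid: int) -> List[int]:
    """Ancestry of pid from the root down, e.g. [764, 2104, 2888, 2624, 2604]."""
    path = [pid]
    while path[-1] in edges:
        path.append(edges[path[-1]][0])
    return path[::-1]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough to catch one-character swaps such as spoolsv -> spoolsw."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_verdict(image_path: str) -> Optional[str]:
    """'wrong_dir' when a genuine system-binary name runs outside System32/SysWOW64,
    'lookalike:<name>' when the file name is one edit away from one, None otherwise."""
    p = image_path.lower().replace("\\??\\", "")
    name = basename(p)
    if name in SYSTEM_BINARIES:
        return None if any(d in p for d in SYSTEM_DIRS) else "wrong_dir"
    for legit in SYSTEM_BINARIES:
        if levenshtein(name, legit) == 1:
            return f"lookalike:{legit}"
    return None


def analyse(rows: List[str] = WPM_ROWS, images: Dict[int, str] = IMAGES) -> dict:
    edges = build_edges(rows)
    parents = {parent for parent, _ in edges.values()}
    leaves = [pid for pid in images if pid not in parents]
    return {
        "chains": {leaf: chain(edges, leaf) for leaf in leaves},
        "verdicts": {pid: masquerade_verdict(path) for pid, path in images.items()},
    }


if __name__ == "__main__":
    result = analyse()
    for leaf, pids in result["chains"].items():
        print("launch chain:", " -> ".join(f"{p} {basename(IMAGES[p])}" for p in pids))
    for pid, verdict in result["verdicts"].items():
        print(f"PID {pid:>5}: {verdict or 'no masquerade indicator'}  ({IMAGES[pid]})")
```

The same two checks (expected directory for a known name, small edit distance for an unknown one) apply to live process-creation telemetry; the report rows are only the offline input here.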
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1

Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Downloads

Nine artifacts were collected, every one 211KB, the same size as the submitted sample. They carry four distinct hash sets; the report does not state which dropped path each entry belongs to.

| Seen | MD5 | SHA1 | SHA256 | SHA512 |
|---|---|---|---|---|
| 1 | eadf51ad1695128b070f2fa4f0956991 | c69ef227a11445ce37a7db30880a1c25fbe0dfe9 | f742b4a5e3283f21a1c2616faf2cda521fcf3fbd2cd887e144b8f2804a84169b | b1b83abfa1baa2826a67e9460dc0b5e004787f8bbe5413ed344488c1df8f7e018ce5f4c2368bbfcda6b9a2b3662adbb3884b7bb5befe83899e9f371e5c3b40c1 |
| 3 | 7399365c217819b86b7eaa6a5f283cd0 | 99a0b753c4d5ec07c6771445ed0ac76fd53906e9 | 9a620f754391ab893285c1b6f2ccd80551608da85cd319627398e2c0e296adf5 | abee12c63444c453b759c597016b174601ce4ea80cddfca8731b1d7a4a12f9e0f02323c28bed0acee3bc32b9217bb0ef0b5acee7ef272609eff9609abb7323a4 |
| 2 | 1f32dbbf091651b3c357dfd88fa228e2 | 6d30ef9eee3e8708d8fda2d4f40d87ceac05739e | 660dea3a2c1925eef7a9e7882a2de3aca0a56c843e75fda5f644cd9a5c60b0f5 | 36cc1bf5b85d5e1c1fa90fb8c9becac22f4baab864016cfc96685afd5c548e04d579c8a39b2572deba24225763ab2b43e36252aadb8832fe31d54b7a87f9735e |
| 3 | c0098356e98ab3681b66102567bdc4bd | 12f6ff757a1ea1de06de0fdda0fc50660211e495 | a7da676df7732697313594dac461ddd4bebb8940129a0f8b078dcefd3b485f79 | 11106e9116d48c56ec7234d427f9c4af004061aba449ec221d155b9d5b133e17232fa8ee8075be3c054e5233992e1c74b5d774e0e4f81a5b08494274bf71af2e |

None of the four hashes equals the submitted sample's (MD5 3aa153304f53a2ea33e4c74a4ad07dd0), so the copies are not byte-identical to the original despite the matching size; hunt on the dropped paths and the registry values rather than on the sample hash alone.