Analysis
Max time kernel: 134s
Max time network: 136s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 24/12/2023, 15:19
Static task: static1
Behavioral task: behavioral1
  Sample: 03785c361c90be52900c5136081911e6.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 03785c361c90be52900c5136081911e6.exe
  Resource: win10v2004-20231215-en
General
Target: 03785c361c90be52900c5136081911e6.exe
Size: 249KB
MD5: 03785c361c90be52900c5136081911e6
SHA1: c44b7caedf38bcabb8813f8a7f2720782c66e161
SHA256: 6dbbe86be4a70e91a8b8f1e21202b6e733dec8d35f535cd81643fcd02e8e263b
SHA512: dbf4bb452dd50f6743edad031be99f47f003c6bebbd675c656ab6836f9b064d68599d64d70aa4d08ecff39416d4b274deca952fb8eaf9ff5550a67ba3bd02a84
SSDEEP: 3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQSq54p1YYhD/6KgXz:gDCwfG1bnxLERRLT3YYhLrgXz
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 03785c361c90be52900c5136081911e6.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | avscan.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hosts.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 03785c361c90be52900c5136081911e6.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | avscan.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hosts.exe
  Note: HideFileExt=1 and ShowSuperHidden=0 are Explorer's defaults, so these writes undo any "show extensions / show protected files" change a user or analyst made; with them in force a dropped hosts.exe is listed simply as "hosts".

Adds policy Run key to start application (2 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DJLAPDMX = "W_X_C.bat" | WScript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
  (the pair above is recorded three times, once per WScript.exe instance)
  Note: values under Policies\Explorer\Run are launched by Explorer at logon. The bare file name resolves because W_X_C.bat was dropped into C:\Windows, which is on the default search path.

Executes dropped EXE (6 IoCs)
  pid | Process
  2140 | avscan.exe
  2836 | avscan.exe
  2580 | hosts.exe
  2400 | avscan.exe
  2776 | hosts.exe
  2240 | hosts.exe

Loads dropped DLL (5 IoCs)
  pid | Process
  2064 | 03785c361c90be52900c5136081911e6.exe
  2064 | 03785c361c90be52900c5136081911e6.exe
  2140 | avscan.exe
  2580 | hosts.exe
  2580 | hosts.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | 03785c361c90be52900c5136081911e6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | avscan.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | hosts.exe
  Note: the sample is 32-bit and writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; on this x64 image registry redirection places the value under Wow6432Node. On a 32-bit host look for it under the unredirected path.

Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | \??\c:\windows\W_X_C.bat | 03785c361c90be52900c5136081911e6.exe
  File opened for modification | C:\Windows\hosts.exe | 03785c361c90be52900c5136081911e6.exe
  File opened for modification | C:\Windows\hosts.exe | avscan.exe
  File opened for modification | C:\Windows\hosts.exe | hosts.exe
  File created | C:\windows\W_X_C.vbs | 03785c361c90be52900c5136081911e6.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTPs, 9 IoCs)
  pid | Process
  1976 | REG.exe
  2368 | REG.exe
  1764 | REG.exe
  2312 | REG.exe
  2264 | REG.exe
  1564 | REG.exe
  1816 | REG.exe
  2548 | REG.exe
  1224 | REG.exe
  Note: every one of these instances runs REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f (see Processes). That key holds the Minimal and Network allow-lists Safe Mode boots from; once it is gone the machine can no longer be started in Safe Mode for cleanup, and the key has to be restored from a known-good export or the install media.

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2140 | avscan.exe
  2580 | hosts.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  2064 | 03785c361c90be52900c5136081911e6.exe
  2140 | avscan.exe
  2580 | hosts.exe
  2400 | avscan.exe
  2776 | hosts.exe
  2240 | hosts.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2064 wrote to memory of 2548 | 2064 | 03785c361c90be52900c5136081911e6.exe | 28
  PID 2064 wrote to memory of 2140 | 2064 | 03785c361c90be52900c5136081911e6.exe | 30
  PID 2140 wrote to memory of 2836 | 2140 | avscan.exe | 31
  PID 2064 wrote to memory of 2804 | 2064 | 03785c361c90be52900c5136081911e6.exe | 32
  PID 2804 wrote to memory of 2580 | 2804 | cmd.exe | 35
  PID 2140 wrote to memory of 2608 | 2140 | avscan.exe | 34
  PID 2608 wrote to memory of 2776 | 2608 | cmd.exe | 38
  PID 2580 wrote to memory of 2400 | 2580 | hosts.exe | 37
  PID 2804 wrote to memory of 2936 | 2804 | cmd.exe | 39
  PID 2608 wrote to memory of 2644 | 2608 | cmd.exe | 40
  PID 2580 wrote to memory of 1080 | 2580 | hosts.exe | 41
  PID 1080 wrote to memory of 2240 | 1080 | cmd.exe | 43
  PID 1080 wrote to memory of 484 | 1080 | cmd.exe | 44
  PID 2140 wrote to memory of 1224 | 2140 | avscan.exe | 47
  PID 2580 wrote to memory of 1764 | 2580 | hosts.exe | 49
  PID 2140 wrote to memory of 2264 | 2140 | avscan.exe | 51
  (each row above is recorded four times in the report, giving the 64 entries; the table is capped at 64, so the later REG.exe spawns visible in the Processes section are not listed here. procid_target is the sandbox's own process index, not a Windows PID.)
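The WriteProcessMemory rows are the only place the report records parent/child pairs as data, which makes them handy for rebuilding a process tree when the rendered Processes view is missing or truncated. The script below is an added example, not tria.ge's code: it parses rows in the shape shown above (eight of them copied from this report and embedded as a constructed sample), collapses the repeated entries, and prints the tree. The row regex, the `(not a parent)` placeholder and the two-fold repetition of the sample are assumptions of the example.

```python
"""Rebuild the parent/child process tree from the report's
"Suspicious use of WriteProcessMemory" rows (added example)."""
import re
from collections import OrderedDict

# Row shape: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
# procid_target is the sandbox's own process index, not a Windows PID.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Constructed sample: eight rows copied from the report, each repeated
# twice to stand in for the four-fold repetition the report shows.
ROWS = [
    "PID 2064 wrote to memory of 2548 2064 03785c361c90be52900c5136081911e6.exe 28",
    "PID 2064 wrote to memory of 2140 2064 03785c361c90be52900c5136081911e6.exe 30",
    "PID 2140 wrote to memory of 2836 2140 avscan.exe 31",
    "PID 2064 wrote to memory of 2804 2064 03785c361c90be52900c5136081911e6.exe 32",
    "PID 2804 wrote to memory of 2580 2804 cmd.exe 35",
    "PID 2140 wrote to memory of 2608 2140 avscan.exe 34",
    "PID 2608 wrote to memory of 2776 2608 cmd.exe 38",
    "PID 2580 wrote to memory of 2400 2580 hosts.exe 37",
]
SAMPLE = " ".join(ROWS * 2)


def parse_rows(text):
    """Return {parent_pid: (parent_image, [child_pid, ...])} in first-seen
    order, with repeated rows collapsed. Only parents get an image name:
    the table never names the child process."""
    tree = OrderedDict()
    for src, dst, image, _idx in ROW.findall(text):
        src, dst = int(src), int(dst)
        _, children = tree.setdefault(src, (image, []))
        if dst not in children:
            children.append(dst)
    return tree


def roots(tree):
    """PIDs that wrote to others but were never written to: the tree tops."""
    written_to = {c for _, kids in tree.values() for c in kids}
    return [p for p in tree if p not in written_to]


def render(tree, pid, depth=0, out=None):
    """Depth-first text rendering; leaf children are shown by PID only."""
    out = [] if out is None else out
    image, children = tree.get(pid, ("(not a parent)", []))
    out.append("  " * depth + f"{pid} {image}")
    for child in children:
        render(tree, child, depth + 1, out)
    return out


if __name__ == "__main__":
    tree = parse_rows(SAMPLE)
    for root in roots(tree):
        print("\n".join(render(tree, root)))
```

Because the table is capped at 64 entries, a tree built this way stops short of the last REG.exe children (1564, 1976, 2312, 1816, 2368 in this report); cross-check it against the Processes section before treating it as complete.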
Processes

C:\Users\Admin\AppData\Local\Temp\03785c361c90be52900c5136081911e6.exe  (PID 2064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\03785c361c90be52900c5136081911e6.exe"
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\REG.exe  (PID 2548)
    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    - Modifies registry key

  C:\Users\Admin\AppData\Local\Temp\avscan.exe  (PID 2140)
    Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\avscan.exe  (PID 2836)
      Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe  (PID 2608)
      Command line: cmd /c c:\windows\W_X_C.bat
      - Suspicious use of WriteProcessMemory

      C:\windows\hosts.exe  (PID 2776)
        Command line: C:\windows\hosts.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\WScript.exe  (PID 2644)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        - Adds policy Run key to start application

    C:\Windows\SysWOW64\REG.exe  (PID 1224)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key

    C:\Windows\SysWOW64\REG.exe  (PID 2264)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key

    C:\Windows\SysWOW64\REG.exe  (PID 1564)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key

    C:\Windows\SysWOW64\REG.exe  (PID 1976)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe  (PID 2804)
    Command line: cmd /c c:\windows\W_X_C.bat
    - Suspicious use of WriteProcessMemory

    C:\windows\hosts.exe  (PID 2580)
      Command line: C:\windows\hosts.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\avscan.exe  (PID 2400)
        Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\cmd.exe  (PID 1080)
        Command line: cmd /c c:\windows\W_X_C.bat
        - Suspicious use of WriteProcessMemory

        C:\windows\hosts.exe  (PID 2240)
          Command line: C:\windows\hosts.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\WScript.exe  (PID 484)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          - Adds policy Run key to start application

      C:\Windows\SysWOW64\REG.exe  (PID 1764)
        Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key

      C:\Windows\SysWOW64\REG.exe  (PID 2312)
        Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key

      C:\Windows\SysWOW64\REG.exe  (PID 1816)
        Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key

      C:\Windows\SysWOW64\REG.exe  (PID 2368)
        Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key

    C:\Windows\SysWOW64\WScript.exe  (PID 2936)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      - Adds policy Run key to start application

Notes on the tree:
- The dropper, avscan.exe and hosts.exe each run cmd /c c:\windows\W_X_C.bat, and the batch file in turn starts hosts.exe and W_X_C.vbs, which starts the next round; the tree shows this loop repeating until the analysis timed out.
- The WScript.exe image is C:\Windows\SysWOW64\WScript.exe although the command line names System32: the 32-bit parent's request for System32 is redirected by WOW64 file-system redirection on this x64 image.
- Every REG.exe instance targets the same SafeBoot key; the nine instances differ only in which parent spawned them.
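The registry writes, the REG DELETE command and the files dropped under C:\Windows are all behaviours a host sensor records, so they translate directly into detections. The following is an added example, not code from tria.ge or from the sample's author: four rules derived from this report's IoCs, evaluated over constructed events. The event field names (event, image, target, details, command_line) are an assumption modelled on Sysmon event IDs 13, 1 and 11; the rule names, the benign look-alike events and the vendor paths are made up for the example. The rules are written a little more generally than the report's exact strings (any ControlSet, any Run value that points into a Temp directory or at a script), so they would also fire on close variants.

```python
"""Detections derived from the report's IoCs, evaluated over constructed
Sysmon-style events (registry set / process create / file create). Added example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


# Field names are an assumption modelled on Sysmon; the paths are the report's.
ADVANCED_VALUE = re.compile(
    r"\\explorer\\advanced\\(hidefileext|showsuperhidden)$", re.I)
RUN_KEY = re.compile(
    r"\\microsoft\\windows\\currentversion\\(policies\\explorer\\)?run\\", re.I)
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\", re.I)
SAFEBOOT_DELETE = re.compile(
    r'\breg(?:\.exe)?\s+delete\s+"?hk(?:lm|ey_local_machine)\\system\\'
    r'(?:currentcontrolset|controlset\d+)\\control\\safeboot\b', re.I)
WINDOWS_ROOT_DROP = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(bat|vbs|cmd|exe)$", re.I)


def _is_explorer(image: str) -> bool:
    return image.lower().endswith("\\explorer.exe")


def evaluate(event: dict) -> list:
    """Return every rule one event trips (an event can trip several)."""
    hits = []
    kind, image = event["event"], event["image"]
    if kind == "registry_set":
        target, details = event["target"], str(event.get("details", ""))
        m = ADVANCED_VALUE.search(target)
        # Explorer writes these values itself when a user changes Folder
        # Options; any other writer putting them in the hiding state is odd.
        if m and not _is_explorer(image):
            name = m.group(1).lower()
            if (name, details) in (("hidefileext", "1"), ("showsuperhidden", "0")):
                hits.append(Finding("explorer_hide_files", image, f"{name}={details}"))
        if RUN_KEY.search(target):
            policy_run = "policies\\explorer\\run" in target.lower()
            script = details.lower().endswith((".bat", ".cmd", ".vbs", ".js"))
            if policy_run or script or TEMP_PATH.search(details):
                hits.append(Finding("suspicious_run_key", image, f"{target} = {details}"))
    elif kind == "process_create":
        if SAFEBOOT_DELETE.search(event["command_line"]):
            hits.append(Finding("safeboot_key_deleted", image, event["command_line"]))
    elif kind == "file_create":
        if WINDOWS_ROOT_DROP.match(event["target"]):
            hits.append(Finding("dropped_in_windows_root", image, event["target"]))
    return hits


def scan(events) -> list:
    return [f for ev in events for f in evaluate(ev)]


# Constructed events: the report's IoCs plus four benign look-alikes.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\03785c361c90be52900c5136081911e6.exe"
ADV = (r"HKU\S-1-5-21-2444714103-3190537498-3629098939-1000"
       r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced")
SAMPLE_EVENTS = [
    {"event": "registry_set", "image": DROPPER, "target": ADV + r"\HideFileExt", "details": "1"},
    {"event": "registry_set", "image": DROPPER, "target": ADV + r"\ShowSuperHidden", "details": "0"},
    {"event": "registry_set", "image": r"C:\Windows\explorer.exe",
     "target": ADV + r"\HideFileExt", "details": "1"},                      # benign
    {"event": "registry_set", "image": DROPPER,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan",
     "details": r"C:\Users\Admin\AppData\Local\Temp\avscan.exe"},
    {"event": "registry_set", "image": r"C:\Windows\SysWOW64\WScript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DJLAPDMX",
     "details": "W_X_C.bat"},
    {"event": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},                   # benign
    {"event": "process_create", "image": r"C:\Windows\SysWOW64\REG.exe",
     "command_line": r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c dir"},                                        # benign
    {"event": "file_create", "image": DROPPER, "target": r"C:\windows\W_X_C.vbs"},
    {"event": "file_create", "image": DROPPER, "target": r"C:\Windows\Temp\cache.tmp"},  # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:<24} {f.image}  {f.detail}")
```

Of the ten constructed events the four benign ones produce nothing; the other six each trip exactly one rule. The explorer.exe exclusion on the Advanced values is the part worth tuning: it keeps Folder Options changes quiet, but anything else that legitimately writes those values in your estate needs to be added to it rather than the rule disabled.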
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 547KB
MD5: e481594d5dc008525a424d94442b99b8
SHA1: f83a63bd6d3d5dff5dffe5fec97e4c4280163189
SHA256: a5ffa38752f3ab799f7a769fca635d9784a6f1b58a183e58aaa0acc6b3d210c4
SHA512: 43c6f21b253de549c3ac1415af03feb3b35a087c1e0c0c572281df48c9ffac9d740fe8ad44f6b3738cda540047282faeb2c3876c68165a132105c775c3919f21

Filesize: 797KB
MD5: 6ef769bbe12775b035b51344f71c4721
SHA1: 55b990a6d65a7c765ccf84a7bdd9c6efc8847bc7
SHA256: ad53cea4576b3668dbaf11978c2fe5210b7f6a67810832ee4303c625060f486e
SHA512: 5f70b006c95120ca0c82343d44d7a370ee9b24420a14670dfd888811bfbffb8d8064aa5155dc7c89434c71a064fdc7380e9b138d8ece567349722238384359b8

Filesize: 1.0MB
MD5: 8879d59b94344a79644e2602a8bf1569
SHA1: 14b64c29314285cba1b179684326b2792789b239
SHA256: 4a8c60f264eb418f67f682301df9f13db3f2415b94c860a2805559d249f471fa
SHA512: e293a472dd6dfa18fa34e2ccc43cb2d6b0b74152a5c4d2a1a25923730170f952018422f8435d2ced4ac64c669c0a47b4e75058a4fcc550ac004170d13de75076

Filesize: 1.3MB
MD5: 47d9a0501be64d936d498f129f198179
SHA1: d09956f920c6e4d65e2dcaed6db3d3a7a1729f89
SHA256: 5c5e3c6ac3a03e81ff233aff377d8fda5b978e91bdc94dbdb8b28907e9ce934c
SHA512: bb5336742da2826272bf5a9e07cba215cd582dd5eae5a58aa6d8bcab02229a2b6e8f249a95d372df0e1d55119f3b191c75375cf484df7fe5527c6b032f151719

Filesize: 1.5MB
MD5: a6c9601580043ded493dc0e6817d0819
SHA1: 4f1971d7ec128a90ebf0299fd27dae3256626077
SHA256: bb2e95e9bc7c7dee9ac4ee22250fc63cb31ad779671f49ccf4928feca9f69891
SHA512: ac05cfc6c5e09e978ae04448be0ee5a625066e383ad795dfa2011a4e0839d67be36bb1bc565bcf4ffa008315bd34440616d4143871cdffb20308290ad3998c48

Filesize: 1.8MB
MD5: 50670a1fc27c6ac715ee663219057445
SHA1: 0025f6fb89c429d5c78b3bb779dddb87f8587ae8
SHA256: 47466cac2f1b91a946d8da22aa82c976ef89b4388b0f2098d637dd4a4678ebe2
SHA512: 4e83ab3d19ff15f1cb087c3e5ab5fa5e6ed725153e5688d13b5a28a4f58dca106f22e34810f8f99101e03ed8047ec8e6990cd84495df4cc343beb211084f38ba

Filesize: 2.0MB
MD5: fc6901d571009c228467b436e0fa39fc
SHA1: 8ccff1d5d23400825b5795ac2819859ac4d98689
SHA256: 0ecb5bb5b1b64f364b7c4a7653bca6af6b3045fa731a6ac2745571f699b16956
SHA512: a2444f054ddb3fb7cf7573e590b677ce8d774370c8f54f9fae0aa033ddb79bbbe71e7519015ec0a8bb6dec6c4cc74f0164df5d9d467d4ba27b3f6e78d800a147

Filesize: 336B
MD5: 4db9f8b6175722b62ececeeeba1ce307
SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Filesize: 195B
MD5: 22f1fd14fe325764dab227173a9f41dd
SHA1: c261874cfc4188ca7143ab388abd013c75ee025a
SHA256: 02c1c47b6a5a4d22b04d36f9f34e3f2f0a1c3153512f8e7aa115c4f60fe7f1ae
SHA512: 1522c988877c80f38833b8fac45ed36850be2eeb6c9d06d00a4baa67c7f85157dd11553ff82ee4cdf38172cffee841e30ca6c93d090bf608b060222549646ed9

Filesize: 249KB
MD5: f5a162d0a8f97fe703169e8f4721f87a
SHA1: 968be97c92f7dfdfd855b1231647a3979a438c8b
SHA256: ffc5ceac8f1fbdb224b91b33d536b78aaa4afd8725ffc622950db368059babdf
SHA512: 331b3eb4fdbb98afc1e8e52cc0d8f9ad77d8d2b524a00aa20b3a731e0a9b684046a8752ac1aeaa7348813a334891af65af30ffe850710d6db8bb69ad7bd71ea6

Filesize: 249KB
MD5: 206f5c6a44a62e3bd068cebf0ecf4b86
SHA1: b75942123859f310e27d35ad7ca8b8e3461072e5
SHA256: 670b2dc3bbf345c068f6b784c6ef1706d6b758a68d9440750a143b029a5c467e
SHA512: 56154ce7ef9ea668c833d893a7213101f25f3d3ca5e8d6bd26157bbdf10015e00c9076333d476b8c79fe24268d86a3fe8bb8a80f5d01743b9ac5a4fe514dbb77

Note: the report does not say which download is which dropped file. The two 249KB artifacts are the same size as the submitted sample but carry different hashes from it and from each other, so hash-only blocking of the original sample will not cover the copies it writes.