Analysis
max time kernel: 152s
max time network: 129s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 16:48
Static task: static1
Behavioral task: behavioral1
Sample: 06914834645d9ab3058300de4c756954.exe
Resource: win7-20231215-en
General
Target: 06914834645d9ab3058300de4c756954.exe
Size: 410KB
MD5: 06914834645d9ab3058300de4c756954
SHA1: 437546390ab6be7ab887e82148ba8b923bedd844
SHA256: 50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67
SHA512: 08869a715d99a8034ee9e473c0c56f8fa4d35afbb67467a4d27ffd9d34f7d32f87a2b1f1141657ce7de27888fdca477af3d4756d6e5799d5dd27b5acbe2ff953
SSDEEP: 12288:3w06cUYTczdkibnD3WUgFooE3cVkO3rHGa6vSoW1:7TUHkibDGencVnHq6f
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   process
  2312  explorer.exe

Executes dropped EXE (3 IoCs)
  pid   process
  2312  explorer.exe
  2664  lsn.exe
  2568  spolsv.exe

Loads dropped DLL (5 IoCs)
  pid   process
  2024  06914834645d9ab3058300de4c756954.exe
  2024  06914834645d9ab3058300de4c756954.exe
  2312  explorer.exe
  2664  lsn.exe
  2664  lsn.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\lsn.exe"
  process: lsn.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                             pid   process       procid_target
  PID 2312 set thread context of 2704     2312  explorer.exe  29
  PID 2568 set thread context of 596      2568  spolsv.exe    32

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process       entries
  2312  explorer.exe  22
  2664  lsn.exe       22
  2568  spolsv.exe    20

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   2024  06914834645d9ab3058300de4c756954.exe
  Token: SeDebugPrivilege   2312  explorer.exe
  Token: SeDebugPrivilege   2664  lsn.exe
  Token: SeDebugPrivilege   2568  spolsv.exe

Suspicious use of WriteProcessMemory (40 IoCs)
  description                          pid   process                                procid_target  entries
  PID 2024 wrote to memory of 2312     2024  06914834645d9ab3058300de4c756954.exe   28             4
  PID 2312 wrote to memory of 2704     2312  explorer.exe                           29             14
  PID 2312 wrote to memory of 2664     2312  explorer.exe                           30             4
  PID 2664 wrote to memory of 2568     2664  lsn.exe                                31             4
  PID 2568 wrote to memory of 596      2568  spolsv.exe                             32             14
Processes

C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\06914834645d9ab3058300de4c756954.exe"
  PID: 2024
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
    PID: 2312
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 3)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      PID: 2704

    C:\Users\Admin\AppData\Local\Temp\System\lsn.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\System\lsn.exe"
      PID: 2664
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe (depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\System\spolsv.exe"
        PID: 2568
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (depth 5)
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          PID: 596
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 70B
MD5: 673c630c339470fb63850411fc5af025
SHA1: 938da03d56e1c206abc0fb7d729855a0a877a103
SHA256: 64b7ba818f2ac7e79037f57649b441d293bde5e213eae6289e1d16b753ecae70
SHA512: 8f51561e75a5acc3bff8a8006fc0934b55884255b4ffd6a43b028f4d1379f74694464a614da94195b3a240abf1756a83cdb399efcef209b75ee37789743a0713

Filesize: 410KB
MD5: 06914834645d9ab3058300de4c756954
SHA1: 437546390ab6be7ab887e82148ba8b923bedd844
SHA256: 50c6eeab65b9c35d55dde8ba5cca1eaba4091d0a5611a353f9561e3e37453e67
SHA512: 08869a715d99a8034ee9e473c0c56f8fa4d35afbb67467a4d27ffd9d34f7d32f87a2b1f1141657ce7de27888fdca477af3d4756d6e5799d5dd27b5acbe2ff953

Filesize: 24KB
MD5: 0aa7e4dd12b1fc4d899bb86b0fd56233
SHA1: 3bbd901ecc48959847deb145da3f3af6dc194afd
SHA256: d1267fc8e53b1cb8cda98eec93daf21ded66ba6ac9c05b0b7315444d459384e9
SHA512: 2f2cd1892ab79a9dba46d1c1d848cd85ec876968b07316ccbda275b88960dc1718da7e4d433c88d0a52d2637bb5c99eda1135529f956e4a54c14f09bbc3f8e11

Filesize: 256KB
MD5: e700070748fcbe30d4e9d3ed51273f9d
SHA1: dfe8247dab82b1a2c765193bfde8702cc3f7f0e2
SHA256: 42dc0bbfbff3c9af5192e22386e0e1ab2a5a4bea3c5cba0787405b81935778b5
SHA512: fd77e6d4283534fa34f72306caa75675d328271d018a6ea7d7a1d7c85b0af6cb9d8cdb0c51f2f668226ab2f09852f87cbede049e8b1b52c47d97de6978a41753