Analysis
Max time kernel: 148s
Max time network: 155s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 24/12/2023, 18:01
Static task: static1
Behavioral task: behavioral1
  Sample: 0a37ecfea5074fff2de431e643e74af0.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0a37ecfea5074fff2de431e643e74af0.exe
  Resource: win10v2004-20231215-en
General
Target: 0a37ecfea5074fff2de431e643e74af0.exe
Size: 693KB
MD5: 0a37ecfea5074fff2de431e643e74af0
SHA1: 4ff3dfa39ae7fd46772c30ff547ed935e134396f
SHA256: 114ad38ef50939dbc71a24923dff65aad0167b7679805d3c3a5a2fd4b6925247
SHA512: 7ee5854e7e3cebf76de910b47f427095c420cd27c227d74cd0c62e44f2adfc429c1abb02391cc7ca15df28a99ce471c4912d4a41fc43e234d78029f330f3c33f
SSDEEP: 12288:tSIzbMSwyUI2buNNqwfVsQV2wWU4dh2hPnmrTVr5i38VeUbBxjv:tSibMSws2SqwGuZUgz3kXjv
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  2492  0a37ecfea5074fff2de431e643e74af0.exe
  2036  0a37ecfea5074fff2de431e643e74af0.exe
  1944  0a37ecfea5074fff2de431e643e74af0.exe
Loads dropped DLL (3 IoCs)
  pid   Process
  1648  0a37ecfea5074fff2de431e643e74af0.exe
  1648  0a37ecfea5074fff2de431e643e74af0.exe
  1648  0a37ecfea5074fff2de431e643e74af0.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\Sample.lnk"
  Process: 0a37ecfea5074fff2de431e643e74af0.exe
Suspicious use of SetThreadContext (1 IoC)
  description: PID 1648 set thread context of 1944
  pid: 1648
  Process: 0a37ecfea5074fff2de431e643e74af0.exe
  procid_target: 35
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process                                  count
  1648  0a37ecfea5074fff2de431e643e74af0.exe     6
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1944  0a37ecfea5074fff2de431e643e74af0.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1648  0a37ecfea5074fff2de431e643e74af0.exe
  Token: SeDebugPrivilege  1944  0a37ecfea5074fff2de431e643e74af0.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2628  DllHost.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1944  0a37ecfea5074fff2de431e643e74af0.exe
Suspicious use of WriteProcessMemory (27 IoCs)
  description                       pid   Process                                  procid_target  count
  PID 1648 wrote to memory of 2976  1648  0a37ecfea5074fff2de431e643e74af0.exe     28             4
  PID 1648 wrote to memory of 2320  1648  0a37ecfea5074fff2de431e643e74af0.exe     30             4
  PID 1648 wrote to memory of 2492  1648  0a37ecfea5074fff2de431e643e74af0.exe     33             4
  PID 1648 wrote to memory of 2036  1648  0a37ecfea5074fff2de431e643e74af0.exe     34             4
  PID 1648 wrote to memory of 1944  1648  0a37ecfea5074fff2de431e643e74af0.exe     35             11
Processes
C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"
  PID: 1648
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\CMD.exe (depth 2)
      Command line: "CMD"
      PID: 2976
    C:\Windows\SysWOW64\CMD.exe (depth 2)
      Command line: "CMD"
      PID: 2320
    C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"
      PID: 2492
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"
      PID: 2036
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"
      PID: 1944
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\DllHost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2628
  - Suspicious use of FindShellTrayWindow
Downloads