Analysis
- max time kernel: 24s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2023, 19:19
Static task: static1
Behavioral task: behavioral1
- Sample: 0cf49225491f58b3d64f4da7bd304e3e.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 0cf49225491f58b3d64f4da7bd304e3e.exe
- Resource: win10v2004-20231215-en
General
- Target: 0cf49225491f58b3d64f4da7bd304e3e.exe
- Size: 285KB
- MD5: 0cf49225491f58b3d64f4da7bd304e3e
- SHA1: bfa01952f5c3cae91f0222e4a5d894b6c37dedfd
- SHA256: 298c67b45d460f8cfa0d054d7be4317d2a81bd79f654dd744466a73505ad8e9d
- SHA512: 0a69aa5dc3defa00cdceafbe0ac92ad1f2b3e278fc06bc596d4d38a08e5175c92e25d00baf609b7481f6d7cc69cb180113bacf5531fe836da766d1517fdf7999
- SSDEEP: 6144:O9j17jjCWXkANmZGceQhAmrf+jTCWdCJqv8+nY:aBjCekoD5QmIaTCWYJqv8+nY
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | 0cf49225491f58b3d64f4da7bd304e3e.exe
Start = 3 is SERVICE_DEMAND_START (Manual), so the Windows Security Center service (wscsvc) no longer starts automatically at boot; the default on a healthy host is 2 (Automatic).
-
Disables taskbar notifications via registry modification
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
YARA rule matches in memory (rule: upx) 8 IoCs
resource | yara_rule
behavioral1/memory/2228-1-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/2228-54-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/1528-56-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/2228-156-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/568-206-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/2228-209-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/2228-326-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/2228-329-0x0000000000400000-0x000000000046A000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\156.exe = "C:\\Program Files (x86)\\LP\\62C3\\156.exe" | 0cf49225491f58b3d64f4da7bd304e3e.exe
The value lands under Wow6432Node because the sample is a 32-bit process running on the x64 image (see the arch:x86 tag and the 0x400000 image base in the memory dumps); when hunting on a 64-bit host, check both the native and the Wow6432Node Run keys.
-
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\LP\62C3\156.exe | 0cf49225491f58b3d64f4da7bd304e3e.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
2228 | 0cf49225491f58b3d64f4da7bd304e3e.exe (14 occurrences, all from the parent process)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeRestorePrivilege | 3016 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3016 | msiexec.exe
Token: SeSecurityPrivilege | 3016 | msiexec.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2228 wrote to memory of 1528 | 2228 | 0cf49225491f58b3d64f4da7bd304e3e.exe | 31 (4 occurrences)
PID 2228 wrote to memory of 568 | 2228 | 0cf49225491f58b3d64f4da7bd304e3e.exe | 32 (4 occurrences)
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | 0cf49225491f58b3d64f4da7bd304e3e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 0cf49225491f58b3d64f4da7bd304e3e.exe
HideSCAHealth = 1 suppresses the Security Center health icon and its tray notifications, so together with the wscsvc change above the user gets no warning that security monitoring has been turned down.
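Added example, not part of the tria.ge report: a PowerShell triage script that checks a suspect host for the registry and file IoCs listed in the Signatures section above. The key paths, value names and values are taken from the report; the function name, the hunt regexes and the assumption that the short hex directory names (62C3, C2379, 3F3C2) are generated per infection and will differ on another host are mine.

```powershell
# Host triage for the IoCs in the sandbox report (added example, assumptions noted inline).
# Run from an elevated PowerShell prompt on the suspect Windows host.

function Find-ReportIoCs {
    $findings = @()

    # 1. Security Center service start type. The sample set Start=3 (Manual);
    #    a healthy host has Start=2 (Automatic).
    $wsc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' `
                            -Name Start -ErrorAction SilentlyContinue
    if ($null -ne $wsc -and $wsc.Start -ne 2) {
        $findings += "wscsvc Start = $($wsc.Start) (expected 2 / Automatic)"
    }

    # 2. Explorer policy that hides the Security Center health icon (HideSCAHealth=1).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                            -Name HideSCAHealth -ErrorAction SilentlyContinue
    if ($null -ne $pol -and $pol.HideSCAHealth -eq 1) {
        $findings += 'Policies\Explorer\HideSCAHealth = 1 (Security Center alerts suppressed)'
    }

    # 3. Run-key persistence. The sample wrote the Wow6432Node view (32-bit process
    #    on x64), so inspect the native, Wow6432Node and per-user Run keys and flag
    #    values pointing into the drop locations seen in the report. Assumption: the
    #    4-5 character hex directory names are random per infection, hence the regex.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $dropPattern = '\\Program Files \(x86\)\\(LP\\)?[0-9A-F]{4,5}\\|\\AppData\\Roaming\\[0-9A-F]{5}\\'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            if ("$($p.Value)" -match $dropPattern) {
                $findings += "$key\$($p.Name) = $($p.Value)"
            }
        }
    }

    # 4. Dropped-payload directories named in the report; hash anything found so it
    #    can be compared against the sample and download hashes above.
    $dropDirs = @(
        "${env:ProgramFiles(x86)}\LP",
        "${env:ProgramFiles(x86)}\C2379",
        "$env:APPDATA\3F3C2"
    )
    foreach ($d in $dropDirs) {
        if (-not (Test-Path -Path $d)) { continue }
        Get-ChildItem -Path $d -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            $findings += "file $($_.FullName) sha256=$h"
        }
    }

    return $findings
}

$hits = Find-ReportIoCs
if ($hits.Count -eq 0) {
    Write-Output 'No IoCs from the report were found on this host.'
} else {
    Write-Output 'Possible match for the analysed sample:'
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

Get-FileHash needs PowerShell 4 or later, so on a Windows 7 host the Windows Management Framework update must be installed first. Treat the wscsvc and HideSCAHealth checks as the durable signals: the directory and file names in the Run value and drop paths look randomly generated, so a second infection by the same family will most likely use different ones.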
Processes
- C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe (PID 2228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe"
  Signatures: Modifies security service; Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe (PID 1528)
    Command line: C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe startC:\Users\Admin\AppData\Roaming\3F3C2\87562.exe%C:\Users\Admin\AppData\Roaming\3F3C2
  - C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe (PID 568)
    Command line: C:\Users\Admin\AppData\Local\Temp\0cf49225491f58b3d64f4da7bd304e3e.exe startC:\Program Files (x86)\C2379\lvvm.exe%C:\Program Files (x86)\C2379
  - C:\Program Files (x86)\LP\62C3\9B84.tmp (PID 892)
    Command line: "C:\Program Files (x86)\LP\62C3\9B84.tmp"
- C:\Windows\system32\msiexec.exe (PID 3016)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 1064)
  Command line: explorer.exe
PIDs 1528 and 568 are the sample re-launching its own image with a start<path>%<directory> argument; these are the two children the parent (PID 2228) wrote into in the WriteProcessMemory IoCs above, so the memory dumps for 1528 and 568 that matched the upx rule carry the same unpacked image as the parent.
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1 signature)
- Create or Modify System Process: Windows Service (1 signature)
Downloads
- Filesize: 996B
  MD5: 7115b394ba60e2086933c2a12137f642
  SHA1: c9f986296271fb4170dd14f2f069f7ede7181dfa
  SHA256: 0956015d9a9587b83f7b23eef32ba45e31ab94461d89a14c56374401adafd1ec
  SHA512: 910723567b91071685422b3e4540df19150665a89b0c03cfd70fee68ffc3ccf1023497e109219ad0b72a7c57ac1157c3690ec99354e1364be9713ee6d12da4d4
- Filesize: 600B
  MD5: b02cf7621a05ffa7e90f11d33318b561
  SHA1: 7d8253f43ae6974441b74be483f7a73606163686
  SHA256: 060a57f372097eaa97f88914f83a19eb760835a1d3f06a7b470dc314edb04552
  SHA512: 8fc5f67fb3f13674f9792c66af612b8d1c454794e6db87b012965ccf18737ec5e159d767dd5199b31083dff5c018b48856e9cc10892a551288ddedb063ec89a5
- Filesize: 300B
  MD5: b98b5bef59efb0d850427037873bff55
  SHA1: 3fbf7fd686e32a98dd64e0cbf87f8611dd6cfc93
  SHA256: 56e655f475704c5b30377c86a7dd970f1e40bd3dbc7853a7edaffc649fa622be
  SHA512: b5a10af448c8bcaec706fd0dd9d3a0e61449371decc53015ec6a0ca7cf02e013cecda08bebb63ca3b44472b177ecef788dee93004cbbf588bb8c03437dd7b298
- Filesize: 29KB
  MD5: 5df47cba4168b5888af6571c03473233
  SHA1: eb713d0eb05ee32639ae72a1ebcba540b539894b
  SHA256: 6af89715a96dddb4f6857a67c2d86b1ebeaf21a9751926bb1baef0fbfcd205ad
  SHA512: a3bdd620b79dabcf6b4f1d6a50ae20e9c8b294b9b16e219f567560d45309d72df724be42eb839d9a292e57867a055dc6cb7196ea858a2b5a644688bcb17bd4a8
- Filesize: 12KB
  MD5: 6ae09e3ec949ecda131b15d596f8c28b
  SHA1: 1452a56c96c94cd2f0d9174b8f680521040f2c7a
  SHA256: 6353731d7986899da04ec611f542ea7b1dc4c4ed16110b977580ee376873214d
  SHA512: 75c4caac36f4ea2f146e3b7fa3036e93d3db33960678d127ecb9e9cf3bfac1f7dd1d1210f3fd6fe08114c7e326c945faf66c2e2928947879bfcf5b8d0beaf81f