Analysis
- max time kernel: 150s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2023, 20:43
Static task: static1
Behavioral task: behavioral1
  Sample: 11a73e92abda63441b770d350c5b1607.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 11a73e92abda63441b770d350c5b1607.exe
  Resource: win10v2004-20231222-en
General
- Target: 11a73e92abda63441b770d350c5b1607.exe
- Size: 58KB
- MD5: 11a73e92abda63441b770d350c5b1607
- SHA1: e7cf35bac96dabf03894283c73ea96872597f7b1
- SHA256: cab4edff3dfee7b58936f9e01a1d06ab944b58bdc9a6442cff6f2625267d3817
- SHA512: 4d85ddb115a99802c0ca04d6077f59d6810caf466c941af76cd4cd48c0608555f76dc5ff8cc38e3013b1ac197d28c320c014641b0db80999b19bb29c8de38cf7
- SSDEEP: 1536:dhk+fFlM3uFqYZdQjxBP52N4yJIbYEp3qMtjqMqMjqMqlqMn:dJMaZdo2NjJAYEpG
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  PID 2512: 11a73e92abda63441b770d350c5b1607.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winuzc32.rom,bqbtSCdh" by 11a73e92abda63441b770d350c5b1607.exe
- Drops file in System32 directory (2 IoCs)
  File created C:\Windows\SysWOW64\winuzc32.rom by 11a73e92abda63441b770d350c5b1607.exe
  File opened for modification C:\Windows\SysWOW64\winuzc32.rom by 11a73e92abda63441b770d350c5b1607.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  PID 2208 (WerFault.exe), pid_target 2512, procid_target 18
- Modifies Internet Explorer settings
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IETld\LowMic by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Zoom by iexplore.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{49766981-A2C8-11EE-B273-4AE60EE50717} = "0" by iexplore.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar by iexplore.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery by iexplore.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\GPU by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser by iexplore.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409631044" by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PageSetup by iexplore.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" by iexplore.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry by iexplore.exe
  Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main by IEXPLORE.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2848: iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2848: iexplore.exe
  PID 2848: iexplore.exe
  PID 2604: IEXPLORE.EXE
  PID 2604: IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (24 IoCs)
  PID 2512 (11a73e92abda63441b770d350c5b1607.exe) wrote to memory of 2396, procid_target 28 (4 entries)
  PID 2396 (cmd.exe) wrote to memory of 2848, procid_target 30 (4 entries)
  PID 2848 (iexplore.exe) wrote to memory of 2604, procid_target 31 (4 entries)
  PID 2512 (11a73e92abda63441b770d350c5b1607.exe) wrote to memory of 2848, procid_target 30 (2 entries)
  PID 2512 (11a73e92abda63441b770d350c5b1607.exe) wrote to memory of 1224, procid_target 5 (2 entries)
  PID 2512 (11a73e92abda63441b770d350c5b1607.exe) wrote to memory of 300, procid_target 32 (4 entries)
  PID 2512 (11a73e92abda63441b770d350c5b1607.exe) wrote to memory of 2208, procid_target 34 (4 entries)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1224
   2. C:\Users\Admin\AppData\Local\Temp\11a73e92abda63441b770d350c5b1607.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\11a73e92abda63441b770d350c5b1607.exe"
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 2512
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c start iexplore -embedding
         - Suspicious use of WriteProcessMemory
         PID: 2396
         4. C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2848
            5. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
               Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2
               - Modifies Internet Explorer settings
               - Suspicious use of SetWindowsHookEx
               PID: 2604
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\fig580F.bat"
         PID: 300
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 140
         - Program crash
         PID: 2208
Network
MITRE ATT&CK Enterprise v15
Downloads