Analysis
- max time kernel: 41s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 21:29
Static task: static1
Behavioral task: behavioral1
- Sample: 3d7eee4357792eacc3168412c01963f0.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 3d7eee4357792eacc3168412c01963f0.exe
- Resource: win10v2004-20231222-en
General
- Target: 3d7eee4357792eacc3168412c01963f0.exe
- Size: 216KB
- MD5: 3d7eee4357792eacc3168412c01963f0
- SHA1: 4a3a7aff126a3a66b4066a858100ffba40154d3b
- SHA256: 31bcedfdd8e21c646e994e320e3931ca3a83f31b3f04fa3e2bbab72f3774fb3e
- SHA512: 03919044f54362ff68eea96807858cc2f5dea03afb00601c0c4c5c7dcb8d145d7e785fb62a3c23058eed4d89e463d96cb75942b41d79b5f14b70137118a67770
- SSDEEP: 6144:uBhrbA1x5PZZKnvmb7/D26g4upEoadEXUqgVWLIg7gd:GA1x5PZZKnvmb7/D26GadEXUqgDg7gd
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description: Set value (int) | ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Process: 3d7eee4357792eacc3168412c01963f0.exe
  description: Set value (int) | ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Process: leupoiy.exe
- Executes dropped EXE (1 IoC)
  pid 2280 | Process: leupoiy.exe
- Loads dropped DLL (2 IoCs)
  pid 2852 | Process: 3d7eee4357792eacc3168412c01963f0.exe
  pid 2852 | Process: 3d7eee4357792eacc3168412c01963f0.exe
- Adds Run key to start application (2 TTPs, 35 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (55 IoCs)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2852 | Process: 3d7eee4357792eacc3168412c01963f0.exe
  pid 2280 | Process: leupoiy.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2852 wrote to memory of 2280 | pid 2852 | Process: 3d7eee4357792eacc3168412c01963f0.exe | procid_target: 28
  description: PID 2852 wrote to memory of 2280 | pid 2852 | Process: 3d7eee4357792eacc3168412c01963f0.exe | procid_target: 28
  description: PID 2852 wrote to memory of 2280 | pid 2852 | Process: 3d7eee4357792eacc3168412c01963f0.exe | procid_target: 28
  description: PID 2852 wrote to memory of 2280 | pid 2852 | Process: 3d7eee4357792eacc3168412c01963f0.exe | procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\3d7eee4357792eacc3168412c01963f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d7eee4357792eacc3168412c01963f0.exe"
  PID: 2852
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\leupoiy.exe
    Command line: "C:\Users\Admin\leupoiy.exe"
    PID: 2280
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
  MD5: e810bf0a0032b0dba3bf57f980041050
  SHA1: c53a63df35e567e248690d8e6a6c51c9de8875f5
  SHA256: f6623440324f764dd362d8a688abcc58e270743701e88918cd999824b09e7c01
  SHA512: 7b931363f67038137ac74027c15e2dd306c5076855985fe1ec45ac757e4c8fefc03b08e5d51c6fa9e0c4a0bb960dc3e878f8005801ef30066995f5710da67e6e
- Filesize: 12KB
  MD5: 003420e78ec6cea2aaed70ea545bc81c
  SHA1: ec601c76536a969442d4b577a0d50e54a7baa46f
  SHA256: b60bb277fe352c4a4eb84c0da0da7b692cbf7357a042d0ee1fc945401ae0ee96
  SHA512: 6f6b08650d0b248e23c6add84ea90bd715c4763cf2a962121a58f7cad2e3c9e1423d6b3a08bba30cbeba65e97147e8992acb2ce0063203531292f3c68dd592cd
- Filesize: 62KB
  MD5: a241f31e58f4cbd4ca8d7fb4bef535bc
  SHA1: 6d130d8d95e049ce2e0defb23b10f02d995b548f
  SHA256: 70d2bddfb290f54e375454f045ada43727475c637004b4eafc7fe2019e4f28b2
  SHA512: 4c3b2ab7754739e67b6aeda1cdd18c8a783ea400a02f409a7eaf7d0135d28ce5f639bf681658610a773dde9c6cbdc22fef56da75a2f5c89a956109f0fbd71388
- Filesize: 73KB
  MD5: e521670ae9458282df59055bec8e921e
  SHA1: 76d5c469c85bf44b8aa8be56c0ea32d6c63ac0ae
  SHA256: 142f27b8959edf26e585a4e1c68c9a0ef2751cb36324cbe8885914f3ae47a1bf
  SHA512: b5b4a00ade6e3337bb37b246e57db5381f60f32046d3ad2d213e7e66a72b3e863f10ee6ee5570617fb33bdba51aba89d97917b960e965014ea664ad03f3effd7
- Filesize: 47KB
  MD5: 4838b803a73d79a775f16e8c20f78016
  SHA1: f168280705ba3a5e612de60d727f8b2f74382a63
  SHA256: 5491dafde314a0d26b894cbec27816d6eff882f7fdbd5a91ea725f3612f884d4
  SHA512: 5cedbea28ad92a899e01de395c946994467d675eaea97a436e0f9e0487a9a525ed10d49240b2b97e551d2ffb9aee2cdc5148203d4ada6543148e1ecbb656769b