Analysis
max time kernel: 127s
max time network: 129s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 01:08
Static task: static1
Behavioral task: behavioral1
  Sample: 1f4dff7c3f155ecf672fcc5258001a5e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1f4dff7c3f155ecf672fcc5258001a5e.exe
  Resource: win10v2004-20231215-en
General
Target: 1f4dff7c3f155ecf672fcc5258001a5e.exe
Size: 72KB
MD5: 1f4dff7c3f155ecf672fcc5258001a5e
SHA1: 28f33ba3ff471cd4979b66049096b3f26034599d
SHA256: 8e39ea0fcd41322b3523eb56e6353e7234e7d4754fb0e8cd48a102e4f7883790
SHA512: 805196d794c37e4f89e35828defce05e42fa30906df64f4d96335668c4dbaac3383e8fab66481c01a677ff0cab37f06731bb842178a1f03090a6bd54bd4b2174
SSDEEP: 1536:73i6EBXlLOUp5/HNi/SZKWcb+sp9NLMXy3i6EP:0LOUp5/HNi/SQ5Csp9NLa
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" by Admin.exe (5 entries)
  Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" by 1f4dff7c3f155ecf672fcc5258001a5e.exe
Drops startup file (7 IoCs)
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe by Admin.exe (5 entries)
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe by 1f4dff7c3f155ecf672fcc5258001a5e.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe by 1f4dff7c3f155ecf672fcc5258001a5e.exe
Executes dropped EXE (5 IoCs)
  PID 2452 Admin.exe
  PID 2888 Admin.exe
  PID 2792 Admin.exe
  PID 2648 Admin.exe
  PID 2624 Admin.exe
Loads dropped DLL (10 IoCs)
  PID 2296 1f4dff7c3f155ecf672fcc5258001a5e.exe (10 entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\system3 = "C:\\Users\\Public\\Documents\\Admin.exe" by 1f4dff7c3f155ecf672fcc5258001a5e.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\system5 = "C:\\ProgramData\\Admin.exe" by 1f4dff7c3f155ecf672fcc5258001a5e.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Admin.exe (56 entries, in report order): \??\E:, \??\N:, \??\U:, \??\L:, \??\A:, \??\V:, \??\Q:, \??\O:, \??\T:, \??\K:, \??\P:, \??\S:, \??\O:, \??\M:, \??\V:, \??\T:, \??\R:, \??\K:, \??\P:, \??\L:, \??\U:, \??\A:, \??\E:, \??\N:, \??\P:, \??\S:, \??\U:, \??\S:, \??\G:, \??\J:, \??\K:, \??\Q:, \??\V:, \??\Q:, \??\R:, \??\J:, \??\M:, \??\B:, \??\A:, \??\B:, \??\G:, \??\K:, \??\N:, \??\B:, \??\E:, \??\I:, \??\N:, \??\E:, \??\A:, \??\U:, \??\H:, \??\M:, \??\R:, \??\O:, \??\Q:, \??\H:
  File opened (read-only) by 1f4dff7c3f155ecf672fcc5258001a5e.exe (8 entries, in report order): \??\O:, \??\R:, \??\L:, \??\J:, \??\P:, \??\U:, \??\H:, \??\S:
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (6 IoCs)
  PID 2296 1f4dff7c3f155ecf672fcc5258001a5e.exe, PID 2452 Admin.exe, PID 2888 Admin.exe, PID 2792 Admin.exe, PID 2648 Admin.exe, PID 2624 Admin.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 2296 1f4dff7c3f155ecf672fcc5258001a5e.exe, PID 2452 Admin.exe, PID 2888 Admin.exe, PID 2792 Admin.exe, PID 2648 Admin.exe, PID 2624 Admin.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2296 (1f4dff7c3f155ecf672fcc5258001a5e.exe) wrote to memory of PID 2452, procid_target 28 (4 entries)
  PID 2296 (1f4dff7c3f155ecf672fcc5258001a5e.exe) wrote to memory of PID 2888, procid_target 29 (4 entries)
  PID 2296 (1f4dff7c3f155ecf672fcc5258001a5e.exe) wrote to memory of PID 2792, procid_target 30 (4 entries)
  PID 2296 (1f4dff7c3f155ecf672fcc5258001a5e.exe) wrote to memory of PID 2648, procid_target 31 (4 entries)
  PID 2296 (1f4dff7c3f155ecf672fcc5258001a5e.exe) wrote to memory of PID 2624, procid_target 32 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\1f4dff7c3f155ecf672fcc5258001a5e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f4dff7c3f155ecf672fcc5258001a5e.exe"
  PID: 2296
  - Modifies visibility of file extensions in Explorer
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe (depth 2)
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
    PID: 2452
    - Modifies visibility of file extensions in Explorer
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
    PID: 2888
    - Modifies visibility of file extensions in Explorer
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

  C:\Users\Public\Documents\Admin.exe (depth 2)
    Command line: "C:\Users\Public\Documents\Admin.exe"
    PID: 2792
    - Modifies visibility of file extensions in Explorer
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Admin.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Admin.exe"
    PID: 2648
    - Modifies visibility of file extensions in Explorer
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

  C:\ProgramData\Admin.exe (depth 2)
    Command line: "C:\ProgramData\Admin.exe"
    PID: 2624
    - Modifies visibility of file extensions in Explorer
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
Downloads