Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2023, 04:42

General

  • Target
    05c2832548779cc63710886b102d4640.exe
  • Size
    101KB
  • MD5
    05c2832548779cc63710886b102d4640
  • SHA1
    4a1a60af539c38b4859275dcdbe0b9b03d3c786c
  • SHA256
    13f84881b5d8c5cde33a4d73a5e348534aa2b03583e96b140488080bad5f7d7a
  • SHA512
    25fbcb6b994f521defca3b71de9a6f3b0789c492f4fb4a07d5af1693ac34f5e0e4ec2ab334bef0d9238347c2c8f24f11cf6502c43f01d6969465b0362ea21c9c
  • SSDEEP
    1536:igYPhQXwIiPrrjThO+lUBrzCxry1ec7rUyj239au7538iJkZVa/4p0ND3Y:FYP2XerzhOUxu/XUtauF8iJkZ84pao

Score
4/10

Malware Config

Signatures

  • Drops file in Program Files directory (26 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (38 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\05c2832548779cc63710886b102d4640.exe
    "C:\Users\Admin\AppData\Local\Temp\05c2832548779cc63710886b102d4640.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files\WindWare\tb.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2816
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "InfoTip" /t REG_SZ /d "淘宝购物特价优惠区" /f
    1⤵
    • Modifies registry class
    PID:2388
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32"
    1⤵
    • Modifies registry class
    PID:2728
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f
    1⤵
    • Modifies registry class
    PID:1684
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f
    1⤵
    • Modifies registry class
    PID:3000
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f
    1⤵
    • Modifies registry class
    PID:2616
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f
    1⤵
    • Modifies registry class
    PID:2640
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder"
    1⤵
    • Modifies registry class
    PID:2628
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\淘宝-购物(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.9281.net/go/taobao.htm" /f
    1⤵
    • Modifies registry class
    PID:2596
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\淘宝-购物(&H)\Command"
    1⤵
    • Modifies registry class
    PID:2580
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\淘宝-购物(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f
    1⤵
    • Modifies registry class
    PID:2560
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\淘宝-购物(&H)"
    1⤵
    • Modifies registry class
    PID:2564
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell" /ve /t REG_SZ /d "淘宝-购物(&H)" /f
    1⤵
    • Modifies registry class
    PID:2620
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell"
    1⤵
    • Modifies registry class
    PID:2676
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
    1⤵
    • Modifies registry class
    PID:2732
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f
    1⤵
    • Modifies registry class
    PID:2824
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "C:\Program Files\Internet Explorer\iedw.ico" /f
    1⤵
    • Modifies registry class
    PID:2360
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon"
    1⤵
    • Modifies registry class
    PID:2588
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}" /v "LocalizedString" /t REG_SZ /d "淘宝-购物" /f
    1⤵
    • Modifies registry class
    PID:2740
  • C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"
    1⤵
    • Modifies registry class
    PID:2844
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C .\tbb.cmd
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\WindWare\iedw.ico
    • Filesize
      14KB
    • MD5
      468fada123f5548ac87e57bae81f6782
    • SHA1
      edb8f012c25906e6afd8bf335b495e16c440243d
    • SHA256
      091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d
    • SHA512
      635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa
  • C:\Program Files\WindWare\tb.vbs
    • Filesize
      127B
    • MD5
      9c06bf76c6711c2366c8895393cc54e1
    • SHA1
      ed3ec44e280dd5840a022e2a878e9d6a0cc2f87a
    • SHA256
      e775e69f73ec09a0024b6f3efd309090cd9ff149fc3bc8a9d0e6faf17e53615d
    • SHA512
      6e8d2a6f403f8c56a242611e3e1c18ae53a80612a58207510f3cc204572243637a3de758e27af213a37ccf6b7dc69c611215c5fb0de0f4f2bcd41fef06ecaf10
  • C:\Program Files\WindWare\tbb.cmd
    • Filesize
      2KB
    • MD5
      2cf45d3fd1abea440d5c3b6bba482e2f
    • SHA1
      28794d41bf5be9710047f70e4ef4663bab63a97c
    • SHA256
      799d3d37249f8254406e120964f6abbd6a7040c46344d60213d1a58050d8f345
    • SHA512
      38af05a303f425324a575ddf94c9f85cf21ef61155b8b9b4eb900636639c3ac4df669cc9490c862f44383d67500b6e569541edf0981790b3588e85c9aa42d1c8