Analysis
- max time kernel: 156s
- max time network: 168s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 05:37
Behavioral task behavioral1
- Sample: 0882034042f4b2c2d9ea830a30536054.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 0882034042f4b2c2d9ea830a30536054.exe
- Resource: win10v2004-20231215-en
General
- Target: 0882034042f4b2c2d9ea830a30536054.exe
- Size: 95KB
- MD5: 0882034042f4b2c2d9ea830a30536054
- SHA1: 909a542a46057eb46fe48ff40b6c0d6157f102bf
- SHA256: 4ee3c4ed238e0b65b0e03e41c1ffe9c4317666dc5841fe8221756b4dd56466b9
- SHA512: 0fb1fc5bb796db23b2d4d4f1b996af907545a722f78a17d56269048797ce20390396af98aa2fd3ba8b7ae421412cc34d09acb40b92a3a3bc71b7166fce35d99a
- SSDEEP: 1536:gtWIGeD2IeDULK4QntaHnO0vRNfldcO3IuCbpZXsH2zhEw2GZsLAPd+9YQLeuhdP:JIB304QV0vRNfldc+wbzuYSw/sYd+9HH
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2420  9DDCFF4D6D4.exe
  2852  A9HC8EA.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  2520  0882034042f4b2c2d9ea830a30536054.exe
  2520  0882034042f4b2c2d9ea830a30536054.exe
  2420  9DDCFF4D6D4.exe
  2420  9DDCFF4D6D4.exe
- YARA rule match (6 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2520-0-0x0000000000330000-0x0000000000388000-memory.dmp     upx
  behavioral1/files/0x000d0000000122dc-11.dat                                   upx
  behavioral1/memory/2520-64-0x0000000000330000-0x0000000000388000-memory.dmp    upx
  behavioral1/memory/2420-37-0x0000000001100000-0x0000000001158000-memory.dmp    upx
  behavioral1/memory/2420-20-0x0000000001100000-0x0000000001158000-memory.dmp    upx
  behavioral1/memory/2520-13-0x0000000001100000-0x0000000001158000-memory.dmp    upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                         Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\3J5F9GYC5F1JXH0DDIMTEVEZSFEYV = "C:\\winsys\\9DDCFF4D6D4.exe /q"  A9HC8EA.exe
- Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
  description      ioc                                                                                                                                     Process
  Key created      \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PhishingFilter                          A9HC8EA.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"            A9HC8EA.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"  A9HC8EA.exe
- Modifies Internet Explorer settings
  description      ioc                                                                                                                                     Process
  Key created      \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery                                A9HC8EA.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"  A9HC8EA.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated identical entries collapsed)
  pid   Process
  2520  0882034042f4b2c2d9ea830a30536054.exe
  2420  9DDCFF4D6D4.exe
  2852  A9HC8EA.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs; repeated identical entries collapsed)
  description               pid   Process
  Token: SeDebugPrivilege   2520  0882034042f4b2c2d9ea830a30536054.exe
  Token: SeDebugPrivilege   2420  9DDCFF4D6D4.exe
  Token: SeDebugPrivilege   2852  A9HC8EA.exe
- Suspicious use of WriteProcessMemory (14 IoCs; repeated identical entries collapsed)
  description                       pid   Process                                procid_target
  PID 2520 wrote to memory of 2420  2520  0882034042f4b2c2d9ea830a30536054.exe   32
  PID 2420 wrote to memory of 2852  2420  9DDCFF4D6D4.exe                        31
  PID 2852 wrote to memory of 2520  2852  A9HC8EA.exe                            18
Processes
- C:\Users\Admin\AppData\Local\Temp\0882034042f4b2c2d9ea830a30536054.exe (PID 2520, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0882034042f4b2c2d9ea830a30536054.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\winsys\9DDCFF4D6D4.exe (PID 2420, depth 2)
    command line: "C:\winsys\9DDCFF4D6D4.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\A9HC8EA.exe (PID 2852, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\A9HC8EA.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 29090b6b4d6605a97ac760d06436ac2d
  SHA1: d929d3389642e52bae5ad8512293c9c4d3e4fab5
  SHA256: 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272
  SHA512: 9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be
- Filesize: 4KB
  MD5: db4994dec26adf9d09a9bab24a2dcca8
  SHA1: 2535863a5e35952b2dabc8068fc139aa0c87a7ab
  SHA256: a298f8b9708d98dfa473426493d6b5d87b58938defab1e3ff7ecfa7adcff1f4e
  SHA512: 71db8ef68660d57c08f135d56fe506ea824a601b3df4e369a0780ec5a58f9480aa2f7a9d5b00a508439b82d92418c20a741807190226066fd15c8a39ff26e5de
- Filesize: 95KB
  MD5: 0882034042f4b2c2d9ea830a30536054
  SHA1: 909a542a46057eb46fe48ff40b6c0d6157f102bf
  SHA256: 4ee3c4ed238e0b65b0e03e41c1ffe9c4317666dc5841fe8221756b4dd56466b9
  SHA512: 0fb1fc5bb796db23b2d4d4f1b996af907545a722f78a17d56269048797ce20390396af98aa2fd3ba8b7ae421412cc34d09acb40b92a3a3bc71b7166fce35d99a