Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
25/12/2023, 10:20
General
-
Target
16c6a18068bb263ad4bfcf73e2f56a07.exe
-
Size
837KB
-
MD5
16c6a18068bb263ad4bfcf73e2f56a07
-
SHA1
dff7575994aa8e29087de27762bc0a440b7ad21d
-
SHA256
26ef94868657fe364fd2ea43f50c0a36bdd9132dcf7c3f73e520bd4bc6e0c0f3
-
SHA512
fe3804396f8f27706aacabb3c1dc6ed065aaced18b44d671f4b2cf229b57addbf34f9b1dedb65f96378603467a58bb01c57a5e92622440e53e5bfbcbd1424483
-
SSDEEP
12288:UZWtI6RkqOB0heZJys73dOvXDpNjNe8XOwOB0heZJys73dOvXDpNjNe8/:UuhaqOieZJ8NI8jOieZJ8NI8/
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Blocks application from running via registry modification 17 IoCs
Adds application to list of disallowed applications.
-
Sets file execution options in registry 2 TTPs 20 IoCs
-
Executes dropped EXE 2 IoCs
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 38 IoCs
-
Drops file in Windows directory 9 IoCs
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Runs net.exe
-
Runs regedit.exe 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\16c6a18068bb263ad4bfcf73e2f56a07.exe"C:\Users\Admin\AppData\Local\Temp\16c6a18068bb263ad4bfcf73e2f56a07.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe start schedule /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop 360timeprot /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360timeprot /y3⤵
-
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\regedit.exeregedit.exe /s C:\Windows\regedt32.sys2⤵
- Modifies visibility of file extensions in Explorer
- Blocks application from running via registry modification
- Sets file execution options in registry
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config wscsvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f2⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f2⤵
-
-
C:\Windows\system\KavUpda.exeC:\Windows\system\KavUpda.exe2⤵
- Executes dropped EXE
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config wscsvc start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet.exe stop 360timeprot /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop srservice /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wuauserv /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop sharedaccess /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wscsvc /y3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 12:32:34 AM C:\Windows\Sysinf.bat3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 12:29:34 AM C:\Windows\Sysinf.bat3⤵
-
-
C:\Windows\SysWOW64\At.exeAt.exe 12:30:32 AM C:\Windows\Help\HelpCat.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config SharedAccess start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet.exe stop srservice /y2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wuauserv /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop sharedaccess /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wscsvc /y2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 12:32:31 AM C:\Windows\Sysinf.bat2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 12:29:31 AM C:\Windows\Sysinf.bat2⤵
-
-
C:\Windows\SysWOW64\At.exeAt.exe 12:30:29 AM C:\Windows\Help\HelpCat.exe2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wscsvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop 360timeprot /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360timeprot /y3⤵
-
-
-
C:\Windows\SysWOW64\net.exenet.exe stop srservice /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wuauserv /y2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop sharedaccess /y2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\16c6a18068bb263ad4bfcf73e2f56a07~4.exe16c6a18068bb263ad4bfcf73e2f56a07~4.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start schedule /y1⤵
-
C:\Windows\SysWOW64\at.exeat 12:29:31 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess /y1⤵
-
C:\Windows\SysWOW64\at.exeat 12:32:31 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop srservice /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc /y1⤵
-
C:\Windows\SysWOW64\net.exenet.exe start schedule /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start schedule /y2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat1⤵
-
C:\Windows\SysWOW64\at.exeat 12:32:34 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop srservice /y1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360timeprot /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop srservice /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv /y1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\at.exeat 12:29:34 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\System32\wuapihost.exeC:\Windows\System32\wuapihost.exe -Embedding1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD5191408b034c8a553a083f9049040b4d1
SHA1083d0d4b0644e073812d0ed82393041a7c4c11c4
SHA25698d5816f74aa6dc0d309bed60816bce693b89b6c84dc531df120b5db9ef1847c
SHA512651abefd0e4ca65e142fe252abbbb8267e8e829121e11724751ea6869249e78952a3611504fa584efdc42e66bf14463dc12586067f1226c6ea9f187fa2759acd
-
Filesize
82B
MD53f7fbd2eb34892646e93fd5e6e343512
SHA1265ac1061b54f62350fb7a5f57e566454d013a66
SHA256e75e8d9bfc7a2876d908305186c3656e9de2a4af7f6927ccc6d8c812645abbc7
SHA51253d40eb2f05a23464fbf06193868e7cb30cf0df3da53586a75123fb2c37b29cdddda287ce134809d16a559d87fb20aee0e8add22d396fcb7a55f9a753739b140
-
Filesize
460B
MD57db3d565d6ddbe65a8b0e093910e7dcd
SHA1d4804e6180c6e74ba79d3343f2f2ccb15e502f12
SHA256a2778cb87fd88c7508ffd506a8ff8d58d0ffc02156f846956e5e99c6cb3d2f3f
SHA5120b3d1d0f44feba9dd78903ff77fdeaea834d930990a86641fb2e4ce04da280d33f6bee0ae0b1320e4070cbe20824062e45b52e5cad797c5985d8e31dce1ef82b
-
Filesize
665KB
MD5c1de55c2044e231e661cded25cf2934b
SHA1d1860a0dc298a5b15d015bfdc281168f04f2d5be
SHA256af5ddcf7a9b4d321c9774b7c665be20b4431fac6d85a87073b0b347d811a25ed
SHA512b65206ec17a60bf6c61e47b7098ff21e417397d891d15ce020bf453f54574e56e0bc0f6b8f31aee55cfd276ad7af35e9142053a9776b1a8ffe5b6544e0ee74e1
-
Filesize
356KB
MD5acb82c01dfc202c94887baa38cfd2278
SHA173eb5ae520d200bc4216552541b092c0c8f5cea7
SHA2565b7dc5a571d6fd50fe31258ddb5d4f6422dec0934d72791ebccf0a6955f5b6f6
SHA512dca46d1bb9f64024889139dc62270f0072c01b9a1a74d265b3e21786b5d21d04494f75fa50bea3ae1bb646b6e2c1ea91f12c5c373ff21e71c6c563f591693c33
-
Filesize
2KB
MD5e7d7ec66bd61fac3843c98650b0c68f6
SHA1a15ae06e1be51038863650746368a71024539bac
SHA2566475d5ecc14fea090774be55723d2d52b7ec7670527a7dbd61edf28c77944cb8
SHA512ac9e9893f5a0af03957731445f63279085f164e9a968d706a99d13012e4459314a7ccc32dc48f62379d69e21a0953c13543c9ded38b5ad5fbc346aa442af1ae6
-
Filesize
40KB
MD5790beab677bd5e2a05d6933f70e6079a
SHA1e65de832d772048ed0dc715cc3d7c2656e22d221
SHA25689e726a7c918d127abbb00034cdcfb3a2b1e34bf7a3afcc298792983b96d2c41
SHA5123b52c07d958dbc23d8d5f818739e7cb0d469e5c61e775828de4205d3d6393b4d5f06739f30116ea29a9518d3f4e00724cf65e008bf02ffc4f82bdb6c705a7b1e
-
Filesize
237B
MD594bcd02c5afd5918b4446345e7a5ded9
SHA179839238e84be225132e1382fae6333dfc4906a1
SHA2565d9f41e4f886926dae2ed8a57807708110d3c6964ab462be21462bff0088d9a1
SHA512149f6bd49fc3b62fa5f41666bfb3a58060514eec1b61c6aa1ac4c75417c840b028e701eb5533460eb00e2fee8543379564bc47d7477264771d81b99a0caab500
-
Filesize
216KB