Analysis
  max time kernel:   140s
  max time network:  122s
  platform:          windows7_x64
  resource:          win7-20231215-en
  resource tags:     arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:         25/12/2023, 12:45
Static task
  static1

Behavioral task
  behavioral1
  Sample:   1f8187292660e4ab4a567f917ed5fee8.exe
  Resource: win7-20231215-en

Behavioral task
  behavioral2
  Sample:   1f8187292660e4ab4a567f917ed5fee8.exe
  Resource: win10v2004-20231215-en
General
  Target:  1f8187292660e4ab4a567f917ed5fee8.exe
  Size:    5.5MB
  MD5:     1f8187292660e4ab4a567f917ed5fee8
  SHA1:    832442b51532bff1a93b62e8a64509d81ea58294
  SHA256:  067454e4c56e421442cd036923c2a8b7f60f4f4ce59f4243160d36f959d1bff1
  SHA512:  be84f01f27898e933be08e5cbe75a2cdf976f5dc99876bf67171fb9c94b25863e41a823aef89ca52c3d87694ca4eb065425b1312a64baea78ca70de673a76330
  SSDEEP:  98304:gvSYro+waPiQjmjP028bc0TtJEJNx5DJXMWbD0nLWI9HJn6wz6+Ln7kr+qrRW6Ja:WpUwjmjc28Imk3jsymJn62t3UE6llYn
Signatures

Modifies Installed Components in the registry (2 TTPs, 9 IoCs)
  description  ioc  Process
  Key deleted  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components  1f8187292660e4ab4a567f917ed5fee8.tmp
  Key deleted  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}  1f8187292660e4ab4a567f917ed5fee8.tmp
  Key deleted  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}  1f8187292660e4ab4a567f917ed5fee8.tmp
  Key deleted  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}  1f8187292660e4ab4a567f917ed5fee8.tmp
  Key deleted  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463C-AFF1-A69D9E530F96}  1f8187292660e4ab4a567f917ed5fee8.tmp
  Key deleted  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}  1f8187292660e4ab4a567f917ed5fee8.tmp
  Key deleted  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11D3-B153-00C04F79FAA6}  1f8187292660e4ab4a567f917ed5fee8.tmp
  Key deleted  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}  1f8187292660e4ab4a567f917ed5fee8.tmp
  Key deleted  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}  1f8187292660e4ab4a567f917ed5fee8.tmp

Executes dropped EXE (1 IoC)
  pid   Process
  3024  1f8187292660e4ab4a567f917ed5fee8.tmp

Loads dropped DLL (4 IoCs)
  pid   Process
  356   1f8187292660e4ab4a567f917ed5fee8.exe
  3024  1f8187292660e4ab4a567f917ed5fee8.tmp
  3024  1f8187292660e4ab4a567f917ed5fee8.tmp
  3024  1f8187292660e4ab4a567f917ed5fee8.tmp

Script User-Agent (3 IoCs)
  Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  5     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  6     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  3     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2804  powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3024  1f8187292660e4ab4a567f917ed5fee8.tmp

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2804  powershell.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                               procid_target
  PID 356 wrote to memory of 3024   356   1f8187292660e4ab4a567f917ed5fee8.exe  28
  PID 356 wrote to memory of 3024   356   1f8187292660e4ab4a567f917ed5fee8.exe  28
  PID 356 wrote to memory of 3024   356   1f8187292660e4ab4a567f917ed5fee8.exe  28
  PID 356 wrote to memory of 3024   356   1f8187292660e4ab4a567f917ed5fee8.exe  28
  PID 356 wrote to memory of 3024   356   1f8187292660e4ab4a567f917ed5fee8.exe  28
  PID 356 wrote to memory of 3024   356   1f8187292660e4ab4a567f917ed5fee8.exe  28
  PID 356 wrote to memory of 3024   356   1f8187292660e4ab4a567f917ed5fee8.exe  28
  PID 3024 wrote to memory of 2764  3024  1f8187292660e4ab4a567f917ed5fee8.tmp  29
  PID 3024 wrote to memory of 2764  3024  1f8187292660e4ab4a567f917ed5fee8.tmp  29
  PID 3024 wrote to memory of 2764  3024  1f8187292660e4ab4a567f917ed5fee8.tmp  29
  PID 3024 wrote to memory of 2764  3024  1f8187292660e4ab4a567f917ed5fee8.tmp  29
  PID 2764 wrote to memory of 2804  2764  cmd.exe                               31
  PID 2764 wrote to memory of 2804  2764  cmd.exe                               31
  PID 2764 wrote to memory of 2804  2764  cmd.exe                               31
  PID 2764 wrote to memory of 2804  2764  cmd.exe                               31
Processes (tree; each entry is spawned by the one above it)

C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe"
  PID: 356
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-44CHU.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-44CHU.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp" /SL5="$5014E,5495633,56832,C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe"
    PID: 3024
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-EIFSI.tmp\ex.bat""
      PID: 2764
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
        PID: 2804
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads