Analysis
- max time kernel: 125s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 12:46
Static task
- static1
Behavioral task
- behavioral1: Sample 1f86a188e113abd36d93f13f5ec8226d.exe, Resource win7-20231129-en
Behavioral task
- behavioral2: Sample 1f86a188e113abd36d93f13f5ec8226d.exe, Resource win10v2004-20231215-en
General
- Target: 1f86a188e113abd36d93f13f5ec8226d.exe
- Size: 240KB
- MD5: 1f86a188e113abd36d93f13f5ec8226d
- SHA1: 30c60924ff5f9a9b7e90a532cb477a804493cbbf
- SHA256: 8e16599b03092046a826a79d53e47d2fa5c8fbfb1e9d78a3ab5b43245350187c
- SHA512: 8a7ea14ba9d7adbb530e6fa23d99af64848ced73f6d7196ed3b4a7f55349a7426aa8f779dbd236d9c2a1939a13f5dc2b7361da37560055c92858e9c5dbf07a4b
- SSDEEP: 6144:fUB3dwqsNwemAB0EqxF6snji81RUinKchhytS3n:0dQQJsU3
Malware Config
Signatures
-
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Both processes set the same value; with ShowSuperHidden = 0, Explorer hides files flagged hidden+system even when "show hidden files" is on.
  Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by 1f86a188e113abd36d93f13f5ec8226d.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by ziinee.exe
- Executes dropped EXE (1 IoC)
  PID 2144 ziinee.exe
- Loads dropped DLL (2 IoCs)
  PID 1220 1f86a188e113abd36d93f13f5ec8226d.exe (2 loads)
- Adds Run key to start application (2 TTPs, 27 IoCs)
  All 27 entries set the same value (str)
  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziinee
  to "C:\\Users\\Admin\\ziinee.exe /<letter>" and differ only in the single-letter switch, listed here in the order the sandbox recorded them:
  by 1f86a188e113abd36d93f13f5ec8226d.exe: /m
  by ziinee.exe: /l, /e, /j, /g, /s, /x, /m, /r, /n, /t, /v, /q, /y, /c, /z, /h, /w, /f, /a, /b, /p, /u, /d, /k, /i, /o
  Every letter a to z appears once among the ziinee.exe writes, so the Run value is rewritten repeatedly with a different switch rather than set once.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1220 1f86a188e113abd36d93f13f5ec8226d.exe (1 event)
  PID 2144 ziinee.exe (63 events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1220 1f86a188e113abd36d93f13f5ec8226d.exe
  PID 2144 ziinee.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1220 (1f86a188e113abd36d93f13f5ec8226d.exe) wrote to memory of PID 2144 (procid_target 28), recorded 4 times.
  Caveat: every write goes from the parent into the child it has just spawned (see the Processes tree). A parent writes into a new child's address space during ordinary process creation, so this signature on its own is not evidence of code injection; a write into an unrelated process would be.
Processes
1. C:\Users\Admin\AppData\Local\Temp\1f86a188e113abd36d93f13f5ec8226d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1f86a188e113abd36d93f13f5ec8226d.exe"
   PID: 1220
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\ziinee.exe (child of PID 1220)
      Command line: "C:\Users\Admin\ziinee.exe"
      PID: 2144
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 240KB
  MD5: 741e7aafac104ffa82a6fabded769d6a
  SHA1: ba5d2c1ac4bbec773ef64db091f553e143fb6921
  SHA256: e012e6b2104ecb30bd08fe9dc46dce75f05c809643a0a46d4bfa6731ca90f5d5
  SHA512: 0273cde2c18126b86fcc190479406cda6a32906df603961d9e4db4967c71629da45ff7e4f4ce8e3eda046ae8c228960e2d31a0c1ceef0debf94adf40ea891025
- Filesize: 65KB
  MD5: 5fd8d567c44c25793832a6b7fbf49fe7
  SHA1: 8976cd00a4d59c127e277cc448fcbc34f84760ba
  SHA256: b3abdeacef21ac46fb53bb20056186ccfcf9e5716a3acc6c0b77cf733b5223a9
  SHA512: 88a3585f583af5b1e7d88e5e4ffaacde7f213453d0695483cd68a3c500114bd8cad08273a39c2dd66a6b2a2472e8d54b9151894e32bfdca2575283e7249610bc