Analysis
max time kernel: 194s
max time network: 30s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 14:42

Behavioral task: behavioral1
Sample: 2669bcf7c0017f24ae73072ce64db9b6.exe
Resource: win7-20231215-en

General
Target: 2669bcf7c0017f24ae73072ce64db9b6.exe
Size: 298KB
MD5: 2669bcf7c0017f24ae73072ce64db9b6
SHA1: 0292296d1591ad7b2072eb78b207190f206a03b5
SHA256: 28f8b5f89ad7d768a542793ec6788e182a5be2d13c27819f0a778cdba7951f1b
SHA512: 9131325f849ba9e91ad2d702f33a6fd91b55847683453346fc6d76a322bcd0b1aaa2b8c47375d542309e889ce2196e2d7ae766e22a48e784dca9bf5fd37580c3
SSDEEP: 6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLqIYP:v6Wq4aaE6KwyF5L0Y2D1PqLa
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  Process: svhost.exe
Executes dropped EXE (1 IoC)
  pid: 1236
  Process: svhost.exe

(signature name not preserved in the source; YARA rule: upx)
  resource                                                                      yara_rule
  behavioral1/memory/2872-0-0x0000000000400000-0x00000000004C2000-memory.dmp     upx
  behavioral1/memory/2872-1-0x0000000000400000-0x00000000004C2000-memory.dmp     upx
  behavioral1/files/0x001000000000b1f5-5.dat                                    upx
  behavioral1/memory/1236-6-0x0000000000400000-0x00000000004C2000-memory.dmp     upx
  behavioral1/files/0x001000000000b1f5-7.dat                                    upx
  behavioral1/files/0x0034000000012337-67.dat                                   upx
  behavioral1/memory/2872-687-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/1236-707-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/2872-714-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
  behavioral1/memory/1236-1304-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1236-1480-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1236-2076-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1236-2918-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1236-3833-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1236-4627-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1236-5608-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1236-6548-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1236-7547-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1236-8876-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1236-9797-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
  behavioral1/memory/1236-10818-0x0000000000400000-0x00000000004C2000-memory.dmp upx
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\u:  svhost.exe
  File opened (read-only)  \??\v:  svhost.exe
  File opened (read-only)  \??\w:  svhost.exe
  File opened (read-only)  \??\y:  svhost.exe
  File opened (read-only)  \??\a:  svhost.exe
  File opened (read-only)  \??\k:  svhost.exe
  File opened (read-only)  \??\h:  svhost.exe
  File opened (read-only)  \??\j:  svhost.exe
  File opened (read-only)  \??\n:  svhost.exe
  File opened (read-only)  \??\t:  svhost.exe
  File opened (read-only)  \??\x:  svhost.exe
  File opened (read-only)  \??\e:  svhost.exe
  File opened (read-only)  \??\g:  svhost.exe
  File opened (read-only)  \??\m:  svhost.exe
  File opened (read-only)  \??\s:  svhost.exe
  File opened (read-only)  \??\b:  svhost.exe
  File opened (read-only)  \??\l:  svhost.exe
  File opened (read-only)  \??\p:  svhost.exe
  File opened (read-only)  \??\q:  svhost.exe
  File opened (read-only)  \??\r:  svhost.exe
  File opened (read-only)  \??\z:  svhost.exe
  File opened (read-only)  \??\i:  svhost.exe
  File opened (read-only)  \??\o:  svhost.exe
AutoIT Executable (15 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                                                      yara_rule
  behavioral1/memory/2872-687-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral1/memory/1236-707-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral1/memory/2872-714-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
  behavioral1/memory/1236-1304-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/1236-1480-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/1236-2076-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/1236-2918-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/1236-3833-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/1236-4627-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/1236-5608-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/1236-6548-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/1236-7547-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/1236-8876-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/1236-9797-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
  behavioral1/memory/1236-10818-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe
Drops file in Windows directory (2 IoCs)
  description                   ioc                    Process
  File created                  C:\Windows\svhost.exe  2669bcf7c0017f24ae73072ce64db9b6.exe
  File opened for modification  C:\Windows\Driver.db   svhost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2872  2669bcf7c0017f24ae73072ce64db9b6.exe
  1236  svhost.exe
  1236  svhost.exe
  1236  svhost.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1236  svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  2872  2669bcf7c0017f24ae73072ce64db9b6.exe
  1236  svhost.exe
  (64 rows in total, all attributed to pid 2872 / 2669bcf7c0017f24ae73072ce64db9b6.exe or pid 1236 / svhost.exe)
Suspicious use of SendNotifyMessage (64 IoCs)
  pid   Process
  2872  2669bcf7c0017f24ae73072ce64db9b6.exe
  1236  svhost.exe
  (64 rows in total, all attributed to pid 2872 / 2669bcf7c0017f24ae73072ce64db9b6.exe or pid 1236 / svhost.exe)

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                               procid_target
  PID 2872 wrote to memory of 1236   2872  2669bcf7c0017f24ae73072ce64db9b6.exe  29
  PID 2872 wrote to memory of 1236   2872  2669bcf7c0017f24ae73072ce64db9b6.exe  29
  PID 2872 wrote to memory of 1236   2872  2669bcf7c0017f24ae73072ce64db9b6.exe  29
  PID 2872 wrote to memory of 1236   2872  2669bcf7c0017f24ae73072ce64db9b6.exe  29
Processes
1. C:\Users\Admin\AppData\Local\Temp\2669bcf7c0017f24ae73072ce64db9b6.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2669bcf7c0017f24ae73072ce64db9b6.exe"
   PID: 2872
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\svhost.exe (child of 1)
      command line: C:\Windows\svhost.exe
      PID: 1236
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 298KB
MD5: 66c91a45c55291d076c7f97b7182c09f
SHA1: f9d9326c8e8c18ede4d7c4d4484313bf31af3d6c
SHA256: 3f48586b0fbcf0a697415fa37f777831eee288edcceca9aa9f7023a5e5b844f7
SHA512: 22cfb08bf33a5cddd4c80628e27ce4ccd30825582d4c69132f183c57b178b681708c37a17560a6d4bbb2428289e1f47c94fda850560741eea19544807575b8ba

Filesize: 82B
MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Filesize: 298KB
MD5: 171e4a295b7160a99ca9ec1613d4a24d
SHA1: 77c896ee903df2e1927eb08195750bd17c26cbc9
SHA256: 4d149968b7ef94990fb36ca605a9238a4dfe534ac3199124074ac312b40c2389
SHA512: 3a4b310a60f3db30a2baa015142fd9bec84df77af440e584d4e3890aa06ee230783a78ad52b66623bfec35e656725886b6004f60b896c1a1407f34d1d837b6f2