Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 04:38
Static task: static1
Behavioral task: behavioral1
  Sample: 54d1ea41db69c34d3704c96515d5b1e9.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 54d1ea41db69c34d3704c96515d5b1e9.exe
  Resource: win10v2004-20231222-en
General
Target: 54d1ea41db69c34d3704c96515d5b1e9.exe
Size: 300KB
MD5: 54d1ea41db69c34d3704c96515d5b1e9
SHA1: 25dada3cbd9b0a683a65df884cd76dc41897d219
SHA256: 71f26ec4de6a595881a1a235e29ffea8a4b0794000ffb780c2fe37e98ca34c76
SHA512: 864a24cb79bbc270cdd49c5fbb81c54f6243be2734b1834842e7219ce47c889e2f4c2b6d0f87326d775029dc87d2c9efbd2fe3f0383a62520cb27a04c988581a
SSDEEP: 6144:RRLLNYTpkl9B1erzj1GY8/xA/iWHhblby8/1CaZSA/7bT0n/yX9:RstkJ1Qzj1GY8u/Nxlbyg1N/fTKyX9
Malware Config
Signatures

Modifies security service (2 TTPs, 2 IoCs)
Both writes set the service Start value to 4 (SERVICE_DISABLED); wuauserv is the Windows Update service and wscsvc is the Security Center service.
  description       ioc                                                                   Process
  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"  regedit.exe
  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"    regedit.exe

Executes dropped EXE (1 IoC)
  pid    Process
  1564   win.exe

Loads dropped DLL (2 IoCs)
  pid    Process
  2860   54d1ea41db69c34d3704c96515d5b1e9.exe
  2860   54d1ea41db69c34d3704c96515d5b1e9.exe

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description         ioc                                                          Process
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    54d1ea41db69c34d3704c96515d5b1e9.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  54d1ea41db69c34d3704c96515d5b1e9.exe
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    win.exe
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  win.exe

Drops file in System32 directory (2 IoCs)
  description                    ioc                            Process
  File created                   C:\Windows\SysWOW64\win.exe    54d1ea41db69c34d3704c96515d5b1e9.exe
  File opened for modification   C:\Windows\SysWOW64\win.exe    54d1ea41db69c34d3704c96515d5b1e9.exe

Suspicious use of SetThreadContext (1 IoC)
  description                           pid    Process                                 procid_target
  PID 2052 set thread context of 2860   2052   54d1ea41db69c34d3704c96515d5b1e9.exe    28

Runs .reg file with regedit (1 IoC)
  pid    Process
  1628   regedit.exe

Suspicious use of WriteProcessMemory (20 IoCs; identical entries are grouped, with the number of occurrences in the last column)
  description                         pid    Process                                 procid_target   entries
  PID 2052 wrote to memory of 2860    2052   54d1ea41db69c34d3704c96515d5b1e9.exe    28              8
  PID 2860 wrote to memory of 2816    2860   54d1ea41db69c34d3704c96515d5b1e9.exe    29              4
  PID 2860 wrote to memory of 1564    2860   54d1ea41db69c34d3704c96515d5b1e9.exe    30              4
  PID 2816 wrote to memory of 1628    2816   cmd.exe                                 31              4
Processes
(indentation shows the parent/child relationship; the depth in the original tree is given in parentheses)

C:\Users\Admin\AppData\Local\Temp\54d1ea41db69c34d3704c96515d5b1e9.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\54d1ea41db69c34d3704c96515d5b1e9.exe"
  PID: 2052
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\54d1ea41db69c34d3704c96515d5b1e9.exe (2)
    Command line: C:\Users\Admin\AppData\Local\Temp\54d1ea41db69c34d3704c96515d5b1e9.exe
    PID: 2860
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (3)
      Command line: cmd /c c:\a.bat
      PID: 2816
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\regedit.exe (4)
        Command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        PID: 1628
        - Modifies security service
        - Runs .reg file with regedit

    C:\Windows\SysWOW64\win.exe (3)
      Command line: C:\Windows\system32\win.exe 480 "C:\Users\Admin\AppData\Local\Temp\54d1ea41db69c34d3704c96515d5b1e9.exe"
      PID: 1564
      - Executes dropped EXE
      - Maps connected drives based on registry
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1
  Filesize: 1KB
  MD5: 895301bce84d6fe707b5cfd50f1f9f97
  SHA1: 50a012f59655621768f624c4571654145663c042
  SHA256: b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4
  SHA512: a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

Dropped file 2
  Filesize: 5KB
  MD5: 0019a0451cc6b9659762c3e274bc04fb
  SHA1: 5259e256cc0908f2846e532161b989f1295f479b
  SHA256: ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
  SHA512: 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904