Analysis
max time kernel: 148s
max time network: 134s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 04:00
Static task: static1
Behavioral task: behavioral1
  Sample: 52722ef3b61a589bfd5c1cb656326f28.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 52722ef3b61a589bfd5c1cb656326f28.exe
  Resource: win10v2004-20231215-en
General
Target: 52722ef3b61a589bfd5c1cb656326f28.exe
Size: 296KB
MD5: 52722ef3b61a589bfd5c1cb656326f28
SHA1: 726b4fce9cb2ac3ed182a10087a6609e36e1573a
SHA256: 6dd6637c3d4f23f97317d7ebb0aba37d6ebaa211e34b0dd35af2350328c8d34f
SHA512: e3f6b9d1f63ad73c91e5243ce89be5e0dbd2a5a9431942beb0866073b0c290dfb0f402c13964db0427744b64e9ca49dd1c9901e7e09f54da1117357c7602fb6a
SSDEEP: 6144:IzMlxFRBhqb7IT4pO6JK/fObT/bGiWtBcMf1YUQiCgfAJDq2ijxLzOwkz:WcxFRQ7IT4pO6JK/fObT/bGiWt/YUQi4
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 52722ef3b61a589bfd5c1cb656326f28.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | voual.exe
Executes dropped EXE (1 IoCs)
pid | process
2528 | voual.exe
Loads dropped DLL (2 IoCs)
pid | process
1644 | 52722ef3b61a589bfd5c1cb656326f28.exe
1644 | 52722ef3b61a589bfd5c1cb656326f28.exe
Adds Run key to start application (2 TTPs, 53 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 1644 52722ef3b61a589bfd5c1cb656326f28.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe 2528 voual.exe -
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
1644 | 52722ef3b61a589bfd5c1cb656326f28.exe
2528 | voual.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | process | procid_target
PID 1644 wrote to memory of 2528 | 1644 | 52722ef3b61a589bfd5c1cb656326f28.exe | 28
PID 1644 wrote to memory of 2528 | 1644 | 52722ef3b61a589bfd5c1cb656326f28.exe | 28
PID 1644 wrote to memory of 2528 | 1644 | 52722ef3b61a589bfd5c1cb656326f28.exe | 28
PID 1644 wrote to memory of 2528 | 1644 | 52722ef3b61a589bfd5c1cb656326f28.exe | 28
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\52722ef3b61a589bfd5c1cb656326f28.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\52722ef3b61a589bfd5c1cb656326f28.exe"
- Modifies visibility of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1644
Level 2 (child of the process above): C:\Users\Admin\voual.exe
Command line: "C:\Users\Admin\voual.exe"
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 2528
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 296KB
MD5: 5e7c28d2e39e1235cfbe381d13ab547f
SHA1: a72f6a96e0e57dac0bd9ee4274751e22f3f3297d
SHA256: c479421b25048770361219c00f9a95db3ff2fafcc80b31c213ea92722d2d2ef3
SHA512: e0539a176f2c0259d37f9c32da9d17fc321fe05f43b18b6b04db08531c2429fae35821c4c93b3a316961650f58a126eca49701c4d22da8f9fd3484cac66a7545