Analysis
- max time kernel: 148s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2023, 08:45
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 60d9309a653f3898838630f35fc52e6d.exe
  - Resource: win7-20231215-en
Behavioral task
- behavioral2
  - Sample: 60d9309a653f3898838630f35fc52e6d.exe
  - Resource: win10v2004-20231215-en
General
- Target: 60d9309a653f3898838630f35fc52e6d.exe
- Size: 204KB
- MD5: 60d9309a653f3898838630f35fc52e6d
- SHA1: 6a88c26a832e404ef907ddd1efeea2d02bd30415
- SHA256: 30a62683bcea037a05153c663bb441ea78110d17a419f4b99b5ce5b437157852
- SHA512: 8b65376e48167aa7ac6209011611e4aaca6192d70059158640f2e5209546772d8d0f20bc1dc1ea81e3cb2875d3d77469efbdd5efad06cae65459f0614bf18596
- SSDEEP: 1536:cz+OokHo1vzxHwxS8l2xNy3tQ9CW5EZWHakMwP9W6uXNh9h1AWa11GBPIdRONd+5:oHo14M0tQ9nLHbB9WTk9+JgqmltN7
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: duereeg.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 60d9309a653f3898838630f35fc52e6d.exe)
- Executes dropped EXE (1 IoCs)
  - PID 2800: duereeg.exe
- Loads dropped DLL (2 IoCs)
  - PID 2228: 60d9309a653f3898838630f35fc52e6d.exe
  - PID 2228: 60d9309a653f3898838630f35fc52e6d.exe
- Adds Run key to start application (2 TTPs, 27 IoCs)
  Every entry is a Set value (str) on \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\duereeg; the value data and the writing process for each are:
  - "C:\\Users\\Admin\\duereeg.exe /m" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /v" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /b" (60d9309a653f3898838630f35fc52e6d.exe)
  - "C:\\Users\\Admin\\duereeg.exe /o" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /r" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /k" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /a" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /e" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /b" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /h" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /p" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /s" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /t" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /c" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /d" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /g" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /l" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /j" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /x" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /z" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /q" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /w" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /y" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /i" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /u" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /n" (duereeg.exe)
  - "C:\\Users\\Admin\\duereeg.exe /f" (duereeg.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 2228: 60d9309a653f3898838630f35fc52e6d.exe (1 entry)
  - PID 2800: duereeg.exe (remaining 63 entries, all identical)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 2228: 60d9309a653f3898838630f35fc52e6d.exe
  - PID 2800: duereeg.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2228 wrote to memory of 2800; process 60d9309a653f3898838630f35fc52e6d.exe; procid_target 28 (this entry is reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\60d9309a653f3898838630f35fc52e6d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60d9309a653f3898838630f35fc52e6d.exe"
  PID: 2228
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\duereeg.exe (child of PID 2228)
    Command line: "C:\Users\Admin\duereeg.exe"
    PID: 2800
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 204KB
  - MD5: 0ab98fd8a1db1b960d40d4db293bd58e
  - SHA1: 2c0ffbb313e116974a0a027a026255096932f8a7
  - SHA256: 4f6e1ab497092f9b71fd51242ca3e31583f0ab36849e422343058663f1c41d73
  - SHA512: 7aefd3106bb5aadf88379064dba1290b30364e61732da69776b7ad2d39362c2fddc65bc50b7af997b3f672fc05a729355afd377ad6e704b0e69c03d91b66d185
- Filesize: 92KB
  - MD5: 21cffd74d3707d27fbdc725a193fe834
  - SHA1: d3bee5ef34e309351293b62b62246e0e94787efd
  - SHA256: 08bc91d23f33347195beba141302eca9b9b076af68b7023d17698c33b752bc8b
  - SHA512: fee8ea3d02866c8cf5e119cd69d26f5413a8bebf6998d8de5aacc5c1a63b3a684513b8e5b28e5c558046c6f232df0cce40fa536f5fd9564e186ed2e1b127ca3f