Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2023, 09:34
Behavioral task behavioral1
- Sample: 6434eaf1e3f70480bc40f1216bc4641f.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 6434eaf1e3f70480bc40f1216bc4641f.exe
- Resource: win10v2004-20231222-en
General
- Target: 6434eaf1e3f70480bc40f1216bc4641f.exe
- Size: 38KB
- MD5: 6434eaf1e3f70480bc40f1216bc4641f
- SHA1: bb7f3d02034b1267724983518cd831d2d4518c1a
- SHA256: 85231a8f5e9c681d7d5e6cdcc19da450eab541ba0c981f3d15322e8abfbb93e7
- SHA512: ea6fdeeaac48418b3af99bde17ae77ac4b4e892a2665d997de4453b80df574bea3440d174b02c62c7c8e47c6bbfcdc39e2cd980b6134f1de81f204a690013496
- SSDEEP: 768:T7WXtbVrCBN29+eiYc3OZ6CV2ZVO8GEDcinf:T7WXtb1Cv+YYc3c65ZVOpUnf
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1052 | .exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2236 | 6434eaf1e3f70480bc40f1216bc4641f.exe
  2236 | 6434eaf1e3f70480bc40f1216bc4641f.exe
- YARA rule match: upx (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2236-0-0x0000000000400000-0x000000000041F000-memory.dmp | upx
  behavioral1/memory/1052-12-0x0000000000400000-0x000000000041F000-memory.dmp | upx
  behavioral1/files/0x000c000000012243-10.dat | upx
  behavioral1/memory/2236-20-0x0000000000400000-0x000000000041F000-memory.dmp | upx
- Drops autorun.inf file (1 TTP, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File created | C:\autorun.inf | 6434eaf1e3f70480bc40f1216bc4641f.exe
  File created | F:\autorun.inf | 6434eaf1e3f70480bc40f1216bc4641f.exe
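The two autorun.inf drops above (system drive root and the F: volume) are the classic removable-media spreading pattern. The report does not show the contents of the dropped file, so the Python below is an added example, not part of the Triage report: it parses a constructed autorun.inf the way Windows reads it (INI syntax, case-insensitive [autorun] section and keys), pulls out every launch directive (open=, shellexecute=, shell\<verb>\command=), and applies the heuristics an analyst would use to judge the target. The sample file, the EXEC_EXT list and the hidden-folder names are the editor's assumptions; the ".exe" target mirrors the empty-basename dropped file seen elsewhere in this report. Since the 2011 AutoRun update (KB971029) Windows 7 no longer honours autorun.inf on non-optical removable media, so the drop mainly pays off on older or unpatched hosts; parsing the file is still the quickest way to learn what it was meant to launch.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample autorun.inf (assumption). The Triage report only records that
# C:\autorun.inf and F:\autorun.inf were created; their contents are not on the page.
# The ".exe" target (empty basename) mirrors the dropped C:\Users\Admin\...\Temp\.exe.
SAMPLE_AUTORUN = """[autorun]
; comment lines are allowed in INF files
open=.exe
shellexecute=.exe
shell\\open\\command=.exe
shell\\explore\\command=.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Removable Disk
useautoplay=1
"""

# Keys whose value the AutoRun handler may execute, plus Explorer verb overrides.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB_RE = re.compile(r"shell\\[^\\]+\\command")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
# Folders worms like to hide payloads in on removable media (editor's assumption).
HIDDEN_DROP_DIRS = {"recycler", "$recycle.bin", "system volume information"}

def parse_autorun(text: str) -> Dict[str, str]:
    """Parse autorun.inf as Windows does: INI syntax, section and key names
    case-insensitive, only the [autorun] section matters. interpolation=None keeps
    %SystemRoot% literal; strict=False tolerates duplicate keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return dict(cp.items(section))  # keys are lower-cased by configparser

def launch_targets(directives: Dict[str, str]) -> List[str]:
    """Every program AutoRun or an overridden Explorer verb could launch."""
    return [v.strip() for k, v in directives.items()
            if k in LAUNCH_KEYS or SHELL_VERB_RE.fullmatch(k)]

def suspicious_reasons(target: str) -> List[str]:
    """Analyst heuristics for one launch target; empty list means nothing notable."""
    reasons: List[str] = []
    if not target.strip():
        return reasons
    program = target.split()[0].strip('"')      # first token is the program
    name = program.rsplit("\\", 1)[-1]
    if not name.lower().endswith(EXEC_EXT):
        return reasons
    stem = name[: name.rfind(".")]
    if not stem:
        reasons.append("empty basename (e.g. '.exe')")
    if "\\" not in program:
        reasons.append("executable launched from the volume root")
    else:
        first_dir = program.lstrip("\\").split("\\")[0].lower()
        if first_dir in HIDDEN_DROP_DIRS:
            reasons.append("hidden system folder used as a drop location")
    return reasons

def scan_autorun(text: str) -> Dict[str, object]:
    """Summarise an autorun.inf: its launch targets and why each looks suspicious."""
    directives = parse_autorun(text)
    targets = launch_targets(directives)
    flags = {t: suspicious_reasons(t) for t in targets}
    return {"directives": directives, "targets": targets, "flags": flags,
            "suspicious": any(flags.values())}

if __name__ == "__main__":
    result = scan_autorun(SAMPLE_AUTORUN)
    for target, reasons in result["flags"].items():
        print(f"{target!r}: {', '.join(reasons) or 'no findings'}")
```

On a real volume, read the file from the drive root (it is usually hidden+system) and run scan_autorun over its bytes decoded as the local ANSI code page; a launch target that is also one of the report's dropped files ties the autorun.inf directly to the sample.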
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 32 IoCs)
  All 32 IoCs are attributed to csrss.exe (PID 1720), a Windows subsystem process that is not part of the sample's process tree; they are hardware-description reads the OS performs itself, not sample activity. Every path is under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System (some rows spell it SYSTEM; registry key names are case-insensitive, so the difference is not significant).
  description | ioc | Process
  Key queried | MultifunctionAdapter\0 | csrss.exe
  Key value queried | MultifunctionAdapter\1\Identifier | csrss.exe
  Key value queried | MultifunctionAdapter\1\Configuration Data | csrss.exe
  Key queried | MultifunctionAdapter\2 | csrss.exe
  Key opened | MultifunctionAdapter\0\KeyboardController\0 | csrss.exe
  Key value queried | MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | csrss.exe
  Key opened | MultifunctionAdapter\0 | csrss.exe
  Key value queried | MultifunctionAdapter\2\Configuration Data | csrss.exe
  Key opened | MultifunctionAdapter\2 | csrss.exe
  Key opened | MultifunctionAdapter\0\KeyboardController | csrss.exe
  Key value queried | MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | csrss.exe
  Key queried | MultifunctionAdapter | csrss.exe
  Key value queried | MultifunctionAdapter\0\Component Information | csrss.exe
  Key value queried | MultifunctionAdapter\0\KeyboardController\0\Component Information | csrss.exe
  Key opened | MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | csrss.exe
  Key opened | MultifunctionAdapter | csrss.exe
  Key value queried | MultifunctionAdapter\0\Configuration Data | csrss.exe
  Key opened | MultifunctionAdapter\1 | csrss.exe
  Key value queried | MultifunctionAdapter\2\Component Information | csrss.exe
  Key value queried | MultifunctionAdapter\0\KeyboardController\0\Identifier | csrss.exe
  Key value queried | MultifunctionAdapter\0\KeyboardController\0\Configuration Data | csrss.exe
  Key value queried | MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | csrss.exe
  Key value queried | MultifunctionAdapter\1\Component Information | csrss.exe
  Key opened | MultifunctionAdapter\1\KeyboardController | csrss.exe
  Key queried | MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
  Key enumerated | MultifunctionAdapter | csrss.exe
  Key enumerated | MultifunctionAdapter\0 | csrss.exe
  Key value queried | MultifunctionAdapter\2\Identifier | csrss.exe
  Key value queried | MultifunctionAdapter\0\Identifier | csrss.exe
  Key queried | MultifunctionAdapter\1 | csrss.exe
  Key queried | MultifunctionAdapter\0\KeyboardController | csrss.exe
  Key opened | MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
- Modifies data under HKEY_USERS (9 IoCs)
  All 9 IoCs are attributed to winlogon.exe (PID 2544), not to the sample: they are the theme and UI-language values Windows writes for the .DEFAULT profile during logon/session changes. Every path is under \REGISTRY\USER\.DEFAULT.
  description | ioc | Process
  Set value (str) | SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | winlogon.exe
  Set value (str) | SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | winlogon.exe
  Set value (str) | SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | winlogon.exe
  Key created | Software\Microsoft\Windows\CurrentVersion\ThemeManager | winlogon.exe
  Set value (str) | SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | winlogon.exe
  Set value (str) | SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | winlogon.exe
  Set value (str) | SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | winlogon.exe
  Set value (str) | SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | winlogon.exe
  Set value (data) | Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 (UTF-16LE "en-US") | winlogon.exe
- Runs net.exe
  The sample (PID 2236) launched "C:\Windows\System32\net.exe" user Admin (PID 2092), which in turn ran net1 user Admin (PID 2436); see Processes below. "net user <name>" prints the details of a local account, here the very account the sample runs under (C:\Users\Admin), so this is local account discovery rather than account modification.
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2236 | 6434eaf1e3f70480bc40f1216bc4641f.exe
  Token: SeShutdownPrivilege | 2236 | 6434eaf1e3f70480bc40f1216bc4641f.exe
  Token: SeShutdownPrivilege | 2236 | 6434eaf1e3f70480bc40f1216bc4641f.exe
  Token: SeDebugPrivilege | 2236 | 6434eaf1e3f70480bc40f1216bc4641f.exe
  Token: SeDebugPrivilege | 1052 | .exe
  Token: SeShutdownPrivilege | 608 | LogonUI.exe
  Token: SeShutdownPrivilege | 608 | LogonUI.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Identical rows are collapsed below with their event count. The first three entries are the sample's own lineage (sample -> dropped .exe, sample -> net.exe -> net1.exe). The csrss.exe and winlogon.exe writes target LogonUI.exe (PID 608), a Windows logon component outside the sample's process tree, and are session-handling noise rather than sample activity. procid_target is Triage's internal process id, not a Windows PID.
  description | pid | Process | procid_target
  PID 2236 wrote to memory of 1052 (4 events) | 2236 | 6434eaf1e3f70480bc40f1216bc4641f.exe | 28
  PID 2236 wrote to memory of 2092 (4 events) | 2236 | 6434eaf1e3f70480bc40f1216bc4641f.exe | 30
  PID 2092 wrote to memory of 2436 (4 events) | 2092 | net.exe | 32
  PID 1720 wrote to memory of 608 (10 events) | 1720 | csrss.exe | 36
  PID 2544 wrote to memory of 608 (3 events) | 2544 | winlogon.exe | 36
Processes
Two details worth noting: the dropped executable's file name is literally ".exe" (empty basename), and net.exe/net1.exe run from C:\Windows\SysWOW64 although their command lines name System32, which is WoW64 file-system redirection for a 32-bit parent (consistent with the arch:x86 resource tag). LogonUI.exe, csrss.exe and winlogon.exe are Windows session components and are not children of the sample.
- C:\Users\Admin\AppData\Local\Temp\6434eaf1e3f70480bc40f1216bc4641f.exe (PID 2236)
  command line: "C:\Users\Admin\AppData\Local\Temp\6434eaf1e3f70480bc40f1216bc4641f.exe"
  signatures: Loads dropped DLL; Drops autorun.inf file; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\.exe (PID 1052)
    command line: C:\Users\Admin\AppData\Local\Temp\.exe
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\net.exe (PID 2092)
    command line: "C:\Windows\System32\net.exe" user Admin
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 2436)
      command line: C:\Windows\system32\net1 user Admin
- C:\Windows\system32\LogonUI.exe (PID 2044)
  command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\csrss.exe (PID 1720)
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  signatures: Enumerates system info in registry; Suspicious use of WriteProcessMemory
- C:\Windows\system32\winlogon.exe (PID 2544)
  command line: winlogon.exe
  signatures: Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\LogonUI.exe (PID 608)
    command line: "LogonUI.exe" /flags:0x0
    signatures: Suspicious use of AdjustPrivilegeToken
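The process tree and the WriteProcessMemory and AdjustPrivilegeToken rows in this report mix two things: the sample's own lineage (2236 -> 1052, 2236 -> 2092 -> 2436) and Windows session plumbing (csrss.exe and winlogon.exe writing into LogonUI.exe 608). The Python below is an added example, not part of the Triage report or its tooling: it transcribes the page's process list and event rows as constructed data, computes the sample's lineage from parent links, separates sample-attributed memory writes from OS noise, collects token privileges per lineage process, flags the net user account-discovery command line, and detects the SysWOW64 redirection that marks the sample as 32-bit. The OS_NOISE_IMAGES set and DISCOVERY_PATTERNS are the editor's assumptions; parent links follow the report's tree indentation.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

class Proc(NamedTuple):
    pid: int
    ppid: Optional[int]  # None for the roots shown in the report's tree
    image: str
    cmdline: str

# Process list transcribed from this report's Processes section (constructed data;
# parent links follow the report's tree indentation).
PROCS: List[Proc] = [
    Proc(2236, None, r"C:\Users\Admin\AppData\Local\Temp\6434eaf1e3f70480bc40f1216bc4641f.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\6434eaf1e3f70480bc40f1216bc4641f.exe"'),
    Proc(1052, 2236, r"C:\Users\Admin\AppData\Local\Temp\.exe", r"C:\Users\Admin\AppData\Local\Temp\.exe"),
    Proc(2092, 2236, r"C:\Windows\SysWOW64\net.exe", r'"C:\Windows\System32\net.exe" user Admin'),
    Proc(2436, 2092, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 user Admin"),
    Proc(2044, None, r"C:\Windows\system32\LogonUI.exe", r'"LogonUI.exe" /flags:0x0'),
    Proc(1720, None, r"C:\Windows\system32\csrss.exe",
         r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 "
         r"Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
         r"ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"),
    Proc(2544, None, r"C:\Windows\system32\winlogon.exe", "winlogon.exe"),
    Proc(608, 2544, r"C:\Windows\system32\LogonUI.exe", r'"LogonUI.exe" /flags:0x0'),
]

# The report's 25 WriteProcessMemory rows collapsed to (writer pid, target pid, event count).
WPM_EVENTS: List[Tuple[int, int, int]] = [
    (2236, 1052, 4), (2236, 2092, 4), (2092, 2436, 4), (1720, 608, 10), (2544, 608, 3),
]
# The report's 7 AdjustPrivilegeToken rows as (pid, privilege).
TOKEN_EVENTS: List[Tuple[int, str]] = [
    (2236, "SeDebugPrivilege"), (2236, "SeShutdownPrivilege"), (2236, "SeShutdownPrivilege"),
    (2236, "SeDebugPrivilege"), (1052, "SeDebugPrivilege"), (608, "SeShutdownPrivilege"),
    (608, "SeShutdownPrivilege"),
]

# Editor's assumption: logon/session components whose mutual memory writes are background noise.
OS_NOISE_IMAGES = {"csrss.exe", "winlogon.exe", "logonui.exe", "smss.exe", "wininit.exe",
                   "services.exe", "lsass.exe"}
# Editor's assumption: command lines worth flagging when they run inside a sample's lineage.
DISCOVERY_PATTERNS = [
    (re.compile(r'\bnet1?(?:\.exe)?"?\s+user\b', re.I), "local account discovery (net user)"),
    (re.compile(r'\bnet1?(?:\.exe)?"?\s+(?:localgroup|group)\b', re.I), "group discovery (net group)"),
    (re.compile(r"\bwhoami\b", re.I), "identity discovery (whoami)"),
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def lineage(procs: List[Proc], root: int) -> Set[int]:
    """All PIDs reachable from root through parent links: the sample's own tree."""
    children: Dict[int, List[int]] = {}
    for p in procs:
        if p.ppid is not None:
            children.setdefault(p.ppid, []).append(p.pid)
    seen: Set[int] = set()
    stack = [root]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children.get(pid, []))
    return seen

def triage(procs: List[Proc], root: int, wpm, tokens) -> Dict[str, object]:
    """Split the report's events into sample-attributed activity and OS noise."""
    by_pid = {p.pid: p for p in procs}
    tree = lineage(procs, root)
    attributed, noise = [], []
    for writer, target, count in wpm:
        both_os = (basename(by_pid[writer].image) in OS_NOISE_IMAGES
                   and basename(by_pid[target].image) in OS_NOISE_IMAGES)
        # A write from outside the lineage between two OS components is noise; anything
        # else (lineage writer, or an unknown writer) stays attributed for review.
        (noise if (writer not in tree and both_os) else attributed).append((writer, target, count))
    privileges: Dict[int, Set[str]] = {}
    for pid, priv in tokens:
        if pid in tree:
            privileges.setdefault(pid, set()).add(priv)
    findings = [(pid, label) for pid in sorted(tree)
                for pat, label in DISCOVERY_PATTERNS if pat.search(by_pid[pid].cmdline)]
    # WoW64 redirects a 32-bit process asking for System32 to SysWOW64; inside the lineage
    # this tells you the sample is 32-bit, matching the report's arch:x86 tag.
    redirected = sorted(p.pid for p in procs if p.pid in tree
                        and "\\syswow64\\" in p.image.lower() and "system32" in p.cmdline.lower())
    return {"lineage": tree, "wpm_attributed": attributed, "wpm_noise": noise,
            "privileges": privileges, "findings": findings, "wow64_redirected": redirected}

if __name__ == "__main__":
    result = triage(PROCS, 2236, WPM_EVENTS, TOKEN_EVENTS)
    print("sample lineage:", sorted(result["lineage"]))
    print("attributed memory writes:", result["wpm_attributed"])
    print("OS-noise memory writes:", result["wpm_noise"])
    print("privileges held in lineage:", result["privileges"])
    print("discovery findings:", result["findings"])
    print("WoW64-redirected PIDs:", result["wow64_redirected"])
```

The same split applies to the registry signatures above: an IoC whose Process column is csrss.exe or winlogon.exe and whose PID is outside the lineage set is OS behaviour, and only the lineage rows belong in the sample's indicator list.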
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 38KB
  MD5: b84f4d30d66b22bbfe3c86ee3bfcda7b
  SHA1: dcc9edbe553b4c15e55df8a7ee7d4403e962d2ff
  SHA256: b3e108bd65af42b1ac999c34420e015c8521cc263b39b829982b21eefb816e2f
  SHA512: 37016c1f9fe9e2409c9516ba86d843fb1980136e30091342094cbcb9f2acf3c8b8239ee5dd15b493f38d32f454b64920a852b852b964821f9e1e95c8dcbaaa69
  (Same 38KB size as the submitted sample, but different hashes.)