Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
26/12/2023, 12:17
General
-
Target
6dde0ef221978abe0a4dc088dc5dde52.exe
-
Size
53KB
-
MD5
6dde0ef221978abe0a4dc088dc5dde52
-
SHA1
cdbe09c9922f34c1f77d29abdf2e83c7704afef7
-
SHA256
f00e4480a92e46fa7a38dcd06c03ba54ddbe61b0edbe5ac303c0eed6453b0f41
-
SHA512
3e17623cb8efbf312f0e480136a27aeefb7d6e87f66c91269296a0b9a38c1f4e06e7019d87570f732524fb7961c8c29e374fc1ee6e404e67ceaf18dcfb3664e4
-
SSDEEP
1536:Yk8s7JfjsCwzvEymEWc94qxdRHdno858c5Fgs0:YkTJfjsCw7FWujxDdnE
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 8 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Discovers systems in the same network 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6dde0ef221978abe0a4dc088dc5dde52.exe"C:\Users\Admin\AppData\Local\Temp\6dde0ef221978abe0a4dc088dc5dde52.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\s4827\smss.exe"C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~2⤵
-
-
C:\Windows\SysWOW64\s4827\winlogon.exe"C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~1⤵
-
C:\Windows\SysWOW64\s4827\services.exe"C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~2⤵
-
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe" /delete /y2⤵
-
-
C:\Windows\SysWOW64\s4827\m4623.exe"C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~2⤵
-
-
C:\Windows\Ad10218\qm4623.exe"C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~2⤵
-
-
C:\Windows\SysWOW64\s4827\lsass.exe"C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Windows\system32\s4827\brdom.bat" "3⤵
-
C:\Windows\SysWOW64\net.exenet view /domain:WORKGROUP4⤵
- Discovers systems in the same network
-
-
-
-
C:\Windows\SysWOW64\s4827\csrss.exe"C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~2⤵
-
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"2⤵
-
-
C:\Windows\SysWOW64\at.exe"C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"2⤵
-
-
C:\Windows\SysWOW64\net.exenet view /domain1⤵
- Discovers systems in the same network
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD56dde0ef221978abe0a4dc088dc5dde52
SHA1cdbe09c9922f34c1f77d29abdf2e83c7704afef7
SHA256f00e4480a92e46fa7a38dcd06c03ba54ddbe61b0edbe5ac303c0eed6453b0f41
SHA5123e17623cb8efbf312f0e480136a27aeefb7d6e87f66c91269296a0b9a38c1f4e06e7019d87570f732524fb7961c8c29e374fc1ee6e404e67ceaf18dcfb3664e4
-
Filesize
128KB
-
Filesize
132KB
-
Filesize
128KB
-
Filesize
132KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
128KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
132KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
56KB
-
Filesize
128KB
-
Filesize
56KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB