Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 14:40
Behavioral task behavioral1
Sample: 764ca431f151e7ccbd3ac45edc55d301.exe
Resource: win7-20231129-en
Behavioral task behavioral2
Sample: 764ca431f151e7ccbd3ac45edc55d301.exe
Resource: win10v2004-20231215-en
General
Target: 764ca431f151e7ccbd3ac45edc55d301.exe
Size: 22KB
MD5: 764ca431f151e7ccbd3ac45edc55d301
SHA1: 4205cf84ce706c67328b3c3595f7d0c972fe53b1
SHA256: c25ff38a472074dce31afd1c4bb0664b478850cf56a893213b7617544a29a16b
SHA512: eb8be6bdecc7928e7e4f01a51e2ac670da46fa41e6f4fc86da7777c190bc581e29b98310e804e40c4c45d860569ddefd168ef7aaeef97b80f85d2d2f9a8a37f8
SSDEEP: 384:OrBsV6vQJ5Xp+VP1ZL39jKOtJ/GI+4fcX+FlmySrsYENRlSd5X:GBNoJ5XcZ1939uOtJeBwmyisYElS3
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule: behavioral1/files/0x0009000000016a29-4.dat (acprotect)
Deletes itself 1 IoCs
pid 3032: cmd.exe
Loads dropped DLL 1 IoCs
pid 2224: 764ca431f151e7ccbd3ac45edc55d301.exe
resource yara_rule (upx):
behavioral1/memory/2224-0-0x0000000000400000-0x0000000000409000-memory.dmp
behavioral1/memory/2224-6-0x0000000010000000-0x0000000010010000-memory.dmp
behavioral1/files/0x0009000000016a29-4.dat
behavioral1/memory/2224-8-0x0000000010000000-0x0000000010010000-memory.dmp
behavioral1/memory/2224-7-0x0000000000400000-0x0000000000409000-memory.dmp
Drops file in System32 directory 1 IoCs
File opened for modification: C:\Windows\SysWOW64\122B901E.dll (764ca431f151e7ccbd3ac45edc55d301.exe)
Drops file in Windows directory 1 IoCs
File opened for modification: C:\Windows\Fonts\cFDPmh3MDPjcHMPd.ttf (764ca431f151e7ccbd3ac45edc55d301.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 7 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC} (764ca431f151e7ccbd3ac45edc55d301.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}\InprocServer32 (764ca431f151e7ccbd3ac45edc55d301.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\122B901E.dll" (764ca431f151e7ccbd3ac45edc55d301.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}\InprocServer32\ThreadingModel = "Apartment" (764ca431f151e7ccbd3ac45edc55d301.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}\InprocServer32 (764ca431f151e7ccbd3ac45edc55d301.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node (764ca431f151e7ccbd3ac45edc55d301.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID (764ca431f151e7ccbd3ac45edc55d301.exe)
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid 2224: 764ca431f151e7ccbd3ac45edc55d301.exe
pid 2224: 764ca431f151e7ccbd3ac45edc55d301.exe
pid 2224: 764ca431f151e7ccbd3ac45edc55d301.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token: SeDebugPrivilege, pid 2224: 764ca431f151e7ccbd3ac45edc55d301.exe (the same entry is repeated for all 64 IoCs)
Suspicious use of SetWindowsHookEx 1 IoCs
pid 2224: 764ca431f151e7ccbd3ac45edc55d301.exe
Suspicious use of WriteProcessMemory 4 IoCs
PID 2224 wrote to memory of 3032 (pid 2224, process 764ca431f151e7ccbd3ac45edc55d301.exe, procid_target 29)
PID 2224 wrote to memory of 3032 (pid 2224, process 764ca431f151e7ccbd3ac45edc55d301.exe, procid_target 29)
PID 2224 wrote to memory of 3032 (pid 2224, process 764ca431f151e7ccbd3ac45edc55d301.exe, procid_target 29)
PID 2224 wrote to memory of 3032 (pid 2224, process 764ca431f151e7ccbd3ac45edc55d301.exe, procid_target 29)
Processes
1. C:\Users\Admin\AppData\Local\Temp\764ca431f151e7ccbd3ac45edc55d301.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\764ca431f151e7ccbd3ac45edc55d301.exe"
   PID: 2224
   - Loads dropped DLL
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2224)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\764CA4~1.EXE >> NUL
      PID: 3032
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 15KB
MD5: 10f11aa05d51d4518346fd89d98f19eb
SHA1: 8d979e85d93ad1a59d819cb2666b3e6d9947bc3f
SHA256: 38c322ff34499f3121024be2c3beb433792f78770102a12dbcf59b5b97ec3348
SHA512: f67c92b6bb4cffa040f7b7575613cdbce8b58ed090221a5ac0f1f2a8bc00d9ba071c423bfcad475f1f6bd9a910d2a9cc76fc0091340d1e05b18b350cf43d3879