Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
36s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
26/12/2023, 14:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
76129ba287ea51cabe3b3f621c8f71af.exe
Resource
win7-20231215-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
76129ba287ea51cabe3b3f621c8f71af.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
76129ba287ea51cabe3b3f621c8f71af.exe
-
Size
716KB
-
MD5
76129ba287ea51cabe3b3f621c8f71af
-
SHA1
e20aea452d879e07ae894faa80dbe8b5fa0e3c86
-
SHA256
e9e41dc3d159cc58a911a186708a114cd035d8e6467578382233ffc97873011f
-
SHA512
7f318cd302dcd132daf47278ca55ac1fceca9b0ea0706c4df6e76f6d9086c05a1fac409114c213fedec7b4159ee63b3cee2394638dcf243d7d9d169e8cfc436f
-
SSDEEP
12288:0Th5z8CoM7Bv0dKdHlS/cnX0Vi6l7wrJsoDibhe:0TAClMdoHlS/cnX0g69wrJ3Dmhe
Score
5/10
Malware Config
Signatures
-
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\superecYa1s2.sys 76129ba287ea51cabe3b3f621c8f71af.exe File created C:\Windows\SysWOW64\superecCI317.sys 76129ba287ea51cabe3b3f621c8f71af.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8B092701-A522-11EE-8D93-6A53A263E8F2} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe -
Suspicious behavior: LoadsDriver 4 IoCs
pid Process 480 Process not Found 480 Process not Found 480 Process not Found 480 Process not Found -
Suspicious use of AdjustPrivilegeToken 38 IoCs
description pid Process Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: 33 2688 76129ba287ea51cabe3b3f621c8f71af.exe Token: SeIncBasePriorityPrivilege 2688 76129ba287ea51cabe3b3f621c8f71af.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1740 iexplore.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2688 76129ba287ea51cabe3b3f621c8f71af.exe 2688 76129ba287ea51cabe3b3f621c8f71af.exe 1740 iexplore.exe 1740 iexplore.exe 2760 IEXPLORE.EXE 2760 IEXPLORE.EXE 2760 IEXPLORE.EXE 2760 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2688 wrote to memory of 1740 2688 76129ba287ea51cabe3b3f621c8f71af.exe 28 PID 2688 wrote to memory of 1740 2688 76129ba287ea51cabe3b3f621c8f71af.exe 28 PID 2688 wrote to memory of 1740 2688 76129ba287ea51cabe3b3f621c8f71af.exe 28 PID 2688 wrote to memory of 1740 2688 76129ba287ea51cabe3b3f621c8f71af.exe 28 PID 1740 wrote to memory of 2760 1740 iexplore.exe 30 PID 1740 wrote to memory of 2760 1740 iexplore.exe 30 PID 1740 wrote to memory of 2760 1740 iexplore.exe 30 PID 1740 wrote to memory of 2760 1740 iexplore.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\76129ba287ea51cabe3b3f621c8f71af.exe"C:\Users\Admin\AppData\Local\Temp\76129ba287ea51cabe3b3f621c8f71af.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" www.9jyx.com2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2760
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5eea809fe0d876b7d89f348085629e60f
SHA1802da04ec0ccaa6c6eeea5a6f3a816ebcccb7ecd
SHA256c79c46087ee5ccc0302e1bf8c4ee5111fb40d9b367f51cd7973fd52d56d3954b
SHA5127dd62635c9cf873df9df706358a44f29ef3c6a0815cac34a1742bd4a5db1bd427d1396a50390e4b323c40d581cdcbe39acbd063721653e8a8b0c763c87cdc3e1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5af25bddd36fc540367ed85303df953f8
SHA17ec7f04cca822a21725ba1fc3e1a9f63fa737872
SHA2567409f169bdae30b7dec9b8cb955653389db86627c19691a5175f4ea0116577e6
SHA51284e239e9fb3ac00a0f91afb92456b3425aa35ebf8d92ac8854b56e702777c892e0b85bb7962325f5c49fe4f0f78c429748c98505b104ac734f5b8aa92b7f6022
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD59974a2d6ff40f44008da66ac5f17eb69
SHA1dcfe5e4cd3a0f4aef07a8de66d7fc1efd455f968
SHA256edcf468f1b508d4367662aed99e13bcbec3b49630a3e5c308dfccd49e0de66ad
SHA512975b725a66a7a482f07e42fe7a86682e8ca908b92456ef5b3d96ae5d67dd1810b2410b0b0f08c77b14868bcd0047b286c49d50cb78a33d13f167b5246caea38d
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06