Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
211s -
max time network
234s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
29/12/2023, 22:08
General
-
Target
05372c03964f5518f75f4437ec3bc43e.exe
-
Size
24KB
-
MD5
05372c03964f5518f75f4437ec3bc43e
-
SHA1
125b39aeea6cf86b83b33749df1ed87a12ea87d8
-
SHA256
34ae2caccb715a14cf00fb02408129b6d41866840ef506e62c27bd74e3463a76
-
SHA512
96cb061a13099f996d9110337fd4643f58db009d0cff584a8368f1bcdff4299f6f0161583718f4320371db57be6aad44af8a395d8516be0fd67b2a38e247a938
-
SSDEEP
768:S6X7x2WJl0hDdwyTY/9fqaUoKWjdwD33e9XtvWsrAF:S6l2W/0hDCiwysKWj99/a
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
-
Sets file execution options in registry 2 TTPs 60 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 52 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05372c03964f5518f75f4437ec3bc43e.exe"C:\Users\Admin\AppData\Local\Temp\05372c03964f5518f75f4437ec3bc43e.exe"1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net stop McShield2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop McShield3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McShield4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop KWhatchsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop KWhatchsvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KWhatchsvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop KPfwSvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop KPfwSvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KPfwSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "McAfee Framework ·þÎñ"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "McAfee Framework ·þÎñ"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "Norton AntiVirus Server"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Norton AntiVirus Server"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Norton AntiVirus Server"4⤵
-
-
-
-
C:\Windows\SysWOW64\360safe.pifC:\Windows\system32\360safe.pif2⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f2⤵
-
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD59ecad0d53a6b0278c451167cf25f6249
SHA123ebb028051006b32b3add8e95c82f923afe1471
SHA25623e6557245f58b4639c91ecdb43d4647c02d614456381b9d712c48316453827d
SHA51281b98deae4ec18cfcdad80b49ce446b474ce0144ff50d287befb40dd0e163b355b8da8ac182281d849b7bc28d626d9619be502144fb8360e516b26a36837676e
-
Filesize
344B
MD5b1b81a2af3ec206e46251ff40d6e6efb
SHA171c1141bb081d9f58d54761f4fd844a3d17ba4fc
SHA256b56c55bd66893d405fb71df3c2a95b19c2bfb765a9d120687baa018638bc25cc
SHA5121c4ff263f72d3a255dfce2f321930035fe9630e74db756cef6566d3be8c67a8f5faaf0712a78716e460dae72def5ecdc4797c9ea81f68f2b3e4852894ee49d6d
-
Filesize
344B
MD5e40de6f636f853e725bb8cb54cc955de
SHA1db95a85534a65007da1245768d6f720edd811d98
SHA2564df6cc06d253d8f61410bce8e0a1193ea641482556f124c45bc8178b5baa9a61
SHA51280eb39ad111579fcfe9e7df4af6e8256f0973b9c0d1bbd24cc15dc352913946e901991117bd4fdd5753b0f21ba8b48b35da334c1f3b21b292020a32d82a6c627
-
Filesize
344B
MD540bd7cf9f4b4fdec6806bf708c778ad4
SHA105791b0c5da1bddf10487cc1509c7a307b4b2d3c
SHA25692da3402be50326f942809c248e1e4f043ec4440a888d999b7afe6e757375511
SHA512f1b8b1dff55701897b5322f48e9c5ced97fc5c099eb8ac6512510f0700cc572199587f4852012c2e98e0edea7f6924b233247823398d98abf1b3cc3969aafd47
-
Filesize
344B
MD5aa4cec4e959cfcd188fd26794438f315
SHA13de62f2ef95f1a8fb7d31cdafd2e2ca7bf61ffdf
SHA2568625bd346a4cd18c488fb225b13527aa9d682847c717afb58a6561cebfdb5865
SHA51203398089316ad54d282928ce0fe06aac6bbb7db4b8b3d88edc22a4f24288fa9e1188674b496b7e3f5408f238b54cc89cbc076983e5e668b7da68ed4ce791846d
-
Filesize
344B
MD59e57fc90ff46c8fb0b345cd66dff2c48
SHA1a5dce421d6897d5dcc4ab6388d59cb16f6bf2ee9
SHA256aa7332d07de0485c8319fa6f516c7997bf41db1e7180a8ab924b90b41b7af139
SHA512060dd843e9a9c9f2a32d1899b22c6bfcf5c587ec8439c4d46cdf54b9f1a6e549c2a61ff3f2b46fbda72d831f3461e2b918800593e7c495a6bc9c5d171121809e
-
Filesize
344B
MD566aab8978b44cc7907349d456fb128bb
SHA14ddb44945c9342040eb30d85fee3db34821129d2
SHA25601a8398d73a1cd766dfc73972828c048de7cd24949e3620334a0ebe6e201656b
SHA512ca0ce5dcdae0958ac5eeb60c619a3b3d5c4c179db760e1232f2dbb2912b8f6ab69689616eff036a0dfdebac065fc3fdcb2096677566a9b83e5026e0510ec9c62
-
Filesize
344B
MD568267d3165a4a7a9ebf8de9480469143
SHA1469955d22fcbe22d04538114260d7d31bed8b1e8
SHA2565b721c0d2b02b52b3fb966c971923504c7a08afcaa71f528fb56519878c33ac4
SHA51283ad795e638f263642c9de7f2e9bf54557a6c4b615c6c6d20704bae8c30d0ef753816776313f02203da0a7e4342339f71332134031a818858d80db61bdd502e8
-
Filesize
344B
MD589b9938fd9cb3cc90a7236c191e22318
SHA13d87d0d867559b5e3386914cfaec6ff99fac525b
SHA2560b975bdb51428403bbe0b5434622e4beae4f461b82e078e6637e4687ec5000b6
SHA512678ec89c1a1b8e9f0f46862b98fb648e108273aa9bc68c39b35d501907ee1ba356a93e0416ad2e94ace318563162d2a1c0577367ec1ca163bb7be2c8f48834db
-
Filesize
344B
MD5d9d594e69e7459bfe898e77f931c568c
SHA1d70092d1580db150943901e93bb2c3d8b62f3e78
SHA25603c0124fbbecb47f1dd2d9fd9aa824753390c4d889261f3abad61e2fb052b8f5
SHA5122f264244272d8277da7604c4de46c3749e3fa396d8f3417ba06e9d13db6796486002d54aaab9b36889bfbdfb9e67e79e981c2857cce8b8535853a98346decf1d
-
Filesize
344B
MD5ee4892825250ab339b2ca924e4ab5211
SHA10700b368dd0aec6b7adc5be003d3073ee3169edf
SHA256c59b11529b7023c9bd4f20936701e00317966205ad84bc2b9f209aed6b7b8798
SHA512bdeb55e306e7ddc6c1dd574c24331b1e3679ac0582f8ff0af916d35ecbf2b03e9d9e5bb31e075fa02b45565eb464144c718a4129227c57572a9e2ba0baf602a8
-
Filesize
344B
MD5d7e14b467fbe7519d486f99c56f5f2d3
SHA11046b00cb15fc00d6ccf12fa99c149f6dbb12e23
SHA2563746ef4557a06fd74266bd3b483965e01c4202cdce9d52b4be5a117dc149a363
SHA5123cf906e71683a94ae1d4e25cca54338e60fc86f67bf3f9bcfeffcb61ac42f5da73e7809775b38a1c45bf4a23f8bcf5c204c36904ec1e9d4e3240bc3b8ee1ad84
-
Filesize
344B
MD5adca294d16aff428a4d594099bc54b8b
SHA12738ff6b6956c13d8d52fe14f877c7950f65ec0d
SHA2560618506809c2385a4b4d415bee365ffbada64010a7307a5325af7abf85369af6
SHA512b25be1b48e0f6f1ddcc080a19644dccb6538cccfee62e30e77f59bb7a513736a30784fb5aaa65e37c3d44a3ad6cfe1a6ac4375f0de74db99f1f7b901fcecb182
-
Filesize
344B
MD5a54d829c256004c36f856283b496f90e
SHA1a47a71e8ca0a75cdc7830cfde9170a00d6d8ca21
SHA25682eb1f02813a085ac00dfe76238a4cfebf0bc744a12995395f9477ad04620f37
SHA512f100ca20644c7fc0163150963b9390ca6589b98363903475b2e1825de58908ba39bc870b19416c0dd8fe63b0729eebbce6299e57fc286ea7c2488dabd0c417d8
-
Filesize
344B
MD5a0af0b718737ff2ad9dfdb61bbeac1e0
SHA11b0392e9075f48128033cf913dd057a3b4984cad
SHA256265cda2e4418536d88a5cd6694dd76ea293f517934442ba975d34e3199f58714
SHA5127d3775ac7d1c0cc5a6866a9054a8c335e59adf48920fe67b6a6464a9a1ad0182cf54009fd03bcbaf07d42106cc02c269c6e6170afdfebc1c83dc3bf157aa2a5d
-
Filesize
344B
MD57107daf24463c9688970e3af481b68b9
SHA15eebbfd9d0910d83d5322432320003cdb0f58ff3
SHA2561b7a660f81349208790eccdef0340b04ba2f7793673fb5bc95d386eb586361cf
SHA5128722286966fc027a4aa8f4019e4471e2c48569db6314f77b1aa848a487ff63037df6a9fa18c65ddab103c33efe9febb4d19dd828a913abd9c46af2e368250f60
-
Filesize
344B
MD5886f0ac833e8bb0140b252fffe7b9179
SHA18a0e5f6f3d19525c7875153af6979fefbe8845ba
SHA256af67f0901348b87974304d229cd49ccab3f70bbcf71df52ace7e9a9d3494aac0
SHA512857e98037f0645b8060cefee6db6c6820972324ad9d03be188a15a4f1f5340a67882f8c599e20b5bc04cfbbc6ff62d196722764433e0321dfcaa7f35ca772205
-
Filesize
344B
MD5d744fcfca23dabc956d31421d3262350
SHA17f01a866f003918e5ea4b32d55ffff9d54302354
SHA256e6540037ebe0a7b6a385f81893299cf2984d72372460a41bd251c5feffa17a72
SHA512a2319f6d55bee99e86befc8f385555e1266670f57c9726c3faa89ed0e8f0e909e122da01841a18d865bda208adcc115fa82b97d86342ddd7e363f54e1e4ccd30
-
Filesize
344B
MD5f0c5b46058e3538da5af9e6dfe9406ff
SHA1dece2f0ecedf2d569d77d134630149380c0c36be
SHA256d0f103f7791a860fcbe0cbeb174790a31cf54c94c5ac63527b748668e40c7994
SHA512d7acfaa381733a036ff7ee80b80a94abcf88f5ba2ebe4100d03fcb168d85a4d24df0bd85d3264eabcdd2ac9f7a3e3aedaf6092020e705da5fa626a958af85753
-
Filesize
344B
MD5da8a14d752a4d6b605521fb11ad49303
SHA1f7468d99a4b15af3c1b259a2d2d6debc0c020415
SHA256ae8e09bbc645f00f3f7d27ae91c88ef77954659fac65c085dd9631a550750e3c
SHA51223739f53fab9eab6d6c75bb8fffb04e803413bbeafbc35dd8e3444b06e24a48674d609982af0a94b4dff46814fcfe6051b7c62275f78a77f4b6a5cf8d16b2792
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
4KB
MD521030b4622c2d5fa072346e408c71918
SHA19687c92d5afb5a342a9afa8e34a451d8724c84bc
SHA2560a115ea56b1eaa9c9f26302027dcc6f788156eae9f346fc6fe74dd877193f701
SHA512915150eff3679d7cc2d7915de1bf91396b9db30716ac796b89f7d49484383a5ab1cdd815faec5b1004d438126e7f1560737b7b9f8c35efb5b3d8abf9304deda4
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
256KB
-
Filesize
256KB