Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
29/12/2023, 21:32
Static task
static1
Behavioral task
behavioral1
Sample
0480e4cfa319fada861bad6fdcae6475.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
0480e4cfa319fada861bad6fdcae6475.exe
Resource
win10v2004-20231215-en
General
-
Target
0480e4cfa319fada861bad6fdcae6475.exe
-
Size
116KB
-
MD5
0480e4cfa319fada861bad6fdcae6475
-
SHA1
0f7d5ab1f91894d04acfedb15ba387e9ed34da08
-
SHA256
98ba0eace481b0462e7e306f87b151a9445f6e71f676a97a9bdab77d643bc1fd
-
SHA512
7056d7945a7e606a9df1220b9720ee9e5484f18c26be364d64c76398979625862471447d7ecd4256c948b7f9e3298e14b28290f6e8fcbbb5817691276c7829c6
-
SSDEEP
3072:Afcl+7jQq3piXYkXzwwj2vvO9fCvou/tGWZfVwMS:l/kuwlvW9JCfn
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process
2396 netsh.exe -
Executes dropped EXE 1 IoCs
pid Process
2884 helloserv.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\helloserv = "C:\\Windows\\helloserv.exe" 0480e4cfa319fada861bad6fdcae6475.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process
File created C:\Program Files\7-Zip\ helloserv.exe -
Drops file in Windows directory 4 IoCs
description ioc Process
File created C:\Windows\helloserv.exe 0480e4cfa319fada861bad6fdcae6475.exe
File opened for modification C:\Windows\helloserv.exe 0480e4cfa319fada861bad6fdcae6475.exe
File created C:\Windows\helloserv.config helloserv.exe
File opened for modification C:\Windows\helloserv.config helloserv.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
748 0480e4cfa319fada861bad6fdcae6475.exe
2884 helloserv.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target
PID 748 wrote to memory of 2884 748 0480e4cfa319fada861bad6fdcae6475.exe 28
PID 748 wrote to memory of 2884 748 0480e4cfa319fada861bad6fdcae6475.exe 28
PID 748 wrote to memory of 2884 748 0480e4cfa319fada861bad6fdcae6475.exe 28
PID 748 wrote to memory of 2884 748 0480e4cfa319fada861bad6fdcae6475.exe 28
PID 2884 wrote to memory of 2396 2884 helloserv.exe 29
PID 2884 wrote to memory of 2396 2884 helloserv.exe 29
PID 2884 wrote to memory of 2396 2884 helloserv.exe 29
PID 2884 wrote to memory of 2396 2884 helloserv.exe 29
PID 2884 wrote to memory of 2296 2884 helloserv.exe 30
PID 2884 wrote to memory of 2296 2884 helloserv.exe 30
PID 2884 wrote to memory of 2296 2884 helloserv.exe 30
PID 2884 wrote to memory of 2296 2884 helloserv.exe 30
PID 2884 wrote to memory of 2704 2884 helloserv.exe 32
PID 2884 wrote to memory of 2704 2884 helloserv.exe 32
PID 2884 wrote to memory of 2704 2884 helloserv.exe 32
PID 2884 wrote to memory of 2704 2884 helloserv.exe 32
PID 2704 wrote to memory of 2584 2704 w32tm.exe 36
PID 2704 wrote to memory of 2584 2704 w32tm.exe 36
PID 2704 wrote to memory of 2584 2704 w32tm.exe 36
PID 2704 wrote to memory of 2584 2704 w32tm.exe 36
PID 2296 wrote to memory of 2844 2296 w32tm.exe 35
PID 2296 wrote to memory of 2844 2296 w32tm.exe 35
PID 2296 wrote to memory of 2844 2296 w32tm.exe 35
PID 2296 wrote to memory of 2844 2296 w32tm.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\0480e4cfa319fada861bad6fdcae6475.exe
command line: "C:\Users\Admin\AppData\Local\Temp\0480e4cfa319fada861bad6fdcae6475.exe"
level 1, PID:748
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  C:\Windows\helloserv.exe
  command line: "C:\Windows\helloserv.exe"
  level 2, PID:2884
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
    command line: netsh firewall set allowedprogram "C:\Windows\helloserv.exe" enable
    level 3, PID:2396
    - Modifies Windows Firewall
    C:\Windows\SysWOW64\w32tm.exe
    command line: w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
    level 3, PID:2296
    - Suspicious use of WriteProcessMemory
      C:\Windows\system32\w32tm.exe
      command line: w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
      level 4, PID:2844
    C:\Windows\SysWOW64\w32tm.exe
    command line: w32tm /config /update
    level 3, PID:2704
    - Suspicious use of WriteProcessMemory
      C:\Windows\system32\w32tm.exe
      command line: w32tm /config /update
      level 4, PID:2584
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Downloads
-
Filesize
4KB
MD5
38d59937bbd46b23c247a402f75049a2
SHA1
a69a9418b8e50f7978f0915bffe22f1fcb53d405
SHA256
3fadb9c588d88e23f51bd735ad9a3af35e54557cdc973d2875cf875971a1bcad
SHA512
40642a8de875bc98e225e6da94a114199100430dc74a5f8425e21d1364c60fefc59c3f165a1f7502190bdbc1389626353bc1b3801ae897232a4cdcb5a7280802
-
Filesize
47KB
MD5
b90c69ff65de2b3224b15d3893924349
SHA1
ed9a11da19bf6cd752b51591964c33332851c33e
SHA256
d63f3d495e8e0763fb7e4f8d9a7b8560df2d1a13d9704bf4049fb80db619bf04
SHA512
8a27e63dfa2308c66259a2df129fbb7d1fcaa6be521bfe5b7b91753f2caea47e96cecd10f2e8f26efbcfaa5f807aafb458f7115d318d7d44381eacb334521f22
-
Filesize
3KB
MD5
d9d7d818d527898b34adafccd5c3e3f6
SHA1
5b9a284df4f2174b3e624ab4d6bcea211759600d
SHA256
e0f3f1fe46d34a16ac8a9a59b53c46384987c295b7cb47ab2ab04e69da10fca8
SHA512
6abe77a44b46ca267b8c8307eb7d56e3d1fee536a763ebb450c8f18800021d0db80a68feb89bf77d0f22fb542f064450d52fea7fbcf7dd9a166e44dbc38a05b1
-
Filesize
116KB
MD5
0480e4cfa319fada861bad6fdcae6475
SHA1
0f7d5ab1f91894d04acfedb15ba387e9ed34da08
SHA256
98ba0eace481b0462e7e306f87b151a9445f6e71f676a97a9bdab77d643bc1fd
SHA512
7056d7945a7e606a9df1220b9720ee9e5484f18c26be364d64c76398979625862471447d7ecd4256c948b7f9e3298e14b28290f6e8fcbbb5817691276c7829c6