Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 23:07
Static task: static1
Behavioral task: behavioral1
- Sample: 067ba288422ed06e7bbfe92d7bceb129.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 067ba288422ed06e7bbfe92d7bceb129.exe
- Resource: win10v2004-20231215-en
General
- Target: 067ba288422ed06e7bbfe92d7bceb129.exe
- Size: 427KB
- MD5: 067ba288422ed06e7bbfe92d7bceb129
- SHA1: 711669a6c3bb5e2daac6ea996aaba6ea26d91210
- SHA256: 9e96468ff41f5fcb81f7a5f39d86ab8162d35262f480a2c248cb2e31e87dfeef
- SHA512: d3533d842d9dbf16ca8c1d67f8711c7edf4e24411bb61cfb5db269208f5caa78a9cf0b6a3da0607163be1503fa7ddc73a48295ad75064582d515a74f9018b5fb
- SSDEEP: 12288:oVpY1/9nodor6yO4vJ958ShthAT6GlUQLt66:oS/9ncx47DohlUQQ6
Malware Config
Signatures
- Executes dropped EXE (10 IoCs)
  pid   Process
  2604  wins.exe
  2664  wins.exe
  2252  wins.exe
  2672  wins.exe
  876   wins.exe
  2736  wins.exe
  2984  wins.exe
  1212  wins.exe
  580   wins.exe
  2072  wins.exe
- Identifies Wine through registry keys (2 TTPs, 11 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc                                                                        Process
  Key opened   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine  067ba288422ed06e7bbfe92d7bceb129.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine  wins.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine  wins.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine  wins.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine  wins.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine  wins.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine  wins.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine  wins.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine  wins.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine  wins.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine  wins.exe
- Loads dropped DLL (20 IoCs)
  pid   Process
  3016  067ba288422ed06e7bbfe92d7bceb129.exe
  3016  067ba288422ed06e7bbfe92d7bceb129.exe
  2604  wins.exe
  2604  wins.exe
  2664  wins.exe
  2664  wins.exe
  2252  wins.exe
  2252  wins.exe
  2672  wins.exe
  2672  wins.exe
  876   wins.exe
  876   wins.exe
  2736  wins.exe
  2736  wins.exe
  2984  wins.exe
  2984  wins.exe
  1212  wins.exe
  1212  wins.exe
  580   wins.exe
  580   wins.exe
- Drops file in System32 directory (22 IoCs)
  description                   ioc                            Process
  File created                  C:\Windows\SysWOW64\wins.exe   wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe   wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe   067ba288422ed06e7bbfe92d7bceb129.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe   wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe   wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe   wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe   wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe   wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe   wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe   wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe   067ba288422ed06e7bbfe92d7bceb129.exe
  File created                  C:\Windows\SysWOW64\wins.exe   wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe   wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe   wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe   wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe   wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe   wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe   wins.exe
  File created                  C:\Windows\SysWOW64\wins.exe   wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe   wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe   wins.exe
  File opened for modification  C:\Windows\SysWOW64\wins.exe   wins.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  description                        pid   Process                               procid_target
  PID 3016 wrote to memory of 2604   3016  067ba288422ed06e7bbfe92d7bceb129.exe  28
  PID 3016 wrote to memory of 2604   3016  067ba288422ed06e7bbfe92d7bceb129.exe  28
  PID 3016 wrote to memory of 2604   3016  067ba288422ed06e7bbfe92d7bceb129.exe  28
  PID 3016 wrote to memory of 2604   3016  067ba288422ed06e7bbfe92d7bceb129.exe  28
  PID 2604 wrote to memory of 2664   2604  wins.exe                              29
  PID 2604 wrote to memory of 2664   2604  wins.exe                              29
  PID 2604 wrote to memory of 2664   2604  wins.exe                              29
  PID 2604 wrote to memory of 2664   2604  wins.exe                              29
  PID 2664 wrote to memory of 2252   2664  wins.exe                              30
  PID 2664 wrote to memory of 2252   2664  wins.exe                              30
  PID 2664 wrote to memory of 2252   2664  wins.exe                              30
  PID 2664 wrote to memory of 2252   2664  wins.exe                              30
  PID 2252 wrote to memory of 2672   2252  wins.exe                              31
  PID 2252 wrote to memory of 2672   2252  wins.exe                              31
  PID 2252 wrote to memory of 2672   2252  wins.exe                              31
  PID 2252 wrote to memory of 2672   2252  wins.exe                              31
  PID 2672 wrote to memory of 876    2672  wins.exe                              34
  PID 2672 wrote to memory of 876    2672  wins.exe                              34
  PID 2672 wrote to memory of 876    2672  wins.exe                              34
  PID 2672 wrote to memory of 876    2672  wins.exe                              34
  PID 876 wrote to memory of 2736    876   wins.exe                              35
  PID 876 wrote to memory of 2736    876   wins.exe                              35
  PID 876 wrote to memory of 2736    876   wins.exe                              35
  PID 876 wrote to memory of 2736    876   wins.exe                              35
  PID 2736 wrote to memory of 2984   2736  wins.exe                              36
  PID 2736 wrote to memory of 2984   2736  wins.exe                              36
  PID 2736 wrote to memory of 2984   2736  wins.exe                              36
  PID 2736 wrote to memory of 2984   2736  wins.exe                              36
  PID 2984 wrote to memory of 1212   2984  wins.exe                              37
  PID 2984 wrote to memory of 1212   2984  wins.exe                              37
  PID 2984 wrote to memory of 1212   2984  wins.exe                              37
  PID 2984 wrote to memory of 1212   2984  wins.exe                              37
  PID 1212 wrote to memory of 580    1212  wins.exe                              38
  PID 1212 wrote to memory of 580    1212  wins.exe                              38
  PID 1212 wrote to memory of 580    1212  wins.exe                              38
  PID 1212 wrote to memory of 580    1212  wins.exe                              38
  PID 580 wrote to memory of 2072    580   wins.exe                              39
  PID 580 wrote to memory of 2072    580   wins.exe                              39
  PID 580 wrote to memory of 2072    580   wins.exe                              39
  PID 580 wrote to memory of 2072    580   wins.exe                              39
Processes (each numbered entry is a child of the entry above it)
1. C:\Users\Admin\AppData\Local\Temp\067ba288422ed06e7bbfe92d7bceb129.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\067ba288422ed06e7bbfe92d7bceb129.exe"
   PID: 3016
   - Identifies Wine through registry keys
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\wins.exe
     Command line: C:\Windows\system32\wins.exe 652 "C:\Users\Admin\AppData\Local\Temp\067ba288422ed06e7bbfe92d7bceb129.exe"
     PID: 2604
     - Executes dropped EXE
     - Identifies Wine through registry keys
     - Loads dropped DLL
     - Drops file in System32 directory
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\wins.exe
       Command line: C:\Windows\system32\wins.exe 696 "C:\Windows\SysWOW64\wins.exe"
       PID: 2664
       - Executes dropped EXE
       - Identifies Wine through registry keys
       - Loads dropped DLL
       - Drops file in System32 directory
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\wins.exe
         Command line: C:\Windows\system32\wins.exe 692 "C:\Windows\SysWOW64\wins.exe"
         PID: 2252
         - Executes dropped EXE
         - Identifies Wine through registry keys
         - Loads dropped DLL
         - Drops file in System32 directory
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\SysWOW64\wins.exe
           Command line: C:\Windows\system32\wins.exe 704 "C:\Windows\SysWOW64\wins.exe"
           PID: 2672
           - Executes dropped EXE
           - Identifies Wine through registry keys
           - Loads dropped DLL
           - Drops file in System32 directory
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\wins.exe
             Command line: C:\Windows\system32\wins.exe 700 "C:\Windows\SysWOW64\wins.exe"
             PID: 876
             - Executes dropped EXE
             - Identifies Wine through registry keys
             - Loads dropped DLL
             - Drops file in System32 directory
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\SysWOW64\wins.exe
               Command line: C:\Windows\system32\wins.exe 688 "C:\Windows\SysWOW64\wins.exe"
               PID: 2736
               - Executes dropped EXE
               - Identifies Wine through registry keys
               - Loads dropped DLL
               - Drops file in System32 directory
               - Suspicious use of WriteProcessMemory
              8. C:\Windows\SysWOW64\wins.exe
                 Command line: C:\Windows\system32\wins.exe 708 "C:\Windows\SysWOW64\wins.exe"
                 PID: 2984
                 - Executes dropped EXE
                 - Identifies Wine through registry keys
                 - Loads dropped DLL
                 - Drops file in System32 directory
                 - Suspicious use of WriteProcessMemory
                9. C:\Windows\SysWOW64\wins.exe
                   Command line: C:\Windows\system32\wins.exe 712 "C:\Windows\SysWOW64\wins.exe"
                   PID: 1212
                   - Executes dropped EXE
                   - Identifies Wine through registry keys
                   - Loads dropped DLL
                   - Drops file in System32 directory
                   - Suspicious use of WriteProcessMemory
                  10. C:\Windows\SysWOW64\wins.exe
                      Command line: C:\Windows\system32\wins.exe 716 "C:\Windows\SysWOW64\wins.exe"
                      PID: 580
                      - Executes dropped EXE
                      - Identifies Wine through registry keys
                      - Loads dropped DLL
                      - Drops file in System32 directory
                      - Suspicious use of WriteProcessMemory
                    11. C:\Windows\SysWOW64\wins.exe
                        Command line: C:\Windows\system32\wins.exe 724 "C:\Windows\SysWOW64\wins.exe"
                        PID: 2072
                        - Executes dropped EXE
                        - Identifies Wine through registry keys
                        - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 102KB
  MD5: 4a4ef513e3f59157811e8a2334354bf5
  SHA1: 30e926d8981ca11715cad32622908721f77e25ad
  SHA256: cd7ab81d715f2f0b13ff9e0b9bf2af95e4c3e6f4edd7025401d83f99b936f7f6
  SHA512: 65f3cbb0c8c965ffdb0a678c37ddb72e2871e565d85580e798d24b1ec5d0820735d8f254e69ab3166757e4c1c644d0195f4d99c4aa91385a29fac0147da79691
- Filesize: 318KB
  MD5: 63b5451c174a54d9cf6d7bb5a90882b0
  SHA1: a04e7e8a5280e94bb7989d6cf703541e1f0cec69
  SHA256: 44f5c8e19a2b51ec234c0964c15da9312d7af3f1618e527e41ace8cf059c7723
  SHA512: ca2d7aaa62de14615ba25a84e8bf340aac59ecb1d52072766a5b817c1c1914c48593b3d35d81d22091de37c39f0d75f9fb5129c5a6ea95422dfc46df4a579b57
- Filesize: 427KB
  MD5: 067ba288422ed06e7bbfe92d7bceb129
  SHA1: 711669a6c3bb5e2daac6ea996aaba6ea26d91210
  SHA256: 9e96468ff41f5fcb81f7a5f39d86ab8162d35262f480a2c248cb2e31e87dfeef
  SHA512: d3533d842d9dbf16ca8c1d67f8711c7edf4e24411bb61cfb5db269208f5caa78a9cf0b6a3da0607163be1503fa7ddc73a48295ad75064582d515a74f9018b5fb
- Filesize: 384KB
  MD5: 50d13f17fc273afca86038fb1bbb0279
  SHA1: a94c615c51f9408d3b98f2c09960242521ec43ec
  SHA256: d89e164384dcd3a4dc82c946d785adec22c335e8f1b3cd16472eff3ddd6ce1b4
  SHA512: 5cd2f6bf721b51a6e2c6e023f11406d386d0bf59360da186e4936ecc41e3a84f4a364a0a4342b1c1db6c49ec1bbdf71f319a59b0de6a869dda4f7794db2dee7f
- Filesize: 382KB
  MD5: 98411063c3a7ae6f55df42780561d090
  SHA1: 7521f15f607dbd4b24e7fb90bee6a5244ee2709b
  SHA256: 481e31a15451c763f7f3b377536ab8d2ffcad10d38efc09e5193b31b0ba6a040
  SHA512: 989ccef33928fd94bc6bee18d3c2ceb64f4ee15fb52b6c323100114b74fc73a900c987f1bbab816085810a20ebea421af078b8a586a6365eceec3e07cdec5d28
- Filesize: 320KB
  MD5: f877a28d7635d1f2f5f636cd0c662ae8
  SHA1: d33ce69c7ebdd888549fe40f824cb0ec0db81d7b
  SHA256: 3c69f76bca6060a06e6d713c3ef5f129b692762856720404788e9d548d0ef8f6
  SHA512: 6c035ba1b9fbe977282648833c18fcdfb2cda8fc4c035f9234e6b30242ebd4ee6e9203b196753c96f596a877e2c74106c50f45e2343c0ad54126408d0a051a49