Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 18:25
Static task
- static1: 1 signatures

Behavioral task
- behavioral1
  Sample: 00629951d043913541372c919403c1e7.exe
  Resource: win7-20231215-en
  5 signatures, 150 seconds

Behavioral task
- behavioral2
  Sample: 00629951d043913541372c919403c1e7.exe
  Resource: win10v2004-20231215-en
  5 signatures, 150 seconds
General
- Target: 00629951d043913541372c919403c1e7.exe
- Size: 448KB
- MD5: 00629951d043913541372c919403c1e7
- SHA1: 985eccddbd42f63bd2bca0bee90fc34507a7f61e
- SHA256: 39b7b640eba9c29b8d45fd1c4c2dcbfc30f7247b090207ec26191f789e507efa
- SHA512: f6a30f5b6f1f6649f73da73dda5152e28993c8a9a3dda6181e6f765b2f8c0c048ce115c093ff409ebf31df5b3bd839e84555d2b8c598fa74850564aeaa01e07a
- SSDEEP: 6144:8h5IVKmFs4Hb4I2HIEi+nPHawdn0/JRSerTWIdeFjkZM6jI7F1eZ9A3R:45IVKCsC4IsKRFqIQFjkZM6jI7TeZ2
- Score: 10/10
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 8 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\00629951d043913541372c919403c1e7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\00629951d043913541372c919403c1e7.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
- Modifies registry key (1 TTPs, 4 IoCs)
  pid | Process
  2572 | reg.exe
  2368 | reg.exe
  2848 | reg.exe
  2844 | reg.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  All 35 entries have pid 2888, Process 00629951d043913541372c919403c1e7.exe; description (Token) for each entry:
  Token: 1
  Token: SeCreateTokenPrivilege
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeLockMemoryPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: SeMachineAccountPrivilege
  Token: SeTcbPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeCreatePermanentPrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeAuditPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeSyncAgentPrivilege
  Token: SeEnableDelegationPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 31
  Token: 32
  Token: 33
  Token: 34
  Token: 35
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2888 | 00629951d043913541372c919403c1e7.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (32 IoCs; each row below appears 4 times in the report)
  description | pid | Process | procid_target
  PID 2888 wrote to memory of 1756 | 2888 | 00629951d043913541372c919403c1e7.exe | 28
  PID 2888 wrote to memory of 2124 | 2888 | 00629951d043913541372c919403c1e7.exe | 29
  PID 2888 wrote to memory of 2692 | 2888 | 00629951d043913541372c919403c1e7.exe | 31
  PID 2888 wrote to memory of 2776 | 2888 | 00629951d043913541372c919403c1e7.exe | 33
  PID 1756 wrote to memory of 2844 | 1756 | cmd.exe | 39
  PID 2692 wrote to memory of 2848 | 2692 | cmd.exe | 38
  PID 2124 wrote to memory of 2572 | 2124 | cmd.exe | 36
  PID 2776 wrote to memory of 2368 | 2776 | cmd.exe | 37
Processes
- C:\Users\Admin\AppData\Local\Temp\00629951d043913541372c919403c1e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00629951d043913541372c919403c1e7.exe"
  PID: 2888
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    PID: 1756
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2844
      - Modifies firewall policy service
      - Modifies registry key

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\00629951d043913541372c919403c1e7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\00629951d043913541372c919403c1e7.exe:*:Enabled:Windows Messanger" /f
    PID: 2124
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\00629951d043913541372c919403c1e7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\00629951d043913541372c919403c1e7.exe:*:Enabled:Windows Messanger" /f
      PID: 2572
      - Modifies firewall policy service
      - Modifies registry key

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    PID: 2692
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      PID: 2848
      - Modifies firewall policy service
      - Modifies registry key

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
    PID: 2776
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
      PID: 2368
      - Modifies firewall policy service
      - Modifies registry key