Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 19:22
Static task: static1
Behavioral task: behavioral1
- Sample: 01902ed02184df361f01e1d57012489b.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 01902ed02184df361f01e1d57012489b.exe
- Resource: win10v2004-20231222-en
General
- Target: 01902ed02184df361f01e1d57012489b.exe
- Size: 242KB
- MD5: 01902ed02184df361f01e1d57012489b
- SHA1: 03de274d683d18c90349fc5f4a3fb9072af62c0b
- SHA256: ec5b0c2e8f8d189266ac2a4aa3eb156491e74364d0818fefb6cb374f3f6d19aa
- SHA512: 90a7699b5fe04e05c5b3139253504dbb3f186bce22d6ea6f8b1fe5f8e0c82e46529fb00290524b9538fb9a39924e83ec2d142e43b82fda2f42eba52615685ac5
- SSDEEP: 6144:J1yUN7pmPUk9VMwXHOCgs+ej/4+zBNnmjf5WWjU:JQ8pQ96w+ns+GwoNnm
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 01902ed02184df361f01e1d57012489b.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | isass.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 01902ed02184df361f01e1d57012489b.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | isass.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  2752 | isass.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  1680 | 01902ed02184df361f01e1d57012489b.exe
  1680 | 01902ed02184df361f01e1d57012489b.exe

Modifies system executable filetype association (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 01902ed02184df361f01e1d57012489b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | isass.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\imscmig = "C:\\Windows\\imscmig.exe" | 01902ed02184df361f01e1d57012489b.exe

Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\isass.exe | 01902ed02184df361f01e1d57012489b.exe
  File opened for modification | C:\Windows\SysWOW64\isass | isass.exe
  File created | C:\Windows\SysWOW64\isass.exe | isass.exe
  File created | C:\Windows\SysWOW64\isass.exe | 01902ed02184df361f01e1d57012489b.exe

Modifies registry class (2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 01902ed02184df361f01e1d57012489b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | isass.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1680 wrote to memory of 2752 | 1680 | 01902ed02184df361f01e1d57012489b.exe | 14
  PID 1680 wrote to memory of 2752 | 1680 | 01902ed02184df361f01e1d57012489b.exe | 14
  PID 1680 wrote to memory of 2752 | 1680 | 01902ed02184df361f01e1d57012489b.exe | 14
  PID 1680 wrote to memory of 2752 | 1680 | 01902ed02184df361f01e1d57012489b.exe | 14
Processes

- C:\Windows\SysWOW64\isass.exe
  Command line: C:\Windows\system32\isass.exe C:\Users\Admin\AppData\Local\Temp\01902ed02184df361f01e1d57012489b.exe
  PID: 2752
  Signatures:
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Modifies registry class

- C:\Users\Admin\AppData\Local\Temp\01902ed02184df361f01e1d57012489b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01902ed02184df361f01e1d57012489b.exe"
  PID: 1680
  Signatures:
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads

- Filesize: 92KB
  MD5: 55898b5a0ff7f8519160fcd04bcf54cc
  SHA1: d3fcd65d59eeecbe97043df27736b7e7583778db
  SHA256: 8c7cf9466e35a0c36b74a00bbd70c7c45600dae4fadede80a401077c89408daf
  SHA512: 7e815409988b1158c36a706c398076f70ddf764e632527ee92e314b8c1d67f0cc911647575094ea2a2ff966fd430959bff2486296b0c62be2a3a621cc17c1f4b

- Filesize: 242KB
  MD5: 01902ed02184df361f01e1d57012489b
  SHA1: 03de274d683d18c90349fc5f4a3fb9072af62c0b
  SHA256: ec5b0c2e8f8d189266ac2a4aa3eb156491e74364d0818fefb6cb374f3f6d19aa
  SHA512: 90a7699b5fe04e05c5b3139253504dbb3f186bce22d6ea6f8b1fe5f8e0c82e46529fb00290524b9538fb9a39924e83ec2d142e43b82fda2f42eba52615685ac5