Analysis
- max time kernel: 151s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 04:43
Static task: static1
Behavioral task: behavioral1
- Sample: 0ee02abbf2a7107306915404b4d6aa93.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0ee02abbf2a7107306915404b4d6aa93.exe
- Resource: win10v2004-20231215-en
General
- Target: 0ee02abbf2a7107306915404b4d6aa93.exe
- Size: 150KB
- MD5: 0ee02abbf2a7107306915404b4d6aa93
- SHA1: 4d12f351845d8cff3143997ee7467d1bf498f714
- SHA256: afeecdbb6d7d67484194f15f3b62fdf176c26ac98b3ad074d9e0861a4cbd0b63
- SHA512: f3bb009b760edd14a27aa00c90c21782ae075b689acca2ae6e580706e6c11592a6846c61856feee5a4c7f2e11f073ef219166a5224007450bd5f794d633ecad0
- SSDEEP: 3072:necu88h/2yroutqzAoU+WuKurV9GqZghAs10jLAH:nech8oyroSqvU+WlY8p0jLAH
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  2 | 2076 | rundll32.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WindowsDriver\Parameters\ServiceDll = "C:\\Windows\\system32\\WindowsDriver.dll" | 0ee02abbf2a7107306915404b4d6aa93.exe
- Deletes itself (1 IoC)
  pid | Process
  2840 | cmd.exe
- Loads dropped DLL (6 IoCs)
  pid | Process
  2392 | 0ee02abbf2a7107306915404b4d6aa93.exe
  2716 | svchost.exe
  2076 | rundll32.exe
  2076 | rundll32.exe
  2076 | rundll32.exe
  2076 | rundll32.exe
- Drops file in System32 directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\IEo.txt | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\IEHost2.txt | 0ee02abbf2a7107306915404b4d6aa93.exe
  File opened for modification | C:\Windows\SysWOW64\IETimes.txt | 0ee02abbf2a7107306915404b4d6aa93.exe
  File opened for modification | C:\Windows\SysWOW64\WindowsDriver.dll | 0ee02abbf2a7107306915404b4d6aa93.exe
  File created | C:\Windows\SysWOW64\Uninstall alexa.exe | 0ee02abbf2a7107306915404b4d6aa93.exe
  File opened for modification | C:\Windows\SysWOW64\IEHost2.txt | rundll32.exe
  File opened for modification | C:\Windows\SysWOW64\IETimes.txt | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 2392 | 0ee02abbf2a7107306915404b4d6aa93.exe
  Token: SeDebugPrivilege | 2716 | svchost.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2392 wrote to memory of 2840 | 2392 | 0ee02abbf2a7107306915404b4d6aa93.exe | 29
  PID 2392 wrote to memory of 2840 | 2392 | 0ee02abbf2a7107306915404b4d6aa93.exe | 29
  PID 2392 wrote to memory of 2840 | 2392 | 0ee02abbf2a7107306915404b4d6aa93.exe | 29
  PID 2392 wrote to memory of 2840 | 2392 | 0ee02abbf2a7107306915404b4d6aa93.exe | 29
  PID 2716 wrote to memory of 2076 | 2716 | svchost.exe | 30
  PID 2716 wrote to memory of 2076 | 2716 | svchost.exe | 30
  PID 2716 wrote to memory of 2076 | 2716 | svchost.exe | 30
  PID 2716 wrote to memory of 2076 | 2716 | svchost.exe | 30
  PID 2716 wrote to memory of 2076 | 2716 | svchost.exe | 30
  PID 2716 wrote to memory of 2076 | 2716 | svchost.exe | 30
  PID 2716 wrote to memory of 2076 | 2716 | svchost.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\0ee02abbf2a7107306915404b4d6aa93.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ee02abbf2a7107306915404b4d6aa93.exe"
  PID: 2392
  Signatures: Sets DLL path for service in the registry; Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0EE02A~1.EXE > nul
    PID: 2840
    Signatures: Deletes itself
- C:\Windows\SysWOW64\svchost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k WindowsDriver
  PID: 2716
  Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe c:\windows\system32\windowsdriver.dll, ServiceMain
    PID: 2076
    Signatures: Blocklisted process makes network request; Loads dropped DLL; Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 17.8MB
  MD5: 52f0624098674298eeedb80bdb38aebc
  SHA1: 7fa4d8f06bbe176489aa5e79e036ca63d65cc1c6
  SHA256: 7f0d635d82194de2c57bca4457eb48a0c37a81764cb724db38001c9ecfdd06b6
  SHA512: bf4ad8582fe068385f750e326f755d4e7d780e3de7578fba15843a186b3846fda3f0c6b4258fc1f6ff615b2ceae32e1604807daabf0808882a8c5877714180f4
- Filesize: 5KB
  MD5: 9bf96f2e3dccb1d57295068cedaae0a5
  SHA1: 44d5a873f2acf0988877f88ae61e93070ba280b9
  SHA256: 0ab113aa05ed6326b3e38fec1dc7142ce7764eacd03fa8af4f1f6351d43966e2
  SHA512: 0077f7ff1fc171d63d6df9c96d7d5836b5762000aeab6ead3d182c2c5097235c57219cef666c0254d63a7542ea67f7d98bfe0d22992f6e2607fd154789e31ce2
- Filesize: 44.2MB
  MD5: ded189b87c53b9d1c81a11c41b81cf96
  SHA1: 279037f8aebda9fdef1046a0c67e63b53545c4e1
  SHA256: 6bf934ec566a9f48ef9aa1b6a08c4462dda47bf6c07956be798feed77c437888
  SHA512: be4df7436b2817a0d244def179d2a56abc0f45765098aa0c4adb75864faa55c03a898a70488efbd18ae97c72cc9ef1cd3e1d05fb3c08811dba81d606bf30b9e2
- Filesize: 3.3MB
  MD5: 008dfd53236280ca9cbe8c14540809f4
  SHA1: 90f4a208c280c1c291f63367dc813f196c653629
  SHA256: c210382ee9b99d4e9975f0e91ca8d14c198d77c1eb5df4c049f87a49e8646bcd
  SHA512: 497fd8eb689da9fb47ac6e0c9b7c8eb3612d2c71d0e11831907e2e933d9750fe8933e91b51440be319238a09eb649cca08b617b0668cdecdca0a6baee2cb97bb
- Filesize: 2.6MB
  MD5: b04fd48c8347b6ae5169e77b740fd7ea
  SHA1: 4f50e2436869b42b31c464cbed9b074d25eef233
  SHA256: a1c2bfc0de63aa73b1dc20a98b20751afdd457cac63defc18b8b3eb48312dcd2
  SHA512: 7ffc32d437181371c6655041f0812ac34f21b658df40592a8fed861be9aa9e3717a12bc232ce0f0a0be7a63ac8c73b0424817d9c62753c395031ef418317b2e7
- Filesize: 1.3MB
  MD5: 13b40b7bbac90764a3c6bbcd89f52c39
  SHA1: 80e30e64d95ba680f0572a1e34c3400bf4b09bcd
  SHA256: 5ce3457981abbf1aafb1f5c64cbb67a3ce88e5ec6965bddddeff0ec104344b55
  SHA512: a54455ac10fb1d29a70ccfddf6ab915e4fd980c0b19804bbde8432f580b2a92d55b84d233a114e099ccde2d289b5b62550bb93b461dfd04c9e6ab702633811a2
- Filesize: 1.5MB
  MD5: 6e55413898d53c2ad1bc808686b546df
  SHA1: d05785ab3fb8c291f6cf6fea2783c9b742e685ba
  SHA256: 78a95bc034f6575136d13e6fd27cbacf4f6403465b450838331a04d3a3e98e9f
  SHA512: ed98344146cc5c6744a67e542f0487aada855ae2bcc847cf2c87142f935cc0a19192f948f2e7c8dd55dceef86c8ce44e8569e481af59b26413b2d3ca428123ee