Analysis
max time kernel: 55s
max time network: 138s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 08:37

Behavioral tasks
behavioral1: sample 1392f2f4e3fcc90faf09d722e4059f0a.exe on resource win7-20231215-en
behavioral2: sample 1392f2f4e3fcc90faf09d722e4059f0a.exe on resource win10v2004-20231215-en
The signatures, memory dumps and process tree on this page all come from behavioral1 (Windows 7 x64); no behavioral2 results are shown here.
General
Target: 1392f2f4e3fcc90faf09d722e4059f0a.exe
Size: 688KB
MD5: 1392f2f4e3fcc90faf09d722e4059f0a
SHA1: 3e1a946887bbab52bc3f5064cc6b038aea0b8854
SHA256: 60bc5f9ac42e9bc88f810dcd2f370cf8f938542c90a42a42eaef4331812a6d54
SHA512: 1be6db21f06edf882ed16d8e2008753cddf60936c5223ad90549e94199ba6617edd2ac5da2cb5f842d3895b8379cc32787780988e7091886ae21e32b600b7629
SSDEEP: 12288:IjkArEN249AyE/rbaMct4bO2/VQ2Rw2AuAawbVlKhnSCwmYEQJNohHxNG+:TFE//Tct4bOsdHx0bMSjmYEEEHxE+
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe winfiles.exe"  by 1392f2f4e3fcc90faf09d722e4059f0a.exe
  Caveat: the Wow6432Node path shows that WOW64 redirected this write from the 32-bit sample. 64-bit winlogon.exe reads the native ...\Windows NT\CurrentVersion\Winlogon\Shell value, which this event leaves untouched, so on the x64 image the entry is recorded but not effective; on 32-bit Windows the same write would make the shell launch Explorer plus winfiles.exe at logon. Check both keys when triaging a host.

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  by 1392f2f4e3fcc90faf09d722e4059f0a.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by 1392f2f4e3fcc90faf09d722e4059f0a.exe

Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  by 1392f2f4e3fcc90faf09d722e4059f0a.exe

Disables Task Manager via registry modification (no IoC recorded)

Disables use of System Restore points (1 TTP, no IoC recorded)

Executes dropped EXE (2 IoCs)
  PID 2300 winnt.exe
  PID 2700 winnt.exe

YARA rule match: upx (8 IoCs)
  behavioral1/memory/2096-{0,47,48,49,51,53,54,55}-0x0000000000400000-0x00000000004B8000-memory.dmp
  All eight dumps cover the same region of PID 2096 (the sample), 0x400000-0x4B8000.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\SysWOW64\\winfiles.exe"  by 1392f2f4e3fcc90faf09d722e4059f0a.exe
  The misspelled value name "Yahoo Messengger" is a usable hunting string. The target is the SysWOW64 copy because the 32-bit sample's writes to system32 are subject to file system redirection on x64; unlike the Winlogon entry above, this per-user Run key is not redirected and is read by Explorer at logon.

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\a: through \??\z:, except c:, d: and f: (23 drive letters)  by 1392f2f4e3fcc90faf09d722e4059f0a.exe

AutoIT Executable (7 IoCs)
  AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe on behavioral1/memory/2096-{47,48,49,51,53,54,55}-0x0000000000400000-0x00000000004B8000-memory.dmp
  The rule does not fire on the first dump (2096-0, which matched upx only) but does on the later dumps of the same region, consistent with a UPX-packed AutoIt binary being unpacked in place.

Drops file in System32 directory (3 IoCs)
  File opened for modification C:\Windows\SysWOW64\winfiles.exe
  File opened for modification C:\Windows\SysWOW64\autorun.ini
  File created C:\Windows\SysWOW64\winfiles.exe
  (all by 1392f2f4e3fcc90faf09d722e4059f0a.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 2300 winnt.exe set thread context of PID 2700 winnt.exe (target index 35)

Drops file in Windows directory (4 IoCs)
  File created C:\Windows\winfiles.exe
  File opened for modification C:\Windows\winfiles.exe
  File created C:\Windows\winnt.exe
  File opened for modification C:\Windows\winnt.exe
  (all by 1392f2f4e3fcc90faf09d722e4059f0a.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2700 winnt.exe: 2 events
  PID 2096 1392f2f4e3fcc90faf09d722e4059f0a.exe: 62 events

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2300 winnt.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  source PID / process                         -> target PID / process (index)   events
  2096 1392f2f4e3fcc90faf09d722e4059f0a.exe    -> 2300 winnt.exe (28)            4
  2096 1392f2f4e3fcc90faf09d722e4059f0a.exe    -> 2660 cmd.exe (29)              4
  2660 cmd.exe                                 -> 2820 at.exe (31)               4
  2096 1392f2f4e3fcc90faf09d722e4059f0a.exe    -> 2852 cmd.exe (32)              4
  2852 cmd.exe                                 -> 2724 at.exe (34)               4
  2300 winnt.exe                               -> 2700 winnt.exe (35)            8
  2700 winnt.exe                               -> 1208 Explorer.EXE (8)          4
  Target process names are taken from the process tree below. A handful of writes from a parent into a child it has just created is typically the ordinary process-start pattern (cmd.exe into at.exe shows the same count). The eight writes from PID 2300 into PID 2700, paired with SetThreadContext on the same target, and the writes from PID 2700 into Explorer.EXE are the events to pull memory for.
Processes

C:\Windows\Explorer.EXE  (PID 1208)
  C:\Users\Admin\AppData\Local\Temp\1392f2f4e3fcc90faf09d722e4059f0a.exe  (PID 2096)
    command line: "C:\Users\Admin\AppData\Local\Temp\1392f2f4e3fcc90faf09d722e4059f0a.exe"
    signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Disables RegEdit via registry modification; Adds Run key to start application; Enumerates connected drives; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    C:\Windows\winnt.exe  (PID 2300)
      command line: C:\Windows\winnt.exe
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      C:\Windows\winnt.exe  (PID 2700)
        command line: C:\Windows\winnt.exe
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2660)
      command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
      signatures: Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\at.exe  (PID 2820)
        command line: AT /delete /yes
    C:\Windows\SysWOW64\cmd.exe  (PID 2852)
      command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\SysWOW64\winfiles.exe
      signatures: Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\at.exe  (PID 2724)
        command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\SysWOW64\winfiles.exe

Notes on the tree:
  The cmd.exe and at.exe images are under SysWOW64 although the command lines say system32: the 32-bit sample's children are subject to file system redirection on the x64 image.
  The first AT command deletes every existing AT job without prompting. The second registers winfiles.exe to run at 09:00 on all seven days with /interactive, which lets the job interact with the desktop of whoever is logged on; AT jobs run in the Task Scheduler service's context, so this is a second persistence path independent of the Run key.
  The dropped winnt.exe (PID 2300) starts a second instance of itself (PID 2700), writes into it and sets its thread context; the second instance then writes into Explorer.EXE (PID 1208), the process that launched the sample.
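As an added example, not part of the Triage report, the following PowerShell checks a live Windows host for the registry, file and scheduled-task IoCs listed above. Assumptions: PowerShell 5.1 run elevated from a 64-bit session (a 32-bit session would itself be redirected away from the native keys and System32); the DisableTaskMgr value and the native System32 file paths are not in the report and are checked as assumptions; the value name "Yahoo Messengger", the winfiles.exe/winnt.exe/autorun.ini paths, the AT job and the SHA256 hashes come from the report.

```powershell
# Added example, not from the Triage report: host-side triage for the IoCs above.
# Run elevated in 64-bit PowerShell 5.1. Returns findings; none found does not
# prove the host is clean, it only means the report's IoCs were not observed.

$ReportSha256 = @(
    '60bc5f9ac42e9bc88f810dcd2f370cf8f938542c90a42a42eaef4331812a6d54',  # sample (report)
    '94fb297675263a1e363b9c3038e3b54b8a53a352ec36ba947776b4fd014c172f'   # 404KB download (report)
)

function New-Finding($Type, $Location, $Value) {
    [pscustomobject]@{ Type = $Type; Location = $Location; Value = $Value }
}

function Get-WinlogonShellFindings {
    # The report's write landed under Wow6432Node (WOW64 redirection of the 32-bit
    # sample). 64-bit winlogon.exe reads the native key, so inspect both.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        # Default is the single token "explorer.exe"; any extra token is a red flag.
        if ($shell -and $shell.Trim() -ne 'explorer.exe') { New-Finding 'Registry' "$key\Shell" $shell }
    }
}

function Get-UserRegistryFindings {
    # Per-user values the sample set, checked in every currently loaded user hive
    # (hives of logged-off users are not loaded and are not covered here).
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $checks = @(
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Bad = 1 },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Bad = 0 },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1 },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Bad = 1 }  # assumption: not in report
    )
    $hives = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $base = "HKU:\$($hive.PSChildName)"
        foreach ($c in $checks) {
            $v = (Get-ItemProperty -Path "$base\$($c.Key)" -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            if ($null -ne $v -and [int]$v -eq $c.Bad) { New-Finding 'Registry' "$base\$($c.Key)\$($c.Name)" $v }
        }
        # Run entry from the report: name "Yahoo Messengger" (sic), pointing at winfiles.exe.
        $runKey = "$base\Software\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($p in $run.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
                if ($p.Name -eq 'Yahoo Messengger' -or "$($p.Value)" -match 'winfiles\.exe') {
                    New-Finding 'Registry' "$runKey\$($p.Name)" $p.Value
                }
            }
        }
    }
}

function Get-DroppedFileFindings {
    # Paths from the report; SysWOW64 is where a 32-bit process's "system32" writes
    # land on x64. The native System32 paths are an assumption (32-bit OS or x64 variant).
    $paths = "$env:WINDIR\winfiles.exe", "$env:WINDIR\winnt.exe",
             "$env:WINDIR\SysWOW64\winfiles.exe", "$env:WINDIR\SysWOW64\autorun.ini",
             "$env:WINDIR\System32\winfiles.exe", "$env:WINDIR\System32\autorun.ini"
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            $tag = if ($ReportSha256 -contains $hash) { 'matches a report hash' } else { 'hash not in report' }
            New-Finding 'File' $p "$hash ($tag)"
        }
    }
}

function Get-ScheduledTaskFindings {
    # The sample wipes all AT jobs, then registers a daily 09:00 interactive job
    # for winfiles.exe. AT jobs appear in Task Scheduler as "\At<n>".
    $rows = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' }   # drop repeated header rows
    foreach ($t in $rows) {
        if ($t.TaskName -match '^\\At\d+$' -or "$($t.'Task To Run')" -match 'winfiles\.exe') {
            New-Finding 'ScheduledTask' $t.TaskName $t.'Task To Run'
        }
    }
}

function Invoke-IocTriage {
    @(Get-WinlogonShellFindings) + @(Get-UserRegistryFindings) +
    @(Get-DroppedFileFindings) + @(Get-ScheduledTaskFindings)
}

$findings = @(Invoke-IocTriage)
if ($findings.Count -eq 0) { 'None of the report IoCs were observed on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit on the Wow6432Node Shell value alone shows that the sample ran, not that the shell replacement is active: the native key decides what 64-bit winlogon.exe launches. A file hit whose hash is not in the report is still worth collecting, since the report does not name which dropped file the 404KB download corresponds to.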
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Defense Evasion
  Hide Artifacts (T1564): 2
    Hidden Files and Directories (T1564.001): 2
  Modify Registry (T1112): 4
Downloads

Filesize: 404KB
MD5: 83c255bcba33f1daa5694177b78519d0
SHA1: 7d91f166a17df3bd3d2ce579cc3922676060dca2
SHA256: 94fb297675263a1e363b9c3038e3b54b8a53a352ec36ba947776b4fd014c172f
SHA512: cb93f4ce5b76c7c687dbcf283acd92ea7a90e1ad495ab20651eedfcaa8b52dc67d4b88fb7351dcc963b16021244952706c15daaff08d27a5354c41d410f437c1