Analysis
- max time kernel: 93s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 08:37
Behavioral task: behavioral1
- Sample: 1392f2f4e3fcc90faf09d722e4059f0a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 1392f2f4e3fcc90faf09d722e4059f0a.exe
- Resource: win10v2004-20231215-en
General
- Target: 1392f2f4e3fcc90faf09d722e4059f0a.exe
- Size: 688KB
- MD5: 1392f2f4e3fcc90faf09d722e4059f0a
- SHA1: 3e1a946887bbab52bc3f5064cc6b038aea0b8854
- SHA256: 60bc5f9ac42e9bc88f810dcd2f370cf8f938542c90a42a42eaef4331812a6d54
- SHA512: 1be6db21f06edf882ed16d8e2008753cddf60936c5223ad90549e94199ba6617edd2ac5da2cb5f842d3895b8379cc32787780988e7091886ae21e32b600b7629
- SSDEEP: 12288:IjkArEN249AyE/rbaMct4bO2/VQ2Rw2AuAawbVlKhnSCwmYEQJNohHxNG+:TFE//Tct4bOsdHx0bMSjmYEEEHxE+
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe winfiles.exe" (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTP)
Executes dropped EXE (2 IoCs)
- PID 4904: winnt.exe
- PID 3232: winnt.exe
Matches yara rule upx (resource: rule)
- behavioral2/memory/4180-0-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-13-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-27-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-39-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-40-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-42-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-43-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-44-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-45-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-46-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-47-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-48-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-49-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-50-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- behavioral2/memory/4180-51-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\SysWOW64\\winfiles.exe" (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 1392f2f4e3fcc90faf09d722e4059f0a.exe: \??\t:, \??\i:, \??\j:, \??\n:, \??\r:, \??\h:, \??\l:, \??\m:, \??\w:, \??\u:, \??\v:, \??\x:, \??\a:, \??\e:, \??\g:, \??\k:, \??\s:, \??\y:, \??\z:, \??\b:, \??\o:, \??\p:, \??\q:
AutoIT Executable (14 IoCs)
AutoIT scripts compiled to PE executables.
Matches yara rule autoit_exe (resource: rule)
- behavioral2/memory/4180-13-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-27-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-39-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-40-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-42-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-43-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-44-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-45-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-46-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-47-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-48-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-49-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-50-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
- behavioral2/memory/4180-51-0x0000000000400000-0x00000000004B8000-memory.dmp: autoit_exe
Drops file in System32 directory (3 IoCs)
- File created: C:\Windows\SysWOW64\winfiles.exe (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
- File opened for modification: C:\Windows\SysWOW64\winfiles.exe (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
- File opened for modification: C:\Windows\SysWOW64\autorun.ini (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
Suspicious use of SetThreadContext (1 IoC)
- PID 4904 set thread context of 3232 (pid: 4904, process: winnt.exe, procid_target: 99)
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\winfiles.exe (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
- File opened for modification: C:\Windows\winfiles.exe (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
- File created: C:\Windows\winnt.exe (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
- File opened for modification: C:\Windows\winnt.exe (process: 1392f2f4e3fcc90faf09d722e4059f0a.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4904: winnt.exe
Suspicious use of WriteProcessMemory (26 IoCs)
- PID 4180 wrote to memory of 4904 (pid: 4180, process: 1392f2f4e3fcc90faf09d722e4059f0a.exe, procid_target: 92), 3 entries
- PID 4180 wrote to memory of 4716 (pid: 4180, process: 1392f2f4e3fcc90faf09d722e4059f0a.exe, procid_target: 93), 3 entries
- PID 4716 wrote to memory of 1976 (pid: 4716, process: cmd.exe, procid_target: 95), 3 entries
- PID 4180 wrote to memory of 4548 (pid: 4180, process: 1392f2f4e3fcc90faf09d722e4059f0a.exe, procid_target: 96), 3 entries
- PID 4548 wrote to memory of 4816 (pid: 4548, process: cmd.exe, procid_target: 98), 3 entries
- PID 4904 wrote to memory of 3232 (pid: 4904, process: winnt.exe, procid_target: 99), 7 entries
- PID 3232 wrote to memory of 3352 (pid: 3232, process: winnt.exe, procid_target: 55), 4 entries
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID:3352
  - C:\Users\Admin\AppData\Local\Temp\1392f2f4e3fcc90faf09d722e4059f0a.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1392f2f4e3fcc90faf09d722e4059f0a.exe"), PID:4180
    Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Disables RegEdit via registry modification; Adds Run key to start application; Enumerates connected drives; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\winnt.exe (command line: C:\Windows\winnt.exe), PID:4904
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\winnt.exe (command line: C:\Windows\winnt.exe), PID:3232
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /C AT /delete /yes), PID:4716
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\at.exe (command line: AT /delete /yes), PID:1976
    - C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\SysWOW64\winfiles.exe), PID:4548
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\at.exe (command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\SysWOW64\winfiles.exe), PID:4816
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Modify Registry (4)
Downloads
- Filesize: 103B
  MD5: 541a65508f25de94e3f243cca6e23283
  SHA1: 6fa0923572c95983b7beb5c217916687b91fd949
  SHA256: 7df226218bef9609c49c45ac7243f77fef8b30423c5d35c0def85f022ea8c108
  SHA512: 6963f7d5cbf06e6f7b66f0a9459b2c20aca4ccad284b1cec4d32da842bd37e41894256f58872f218bdfbf9b0b9bbc56438f427a4eca70a5fe6aced942bbe2933
- Filesize: 404KB
  MD5: 83c255bcba33f1daa5694177b78519d0
  SHA1: 7d91f166a17df3bd3d2ce579cc3922676060dca2
  SHA256: 94fb297675263a1e363b9c3038e3b54b8a53a352ec36ba947776b4fd014c172f
  SHA512: cb93f4ce5b76c7c687dbcf283acd92ea7a90e1ad495ab20651eedfcaa8b52dc67d4b88fb7351dcc963b16021244952706c15daaff08d27a5354c41d410f437c1