Analysis
- max time kernel: 151s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 14:10
Static task: static1
Behavioral task: behavioral1
- Sample: simplearchive.scr
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: simplearchive.scr
- Resource: win10v2004-20231215-en
General
- Target: simplearchive.scr
- Size: 712KB
- MD5: 5e63fa00340326fecc1b3c7f942ccff1
- SHA1: eaf739f71b25517bffc37966dd19cb256c7c93fe
- SHA256: 21fe1a80e75c3392f448b3ad41935c5d6b55bc4366532a0a6eee46c1b4684491
- SHA512: 1ace52b425a2a9e0d102ffc6d67469b87d640f758d35b7c999763faba6888dfec0a491786bd9e70837280542bd59cc8ccb3df4e0c64e6fcc8a77d770d489d85e
- SSDEEP: 12288:SXmwRo+mv8QD4+0N469AoUleMoGlHNImbu7IT/4zp1nBgxmF+Jf9v189lS:SX48QE+U7AoxMowHNImbu7AAF1BgxmFO
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
- PID 2644 service.exe
- PID 2556 service.exe
- PID 1820 service.exe
- PID 1504 service.exe
Loads dropped DLL (5 IoCs)
- PID 1044 simplearchive.scr
- PID 1044 simplearchive.scr
- PID 2556 service.exe
- PID 2556 service.exe
- PID 1820 service.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\service.exe" (process: service.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (2 IoCs)
- PID 2644 (service.exe) set thread context of 2556 (target procid 30)
- PID 1820 (service.exe) set thread context of 1504 (target procid 32)
Drops file in Program Files directory (64 IoCs)
Each entry is "File opened for modification" by service.exe unless noted otherwise.
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml
- C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml
- C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt
- C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg
- C:\Program Files\7-Zip\Lang\fi.txt
- C:\Program Files\7-Zip\Lang\mng2.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml
- C:\Program Files\7-Zip\Lang\bn.txt
- C:\Program Files\7-Zip\Lang\co.txt
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml
- C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt
- C:\Program Files\7-Zip\Lang\he.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml
- C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml
- C:\Program Files\7-Zip\Lang\th.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi
- C:\Program Files\DVD Maker\Shared\Filters.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml
- C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml
- C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.jpg
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml
- C:\Program Files\7-Zip\Lang\lt.txt
- C:\Program Files\ExpandExport.jpeg
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt
- C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\gadget.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml
- C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml
- C:\Program Files\Windows Media Player\Network Sharing\ContentDirectory.xml
- C:\Program Files\7-Zip\Lang\sr-spl.txt
- C:\Program Files\7-Zip\Lang\sw.txt
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml
- C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt
- C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\gadget.xml
- C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\gadget.xml
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml
- C:\Program Files (x86)\-\PDF Archiver\service.exe (process: simplearchive.scr)
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml
Drops file in Windows directory (64 IoCs)
Each entry is "File opened for modification" by service.exe.
- C:\Windows\ehome\ja-JP\epgtos.txt
- C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp6.jpg
- C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderSchema.sql
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreLogic.sql
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\Tracking_Logic.sql
- C:\Windows\diagnostics\index\WindowsMediaPlayerConfiguration.xml
- C:\Windows\ehome\CreateDisc\Styles\NTSC\Symphony\Symphony\Symphony.psd
- C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp3.jpg
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallRoles.sql
- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\de\Tracking_Logic.sql
- C:\Windows\Microsoft.NET\Framework\v3.5\SQL\EN\DropSqlPersistenceProviderLogic.sql
- C:\Windows\diagnostics\index\AeroDiagnostic.xml
- C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp2.jpg
- C:\Windows\Microsoft.NET\Framework\v3.5\SQL\de\DropSqlPersistenceProviderLogic.sql
- C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderLogic.sql
- C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\DropSqlPersistenceProviderLogic.sql
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallWebEventSqlProvider.sql
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallCommon.sql
- C:\Windows\diagnostics\index\NetworkDiagnostics_2_FileShare.xml
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallRoles.sql
- C:\Windows\diagnostics\index\NetworkDiagnostics_1_Web.xml
- C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\AU-wp1.jpg
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql
- C:\Windows\diagnostics\index\WindowsMediaPlayerMediaLibrary.xml
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallMembership.sql
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallSqlState.sql
- C:\Windows\ehome\fr-FR\playReady_eula_oem.txt
- C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp4.jpg
- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\it\SqlPersistenceService_Logic.sql
- C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp3.jpg
- C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp3.jpg
- C:\Windows\diagnostics\index\NetworkDiagnostics_4_NetworkAdapter.xml
- C:\Windows\diagnostics\index\PCWDiagnostic.xml
- C:\Windows\diagnostics\index\SearchDiagnostic.xml
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallCommon.sql
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallSqlState.sql
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallProfile.SQL
- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en\Tracking_Schema.sql
- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\it\SqlPersistenceService_Schema.sql
- C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\SqlPersistenceProviderSchema.sql
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg
- C:\Windows\diagnostics\index\MaintenanceDiagnostic.xml
- C:\Windows\ehome\en-US\playReady_eula_oem.txt
- C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp5.jpg
- C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp3.jpg
- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\ja\SqlPersistenceService_Logic.sql
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg
- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\ja\SqlPersistenceService_Schema.sql
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\UnInstallProfile.SQL
- C:\Windows\diagnostics\index\PerformanceDiagnostic.xml
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallMembership.sql
- C:\Windows\ehome\CreateDisc\Styles\PAL\Symphony\Symphony\Symphony.psd
- C:\Windows\ehome\MediaRenderer\MediaCenter.DigitalMediaRenderer.ConnectionManager.xml
- C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp4.jpg
- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\es\Tracking_Schema.sql
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallMembership.sql
- C:\Windows\diagnostics\index\NetworkDiagnostics_3_HomeGroup.xml
- C:\Windows\ehome\it-IT\playready_eula.txt
- C:\Windows\ehome\mcetuningoverrides.xml
- C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp4.jpg
- C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp1.jpg
- C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\SqlPersistenceProviderSchema.sql
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 2556 service.exe
Suspicious use of WriteProcessMemory (32 IoCs; the report lists one row per call, identical rows are collapsed here with a count)
- PID 1044 (simplearchive.scr) wrote to memory of 2644 (target procid 28): 4 rows
- PID 2644 (service.exe) wrote to memory of 2556 (target procid 30): 12 rows
- PID 2556 (service.exe) wrote to memory of 1820 (target procid 31): 4 rows
- PID 1820 (service.exe) wrote to memory of 1504 (target procid 32): 12 rows
Processes
Each numbered process is spawned by the one above it.
1. C:\Users\Admin\AppData\Local\Temp\simplearchive.scr (PID 1044)
   Command line: "C:\Users\Admin\AppData\Local\Temp\simplearchive.scr" /S
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
2. C:\Program Files (x86)\-\PDF Archiver\service.exe (PID 2644)
   Command line: "C:\Program Files (x86)\-\PDF Archiver\service.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
3. C:\Program Files (x86)\-\PDF Archiver\service.exe (PID 2556)
   Command line: "C:\Program Files (x86)\-\PDF Archiver\service.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Local\Temp\service.exe (PID 1820)
   Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
5. C:\Users\Admin\AppData\Local\Temp\service.exe (PID 1504)
   Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
   - Executes dropped EXE
   - Adds Run key to start application
   - Drops file in Program Files directory
   - Drops file in Windows directory
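The WriteProcessMemory and SetThreadContext signatures above, read together with the process list, describe the usual process-hollowing shape: a parent writes into a child that runs the parent's own image and then resets the child's thread context, twice in a row (2644 into 2556, then 1820 into 1504). The script below is an added example, not Triage's code, that parses rows in the report's own layout, rebuilds the spawn chain, flags those same-image write-plus-SetThreadContext pairs, and checks the Run-key value against the images that were seen executing. The input rows are copied from this report (only a few of the repeated WriteProcessMemory rows are kept); the pairing heuristic is an assumption about what the signatures imply, and the row regexes assume the column layout shown on this page.

```python
"""Rebuild the process chain from this report's WriteProcessMemory and
SetThreadContext rows, flag process-hollowing candidates, and check the Run-key
persistence entry against the images that were seen executing.
Added example (not Triage's code). Input rows are copied from the report; the
sandbox repeats a WriteProcessMemory row per call, so only a few are kept here.
The pairing heuristic (write + SetThreadContext into a same-image child) is an
assumption about what the signatures imply, not something the report states."""
import re
from collections import Counter, defaultdict

WPM_ROWS = """
PID 1044 wrote to memory of 2644 1044 simplearchive.scr 28
PID 1044 wrote to memory of 2644 1044 simplearchive.scr 28
PID 2644 wrote to memory of 2556 2644 service.exe 30
PID 2556 wrote to memory of 1820 2556 service.exe 31
PID 1820 wrote to memory of 1504 1820 service.exe 32
"""
STC_ROWS = """
PID 2644 set thread context of 2556 2644 service.exe 30
PID 1820 set thread context of 1504 1820 service.exe 32
"""
RUN_KEY_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\service.exe" service.exe
"""
# Image path per PID, taken from the "Processes" section of the report.
PROCESSES = {
    1044: r"C:\Users\Admin\AppData\Local\Temp\simplearchive.scr",
    2644: r"C:\Program Files (x86)\-\PDF Archiver\service.exe",
    2556: r"C:\Program Files (x86)\-\PDF Archiver\service.exe",
    1820: r"C:\Users\Admin\AppData\Local\Temp\service.exe",
    1504: r"C:\Users\Admin\AppData\Local\Temp\service.exe",
}

# Row layouts: "PID <src> <verb> <dst> <pid> <process> <procid_target>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")
STC_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ \S+ \d+$")
# 'Set value (str) <key>\<name> = "<data>" <process>'
RUN_RE = re.compile(r'^Set value \(\w+\) (\\REGISTRY\\\S+?\\Run)\\(\S+) = "(.*)" \S+$')


def parse_edges(text, regex):
    """Map (source_pid, target_pid) -> number of rows (one row per API call)."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = regex.match(line.strip())
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def process_chain(wpm, root):
    """Depth-first walk over parent -> child memory-write edges from root."""
    children = defaultdict(list)
    for src, dst in wpm:
        children[src].append(dst)
    chain, stack = [], [(root, 1)]
    while stack:
        pid, depth = stack.pop()
        chain.append((depth, pid))
        stack.extend((c, depth + 1) for c in sorted(children[pid], reverse=True))
    return chain


def hollowing_candidates(wpm, stc, procs):
    """A parent that writes into a child it also SetThreadContext's, where the
    child runs the parent's own image, has the RunPE / process-hollowing shape.
    Heuristic only: debuggers and some runtime components do the same."""
    return sorted(
        (src, dst, procs[src])
        for src, dst in stc
        if (src, dst) in wpm and src in procs and procs[src] == procs.get(dst)
    )


def persistence_entries(text, running_images):
    """Run-key values, each flagged with whether its target was seen executing."""
    out = []
    for line in text.strip().splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        target = m.group(3).replace("\\\\", "\\")  # undo the report's escaping
        out.append({"key": m.group(1), "name": m.group(2), "target": target,
                    "target_observed_running": target in running_images})
    return out


def triage():
    wpm = parse_edges(WPM_ROWS, WPM_RE)
    stc = parse_edges(STC_ROWS, STC_RE)
    return {
        "chain": process_chain(wpm, 1044),
        "hollowing": hollowing_candidates(wpm, stc, PROCESSES),
        "persistence": persistence_entries(RUN_KEY_ROWS, set(PROCESSES.values())),
    }


if __name__ == "__main__":
    for section, rows in triage().items():
        print(section, rows)
```

Two things the output makes visible that the flat signature list does not. First, both hollowing pairs are same-image parent/child (PDF Archiver\service.exe into itself, then Temp\service.exe into itself), which is why the sandbox attributes nearly every later signature to the child PIDs 2556 and 1504 rather than the processes that spawned them; memory forensics on those two PIDs, not the on-disk service.exe, is where the real payload lives. Second, the Run value points at C:\Program Files (x86)\service.exe, which is neither of the two paths service.exe was executed from, and that path does not appear among the 64 Program Files drop entries shown; since the report caps each drop list at 64 rows, this cannot be settled from the page alone and is worth checking on a host image before declaring the persistence dead.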
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 514KB
- MD5: c99f9e727a31cffd7f0a2ca86c32e9cf
- SHA1: 3758a79b77f9c0f797d997d7561e784f853c46bf
- SHA256: 3f1498d0b647303a904c9f929b060911d15442cfde169d87cf967b6d57484d69
- SHA512: c6fac95122d5d7fa5de271b3916e1534972d735fa308fc93db3429361f2992090b247eaab8f2ebd96b3c203bbfa51f1cb47222cd1396eb2d18ff3d8ba77286c4