Analysis
- max time kernel: 151s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31/12/2023, 00:02
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 20f23133004922fdeccdf1b9a4f69ed5.exe
  - Resource: win7-20231215-en

Behavioral task
- behavioral2
  - Sample: 20f23133004922fdeccdf1b9a4f69ed5.exe
  - Resource: win10v2004-20231215-en
General
- Target: 20f23133004922fdeccdf1b9a4f69ed5.exe
- Size: 1.4MB
- MD5: 20f23133004922fdeccdf1b9a4f69ed5
- SHA1: fdb6b6859e8b13fcee4053a0f4d28b6aebe72e2a
- SHA256: 5bfc6e6261495a8e4a968fc0170181b723e3647d7e43e6ba74e3572bd7f76f1c
- SHA512: 90ba71d5c5e8455f06a79222468de82712c1e752b3a6925f18aae49d6a71f3d8a1fd3b0ad0c9d564ec8597c634da541e8dd8950e33c63590bec0772e0a5b025c
- SSDEEP: 3072:8MBwCbm8zxdAgDADIgBnsTaNkayQ9BKJR:8MB/m8zDAFIuk
Malware Config
Signatures

- Modifies security service (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | reg.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Universal System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20f23133004922fdeccdf1b9a4f69ed5.exe" | 20f23133004922fdeccdf1b9a4f69ed5.exe

- Drops file in System32 directory (1 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\upjus.dll | 20f23133004922fdeccdf1b9a4f69ed5.exe

- Modifies Internet Explorer settings
  description | ioc | process
  Key deleted | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar | 20f23133004922fdeccdf1b9a4f69ed5.exe
  Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main | 20f23133004922fdeccdf1b9a4f69ed5.exe

- Runs net.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | process
  2312 | 20f23133004922fdeccdf1b9a4f69ed5.exe
  2312 | 20f23133004922fdeccdf1b9a4f69ed5.exe
  2312 | 20f23133004922fdeccdf1b9a4f69ed5.exe

- Suspicious use of WriteProcessMemory (44 IoCs)
  Each parent/child pair below is recorded four times in the report, giving 44 entries in total.
  description | pid | process | procid_target
  PID 2312 wrote to memory of 2712 | 2312 | 20f23133004922fdeccdf1b9a4f69ed5.exe | 28 (x4)
  PID 2312 wrote to memory of 2700 | 2312 | 20f23133004922fdeccdf1b9a4f69ed5.exe | 29 (x4)
  PID 2312 wrote to memory of 2280 | 2312 | 20f23133004922fdeccdf1b9a4f69ed5.exe | 31 (x4)
  PID 2312 wrote to memory of 2780 | 2312 | 20f23133004922fdeccdf1b9a4f69ed5.exe | 33 (x4)
  PID 2312 wrote to memory of 2868 | 2312 | 20f23133004922fdeccdf1b9a4f69ed5.exe | 35 (x4)
  PID 2700 wrote to memory of 2796 | 2700 | cmd.exe | 40 (x4)
  PID 2712 wrote to memory of 2940 | 2712 | cmd.exe | 38 (x4)
  PID 2780 wrote to memory of 2844 | 2780 | cmd.exe | 39 (x4)
  PID 2868 wrote to memory of 2824 | 2868 | cmd.exe | 41 (x4)
  PID 2940 wrote to memory of 2600 | 2940 | net.exe | 43 (x4)
  PID 2796 wrote to memory of 2792 | 2796 | net.exe | 42 (x4)
Processes

- C:\Users\Admin\AppData\Local\Temp\20f23133004922fdeccdf1b9a4f69ed5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20f23133004922fdeccdf1b9a4f69ed5.exe"
  PID: 2312
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c net stop "Security Center"
    PID: 2712
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\net.exe
      Command line: net stop "Security Center"
      PID: 2940
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Security Center"
        PID: 2600

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c net stop SharedAccess
    PID: 2700
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\net.exe
      Command line: net stop SharedAccess
      PID: 2796
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SharedAccess
        PID: 2792

  - C:\Windows\SysWOW64\reg.exe
    Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
    PID: 2280

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
    PID: 2780
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
      PID: 2844
      - Modifies security service

  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
    PID: 2868
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
      PID: 2824
      - Modifies security service
Network

MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)