Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
31/12/2023, 00:30 UTC
Static task
static1
Behavioral task
behavioral1
Sample
21c3c367eeeb6174276891ad87e9879a.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
21c3c367eeeb6174276891ad87e9879a.exe
Resource
win10v2004-20231215-en
General
-
Target
21c3c367eeeb6174276891ad87e9879a.exe
-
Size
31KB
-
MD5
21c3c367eeeb6174276891ad87e9879a
-
SHA1
a8363b5ca07877cf06ca16712ba4b56963589736
-
SHA256
b01280a4c6fdab5e4bc54cf5865b3bf0740067a70c2eacf2fe795f0c18db927a
-
SHA512
4fb1d48227b3dab7d8694965bd332ed16d0b56929caa17a1ebcb240344eb20518d903d81ef21d4096ec5577124ff07a39e77565a09a0b7dcdf4c320684510d22
-
SSDEEP
768:VbMk8T8t4U0XYbWkUaWfeyZ0HDkjiPcnbcuyD7UjNWGg:Vw+P0obWkUwSjPnouy8JS
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 21c3c367eeeb6174276891ad87e9879a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 21c3c367eeeb6174276891ad87e9879a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 21c3c367eeeb6174276891ad87e9879a.exe -
Loads dropped DLL 1 IoCs
pid Process 1888 21c3c367eeeb6174276891ad87e9879a.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360se = "C:\\Users\\Admin\\AppData\\Local\\Temp\\21c3c367eeeb6174276891ad87e9879a.exe" 21c3c367eeeb6174276891ad87e9879a.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 21c3c367eeeb6174276891ad87e9879a.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\s: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\t: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\z: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\h: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\i: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\j: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\r: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\o: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\q: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\v: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\y: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\e: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\g: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\l: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\n: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\m: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\p: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\w: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\x: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\k: 21c3c367eeeb6174276891ad87e9879a.exe File opened (read-only) \??\u: 21c3c367eeeb6174276891ad87e9879a.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\259430910.DLL 21c3c367eeeb6174276891ad87e9879a.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\rgdltecq\nhoifz.pif 21c3c367eeeb6174276891ad87e9879a.exe File created C:\Program Files (x86)\Common Files\rgdltecq\nhoifz.pif 21c3c367eeeb6174276891ad87e9879a.exe -
Suspicious behavior: EnumeratesProcesses 63 IoCs
pid Process 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe 1888 21c3c367eeeb6174276891ad87e9879a.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1888 21c3c367eeeb6174276891ad87e9879a.exe Token: SeDebugPrivilege 1888 21c3c367eeeb6174276891ad87e9879a.exe -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 21c3c367eeeb6174276891ad87e9879a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 21c3c367eeeb6174276891ad87e9879a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 21c3c367eeeb6174276891ad87e9879a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\21c3c367eeeb6174276891ad87e9879a.exe"C:\Users\Admin\AppData\Local\Temp\21c3c367eeeb6174276891ad87e9879a.exe"1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1888
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12.1MB
MD5d5ae1480054364becaf44f15f84db2f7
SHA173a46e6049589e6358c46dde4815f91151039122
SHA25692b6933287c3e43f6393573d5a40f4609db05afc720c0b6fc22d05b17f013d3a
SHA51211c6f9d2db8d533136d98dd060b036525b4a88faa9061fc20a03794d9119bb12a6d4a6fdfa138c94885ddf564e5af34bbac59b0b4bd459c3a6ecf9e277c7d269