Analysis
- max time kernel: 86s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31/12/2023, 00:30
Static task: static1
Behavioral task: behavioral1
- Sample: 21c7481d44e9d15714818dc8548dbb9f.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 21c7481d44e9d15714818dc8548dbb9f.exe
- Resource: win10v2004-20231215-en
General
- Target: 21c7481d44e9d15714818dc8548dbb9f.exe
- Size: 125KB
- MD5: 21c7481d44e9d15714818dc8548dbb9f
- SHA1: cf49d2b9aefbc9f7e60ffc046d93914990b21786
- SHA256: 0cf570871de8511e21928c032baafb1309be3faba8124c0a99f96261dc749fe3
- SHA512: 75c5aee133c87875b9d22b06fb49b2746d401508540107429af2755b9f5e9edba31c88bf4a2b9265b33cffc72d393dc972dbaf6ca5b4d371d3969b96fdb96a63
- SSDEEP: 3072:MIXs68BY9oTwGNeFxEMDJCZoYzuNR9FkmuGYy:78XTUGNeFTCZoYyNRgmCy
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe C:\\Windows\\system32\\svchost_.exe" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe C:\\Windows\\system32\\winlogon_.exe" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\winlogon_.exe, " (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\services_.exe, " (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\awang.exe" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\tomy.exe" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\ashari.exe" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\smss.exe" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
Disables RegEdit via registry modification (1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
Disables Task Manager via registry modification
Drops startup file (1 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin Playlist.scr (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\RPCall = "C:\\Windows\\system32\\svchost_.exe /register" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SRVState = "C:\\Windows\\system32\\svchost_.exe /register" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
Modifies WinLogon (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Windows\\system32\\svchost_.exe" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ReportBootOk = "0" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
Drops file in System32 directory (5 IoCs)
- File opened for modification: C:\Windows\SysWOW64\svchost_.exe (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- File opened for modification: C:\Windows\SysWOW64\winlogon_.exe (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- File opened for modification: C:\Windows\SysWOW64\Admin (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- File opened for modification: C:\Windows\SysWOW64\awang.exe\Kenangan Terindah.exe (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- File opened for modification: C:\Windows\SysWOW64\tomy.exe\Kenangan Terindah.exe (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
Drops file in Program Files directory (4 IoCs)
- File opened for modification: C:\Program Files (x86)\Winamp\winamp_.exe (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\Asikk.bat\Kenangan Terindah.exe (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\HIMATI.txt\Kenangan Terindah.exe (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- File opened for modification: C:\Program Files (x86)\Common Files\eksplorasi.pif\Kenangan Terindah.exe (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\Waduh...com\Kenangan Terindah.exe (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- File opened for modification: C:\Windows\Ngolok.txt\Kenangan Terindah.exe (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- File opened for modification: C:\Windows\Parkir.exe\Kenangan Terindah.exe (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
Enumerates physical storage devices (1 TTPs)
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1072: 21c7481d44e9d15714818dc8548dbb9f.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 1072: 21c7481d44e9d15714818dc8548dbb9f.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 1072: 21c7481d44e9d15714818dc8548dbb9f.exe
System policy modification (1 TTPs, 3 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" (process: 21c7481d44e9d15714818dc8548dbb9f.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\21c7481d44e9d15714818dc8548dbb9f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\21c7481d44e9d15714818dc8548dbb9f.exe"
Signatures:
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Drops startup file
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID: 1072
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)