Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    86s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 00:30

General

  • Target

    21c7481d44e9d15714818dc8548dbb9f.exe

  • Size

    125KB

  • MD5

    21c7481d44e9d15714818dc8548dbb9f

  • SHA1

    cf49d2b9aefbc9f7e60ffc046d93914990b21786

  • SHA256

    0cf570871de8511e21928c032baafb1309be3faba8124c0a99f96261dc749fe3

  • SHA512

    75c5aee133c87875b9d22b06fb49b2746d401508540107429af2755b9f5e9edba31c88bf4a2b9265b33cffc72d393dc972dbaf6ca5b4d371d3969b96fdb96a63

  • SSDEEP

    3072:MIXs68BY9oTwGNeFxEMDJCZoYzuNR9FkmuGYy:78XTUGNeFTCZoYyNRgmCy

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21c7481d44e9d15714818dc8548dbb9f.exe
    "C:\Users\Admin\AppData\Local\Temp\21c7481d44e9d15714818dc8548dbb9f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Drops startup file
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • System policy modification
    PID:1072

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1072-3-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB