Analysis
  max time kernel:  230s
  max time network: 140s
  platform:         windows7_x64
  resource:         win7-20231215-en
  resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:        31/12/2023, 01:56
Behavioral tasks
  behavioral1: sample 238df395c33b4b139cdfcd48a871b759.exe, resource win7-20231215-en
  behavioral2: sample 238df395c33b4b139cdfcd48a871b759.exe, resource win10v2004-20231222-en
General
  Target: 238df395c33b4b139cdfcd48a871b759.exe
  Size:   911KB
  MD5:    238df395c33b4b139cdfcd48a871b759
  SHA1:   b83cb7d627cdcf46a6ed89f68644ef5f2d9ed20f
  SHA256: 97e81fe572b0b43a79a678e04d1ec5f1c11243087e73708d0a1486eb3cc657ff
  SHA512: be3654267d03d6f822497b52e34f3e77bd508d797d7184541528ae893f6784ffa754f040b1cfb46db79a1a9c43e097ca2228d6c180d189886aecc9aede65a8b4
  SSDEEP: 12288:d8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1r/f:uUKoN0bUxgGa/pfBHDb+y1L
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
    description     | ioc | Process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 238df395c33b4b139cdfcd48a871b759.exe

- Executes dropped EXE (1 IoC)
    pid | Process
    660 | msdcsc.exe

- Loads dropped DLL (2 IoCs)
    pid  | Process
    2544 | 238df395c33b4b139cdfcd48a871b759.exe
    2544 | 238df395c33b4b139cdfcd48a871b759.exe

- yara_rule matches: upx (6 resources)
    resource                                                                     | yara_rule
    behavioral1/memory/2544-0-0x0000000000400000-0x00000000004E5000-memory.dmp  | upx
    behavioral1/memory/2544-1-0x0000000000400000-0x00000000004E5000-memory.dmp  | upx
    behavioral1/files/0x001000000000b1f5-9.dat                                   | upx
    behavioral1/memory/660-13-0x0000000000400000-0x00000000004E5000-memory.dmp  | upx
    behavioral1/memory/2544-14-0x0000000000400000-0x00000000004E5000-memory.dmp | upx
    behavioral1/memory/660-18-0x0000000000400000-0x00000000004E5000-memory.dmp  | upx

- Adds Run key to start application (2 TTPs, 1 IoC)
    description     | ioc | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 238df395c33b4b139cdfcd48a871b759.exe

- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (46 IoCs)
    Both processes enable the same 23 token privileges, in the same order:
    pid  | Process                              | Tokens
    2544 | 238df395c33b4b139cdfcd48a871b759.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
    660  | msdcsc.exe                           | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

- Suspicious use of SetWindowsHookEx (1 IoC)
    pid | Process
    660 | msdcsc.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
    Each of the three rows below is recorded four times in the report:
    description                     | pid  | Process                              | procid_target
    PID 2544 wrote to memory of 660  | 2544 | 238df395c33b4b139cdfcd48a871b759.exe | 27
    PID 660 wrote to memory of 1136  | 660  | msdcsc.exe                           | 28
    PID 660 wrote to memory of 2172  | 660  | msdcsc.exe                           | 29
Processes
  1. C:\Users\Admin\AppData\Local\Temp\238df395c33b4b139cdfcd48a871b759.exe (PID 2544)
     command line: "C:\Users\Admin\AppData\Local\Temp\238df395c33b4b139cdfcd48a871b759.exe"
     - Modifies WinLogon for persistence
     - Loads dropped DLL
     - Adds Run key to start application
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 660)
        command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        3. C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 1136)
           command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3. C:\Windows\explorer.exe (PID 2172)
           command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Enterprise v15