Analysis
max time kernel
158s
max time network
159s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
31/12/2023, 03:49
Static task
static1
Behavioral task
behavioral1
Sample
26f18e04a196e2e85d8297086b338e30.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
26f18e04a196e2e85d8297086b338e30.exe
Resource
win10v2004-20231222-en
General
Target
26f18e04a196e2e85d8297086b338e30.exe
Size
288KB
MD5
26f18e04a196e2e85d8297086b338e30
SHA1
245e479278a7ca0356c9888e246f9e506739768b
SHA256
b136434e8995180965964fa8b46b50173b6a6f500c80fc5a2b548a008d749493
SHA512
ddde4d05a0b45249784af0aa68892a453b3f7cea46097ced149967702facc34047e6975f661a734a115b946f66b0705d929ecab64b3b4f690ba07660eaa6815c
SSDEEP
6144:xX8JXgMQUXu+9qjCTWeqKas8hiAHlkyvbhA5qLXtE8VZP6lnrlZdgpP:uGM7u+xWEAyeAGy8V168P
Malware Config
Signatures
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | 26f18e04a196e2e85d8297086b338e30.exe
Disables taskbar notifications via registry modification
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE 1 IoCs
pid | Process
756 | 2C4E.tmp
Loads dropped DLL 2 IoCs
pid | Process
2948 | 26f18e04a196e2e85d8297086b338e30.exe (2 identical entries)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral1/memory/2948-1-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2948-3-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2948-42-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/432-49-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2948-48-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2948-102-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/1572-212-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2948-225-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2948-329-0x0000000000400000-0x000000000046B000-memory.dmp | upx
behavioral1/memory/2948-334-0x0000000000400000-0x000000000046B000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\60E.exe = "C:\\Program Files (x86)\\LP\\7174\\60E.exe" | 26f18e04a196e2e85d8297086b338e30.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\LP\7174\60E.exe | 26f18e04a196e2e85d8297086b338e30.exe
File opened for modification | C:\Program Files (x86)\LP\7174\2C4E.tmp | 26f18e04a196e2e85d8297086b338e30.exe
File opened for modification | C:\Program Files (x86)\LP\7174\60E.exe | 26f18e04a196e2e85d8297086b338e30.exe
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
2948 | 26f18e04a196e2e85d8297086b338e30.exe (14 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2792 | explorer.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid | Process
Token: SeRestorePrivilege | 2580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2580 | msiexec.exe
Token: SeSecurityPrivilege | 2580 | msiexec.exe
Token: SeShutdownPrivilege | 2792 | explorer.exe (12 identical entries)
Suspicious use of FindShellTrayWindow 29 IoCs
pid | Process
2792 | explorer.exe (29 identical entries)
Suspicious use of SendNotifyMessage 23 IoCs
pid | Process
2792 | explorer.exe (23 identical entries)
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2948 wrote to memory of 432 | 2948 | 26f18e04a196e2e85d8297086b338e30.exe | 31 (4 identical entries)
PID 2948 wrote to memory of 1572 | 2948 | 26f18e04a196e2e85d8297086b338e30.exe | 35 (4 identical entries)
PID 2948 wrote to memory of 756 | 2948 | 26f18e04a196e2e85d8297086b338e30.exe | 36 (4 identical entries)
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 26f18e04a196e2e85d8297086b338e30.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | 26f18e04a196e2e85d8297086b338e30.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2948
    C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe startC:\Users\Admin\AppData\Roaming\41708\E5071.exe%C:\Users\Admin\AppData\Roaming\41708
      PID:432
    C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\26f18e04a196e2e85d8297086b338e30.exe startC:\Program Files (x86)\08E64\lvvm.exe%C:\Program Files (x86)\08E64
      PID:1572
    C:\Program Files (x86)\LP\7174\2C4E.tmp
      Command line: "C:\Program Files (x86)\LP\7174\2C4E.tmp"
      - Executes dropped EXE
      PID:756
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
C:\Windows\explorer.exe
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2792
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Create or Modify System Process 1
Windows Service 1
Downloads
Filesize
95KB
MD5
317d18bbaa3e87436cfb31d41048fc32
SHA1
fe5b525d724089e00af06e26145aaa3eec45b8a8
SHA256
8a0296fe3e827f00688e463022975f7cb7dbaa9b1978ee68f6282a2de279c1c3
SHA512
e007f02cb8ff8f3a4b42452cd8fd53007e3f42cf97f5835b2497b822b5557394d140a7e655263f0a3c2a69665b6ef0cd19990d88d123c479f23b733aff98b7af

Filesize
1KB
MD5
f14db577d78839155185a2b5ffeeab0c
SHA1
a54df2919960c5f245692a1613c2e264c33d55fb
SHA256
7e50d2cd98be62112e5b423fac43766f73959cabb3576fa257348d79008faa75
SHA512
c5c8eab989f31fddab4896aedfe86dde0942e3c2fdc90f167945eb7d24ccdc43809580a627772eb1ec430ebca1af2555fc0c5a4f0bfcdb78de4a88a72a3488f4

Filesize
600B
MD5
2eba2819ae33da19179fbd4e8c163c71
SHA1
4e884bf0876c3f33e6e35bb825c535fd0ac5d731
SHA256
cca2634cb494e264dcf1ecea90fec2ddf50c3c2d396fe1f195222301133daf43
SHA512
dec49f9d41c69d6471b3b7b0944ce8ec5ca93cbcf2cbab69c069268df4857c2bc2be3d768e3d90aa63ddaadc64d5c13fff1f310758236b897c1683dfa056feb1

Filesize
300B
MD5
7a5bbeb0323e02b068ffd8ae35c6c6cf
SHA1
19bc88ea2d9334587a6acd2a8b3d128e56a843c0
SHA256
788952f323183e72e7e642bab203668081bb5e45c16b8e967adc83c424ff312e
SHA512
ef422ebe9ba9ac594e42dabecb5473aead8153d535658203372ca9f0044cf6ccd3a8717f71f3f500128261a4f0e1934ffa4862c019d70abe38fe9fc44597a48e

Filesize
102KB
MD5
3dd4e5cd0cb32f735268a740c647065a
SHA1
5e88431137152bf76f61d06b1c2086ecd5082a76
SHA256
a1cb303db454c3faa73fa6705c9a7ce126110615879047fbd579d2c813fba535
SHA512
37463297b6e127dc2689f2b998b14042189baa26727ab1770fc482035b09df2cd3f349fb11038fabde84d0b4a5a07bfc6b5c619001ddc70c9c37c0aa87b3fe04