Analysis
max time kernel: 161s
max time network: 176s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 18:55
Static task: static1
Behavioral task: behavioral1
  Sample: 3acb995c9f962f1004397bcbd3fa55dc.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 3acb995c9f962f1004397bcbd3fa55dc.exe
  Resource: win10v2004-20231215-en
General
Target: 3acb995c9f962f1004397bcbd3fa55dc.exe
Size: 260KB
MD5: 3acb995c9f962f1004397bcbd3fa55dc
SHA1: 8239187c47d046fbd4b76896e78b304624cf2b0c
SHA256: 30d5e95f20ff0a384bcbe980cff2cac965301555c50bffb18e37f770957f950c
SHA512: cb32938148716617e8c2b658200799434766d42c68b3aaa35e209f6a47e67bff8fd96661488091b56bdf281e8439fa79e591176dbecb0e0617e5fc4b8c394b2d
SSDEEP: 3072:JgfAlNgvh25n/kZoSUjMqXnpWAkpAmTSrMaIOYt/jo7LAtPhjjtZnfHFEoWBfGVK:JdFgTSrMaIl/jcLijfHFEHWzXvjT85R
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yaaob.exe
Executes dropped EXE (1 IoC)
pid Process
2836 yaaob.exe
Loads dropped DLL (2 IoCs)
pid Process
1264 3acb995c9f962f1004397bcbd3fa55dc.exe
1264 3acb995c9f962f1004397bcbd3fa55dc.exe
Adds Run key to start application (2 TTPs, 49 IoCs)
description ioc Process
All 49 entries are writes by yaaob.exe to the same Run value and differ only in the command-line switch:
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\yaaob = "C:\\Users\\Admin\\yaaob.exe /<switch>" yaaob.exe
Switches, in the order recorded: /f /u /p /d /Q /a /G /v /o /i /w /x /C /e /F /I /Z /k /V /T /g /Y /P /c /R /n /l /E /J /m /O /r /D /h /W /z /H /q /N /B /S /s /K /A /L /b /t /y /M
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process
2836 yaaob.exe (the same entry is recorded 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid Process
1264 3acb995c9f962f1004397bcbd3fa55dc.exe
2836 yaaob.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description pid Process procid_target
PID 1264 wrote to memory of 2836 1264 3acb995c9f962f1004397bcbd3fa55dc.exe 30 (the same entry is recorded 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3acb995c9f962f1004397bcbd3fa55dc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3acb995c9f962f1004397bcbd3fa55dc.exe"
   PID: 1264
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\yaaob.exe
      Command line: "C:\Users\Admin\yaaob.exe"
      PID: 2836
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 260KB
MD5: dcc938bf6eab01148c1678846a54b05b
SHA1: f62db3bb3c4d349264d3f949459e3b2a76e73006
SHA256: bc66bd8123fd908847a93f194bdda5f7877c46683bfb662bc2eca7c916b00577
SHA512: 6c2682148b07fcaf5cc58097cf8df07acf6044f1bc79691a85a12be6fdd32b157e962686abb522faa5b28fbbc05abe7411a3ff6b52743459bd8c5e685188c54e