Analysis

max time kernel: 38s
max time network: 28s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 20:10
Behavioral task: behavioral1
Sample: 3af1558bce50b6a2393dbf3aa23b6685.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 3af1558bce50b6a2393dbf3aa23b6685.exe
Resource: win10v2004-20231222-en
General

Target: 3af1558bce50b6a2393dbf3aa23b6685.exe
Size: 83KB
MD5: 3af1558bce50b6a2393dbf3aa23b6685
SHA1: 411ff922a2cb6162ae336c8104b72e500b5b709d
SHA256: ab70718453b398f9ec798d5150c51f0ccb91de22345388e00cd94a0ec42d9d95
SHA512: 53b2fd03e7a8f2fc3f7f9a30706f10ab7f7aacd446448290be25670353975a86284e52e410c093c3b88cc1557883ec3d50f222183a597af25f86fb062785427d
SSDEEP: 1536:0OgrF9Gj6Fz4EVCQbLs8yRGBl14FaYMswlL5n+XVFlxkBp6WJ1GsNJOfbFqD:0Jyjkwu6FaYMswbnmVTxkBp6WJUs7OFq
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 3af1558bce50b6a2393dbf3aa23b6685.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WinDir = "{bfbc1a78-cddd-1672-876e-324d6c4686e9}" | 3af1558bce50b6a2393dbf3aa23b6685.exe

Deletes itself (1 IoCs)
pid | Process
2600 | cmd.exe

Loads dropped DLL (1 IoCs)
pid | Process
2716 | 3af1558bce50b6a2393dbf3aa23b6685.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\NTboot.exe | 3af1558bce50b6a2393dbf3aa23b6685.exe
File opened for modification | C:\Windows\SysWOW64\NTboot.exe | 3af1558bce50b6a2393dbf3aa23b6685.exe
File created | C:\Windows\SysWOW64\NTboot32.dll | 3af1558bce50b6a2393dbf3aa23b6685.exe

Modifies registry class (6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9}\InProcServer32\ = "NTboot32.dll" | 3af1558bce50b6a2393dbf3aa23b6685.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9}\InProcServer32\ThreadingModel = "Apartment" | 3af1558bce50b6a2393dbf3aa23b6685.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9}\InProcServer32 | 3af1558bce50b6a2393dbf3aa23b6685.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 3af1558bce50b6a2393dbf3aa23b6685.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 3af1558bce50b6a2393dbf3aa23b6685.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9} | 3af1558bce50b6a2393dbf3aa23b6685.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2716 | 3af1558bce50b6a2393dbf3aa23b6685.exe (4 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2716 | 3af1558bce50b6a2393dbf3aa23b6685.exe
Token: SeIncBasePriorityPrivilege | 2716 | 3af1558bce50b6a2393dbf3aa23b6685.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 2716 wrote to memory of 2876 | 2716 | 3af1558bce50b6a2393dbf3aa23b6685.exe | 29 (6 identical entries)
PID 2716 wrote to memory of 2600 | 2716 | 3af1558bce50b6a2393dbf3aa23b6685.exe | 30 (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\3af1558bce50b6a2393dbf3aa23b6685.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3af1558bce50b6a2393dbf3aa23b6685.exe"
  PID: 2716
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    PID: 2876

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3AF155~1.EXE > nul
    PID: 2600
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 132KB
MD5: e4fe4485807c5c0d5324c33560e5b93d
SHA1: d2720527e9b65c221a0fe57ea30a5e4cd76aa1f7
SHA256: f189615c83e1a53a833105242ed30e257b8d7cb4fdcd3f9d31bbc3cc09b047bd
SHA512: 0e52e63d6195bbe7ef384bd43906b19da99e5d197b1b7d9c35190465bb9f957758f8c6e6ded7a9669ee9636cc9b6d38bc4217fa4df4c412c15ddd7499aa0e0d7