Analysis
- max time kernel: 119s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 01/01/2024, 03:35
Behavioral task
behavioral1
Sample
3bc834ab03c5c22969b41d8f0b5a6df3.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
3bc834ab03c5c22969b41d8f0b5a6df3.exe
Resource
win10v2004-20231215-en
General
- Target: 3bc834ab03c5c22969b41d8f0b5a6df3.exe
- Size: 25KB
- MD5: 3bc834ab03c5c22969b41d8f0b5a6df3
- SHA1: 2bcf95871637ec2c9425a6e796228e2a816b55b5
- SHA256: 2a4d4bd6ece66fb02ed93a3648f776a499c1066684982c7005dc0db89d4d66a9
- SHA512: 37d15adcb74a3b3b55c50e4f3a8ccfc01d205e722a3449f32561a89f580132b4f2954148162d06536ef54ad491312cf03287acd42be226824e57519b76ee43b2
- SSDEEP: 768:9Xr+c5rx86Lk4OC0W+adjB2m1OSTrksK3:96c5qEk4j0TadjKsK3
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral1/files/0x0007000000016d52-8.dat | acprotect
- Deletes itself (1 IoC)
  pid | Process
  2736 | cmd.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2260 | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
- yara_rule upx (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2260-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/files/0x0007000000016d52-8.dat | upx
  behavioral1/memory/2260-10-0x0000000010000000-0x000000001000F000-memory.dmp | upx
  behavioral1/memory/2260-11-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/2260-12-0x0000000010000000-0x000000001000F000-memory.dmp | upx
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\b1a18a3e.drv | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
  File opened for modification | C:\Windows\SysWOW64\A1A6BC2E.cfg | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
  File opened for modification | C:\Windows\SysWOW64\A1A6BC2E.dll | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (7 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32 | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8} | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32 | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32\ = "A1A6BC2E.dll" | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32\ThreadingModel = "Apartment" | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2260 | 3bc834ab03c5c22969b41d8f0b5a6df3.exe (3 identical entries)
- Suspicious behavior: LoadsDriver (3 IoCs)
  pid | Process
  468 | Process not Found (3 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2260 | 3bc834ab03c5c22969b41d8f0b5a6df3.exe (64 identical entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2260 | 3bc834ab03c5c22969b41d8f0b5a6df3.exe (2 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2260 | 3bc834ab03c5c22969b41d8f0b5a6df3.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2260 wrote to memory of 2736 | 2260 | 3bc834ab03c5c22969b41d8f0b5a6df3.exe | 28 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3bc834ab03c5c22969b41d8f0b5a6df3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bc834ab03c5c22969b41d8f0b5a6df3.exe"
  PID: 2260
  Signatures: Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3BC834~1.EXE >> NUL
    PID: 2736
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 215KB
  MD5: 3d851a1dc083afac267caf165e196567
  SHA1: 2f92f6c185ecc6149cae90f9444a91d8c0b55631
  SHA256: 577e166f8d778d8a88b88e0ea05d884ff82493ee209868bb1ba9b889b5e66167
  SHA512: b579885bf1680c823687f24b5018c5e3cf6c1388240e2858426b6acecb45720f95b79afb914768b8b4ca5f9a23c7a17cd1a6996fe229c2708991f3bbb53c99ed