Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 108s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01/01/2024, 09:59
Static task: static1
Behavioral task: behavioral1
Sample: 02db6c6dd0119ae4dd092c95269ef0fa.exe
Resource: win7-20231215-en
General
Target: 02db6c6dd0119ae4dd092c95269ef0fa.exe
Size: 104KB
MD5: 02db6c6dd0119ae4dd092c95269ef0fa
SHA1: 0c847bd4af6ef9eb9da384374fb70117be59150d
SHA256: 1e835832f440f1a949ff14547bfe943013f5211e3d5ad80632048554861d70ee
SHA512: b83eef9cd127287da84fc6682b2cf84a1e6961d961fc6b194150ccce15fbdf5dae273a584041d39ffbabb7a55a7e922e43e1be8e67c1dce782360fb31f9d966b
SSDEEP: 3072:lQ5faGko6CFrbJKARb0WQ9FSE1Fk8jwaaHw7Koj4rgdy:61afCF3IO0WmFR
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\yycueteg\\hfthotkw.exe" | svchost.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe

Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfthotkw.exe | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfthotkw.exe | svchost.exe

Executes dropped EXE 1 IoCs
pid | Process
2192 | ykocqvmdrodvxony.exe

Loads dropped DLL 4 IoCs
pid | Process
2076 | 02db6c6dd0119ae4dd092c95269ef0fa.exe (4 entries)

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\HftHotkw = "C:\\Users\\Admin\\AppData\\Local\\yycueteg\\hfthotkw.exe" | svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 54 IoCs
pid | Process
2764 | svchost.exe (54 entries)

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
480 | Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeSecurityPrivilege | 2076 | 02db6c6dd0119ae4dd092c95269ef0fa.exe
Token: SeDebugPrivilege | 2076 | 02db6c6dd0119ae4dd092c95269ef0fa.exe
Token: SeSecurityPrivilege | 2812 | svchost.exe
Token: SeSecurityPrivilege | 2764 | svchost.exe
Token: SeDebugPrivilege | 2764 | svchost.exe
Token: SeRestorePrivilege | 2764 | svchost.exe
Token: SeBackupPrivilege | 2764 | svchost.exe
(the remaining entries alternate Token: SeRestorePrivilege and Token: SeBackupPrivilege for 2764 svchost.exe, with the two entries below for 2192 in between)
Token: SeSecurityPrivilege | 2192 | ykocqvmdrodvxony.exe
Token: SeLoadDriverPrivilege | 2192 | ykocqvmdrodvxony.exe

Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 2076 wrote to memory of 2812 | 2076 | 02db6c6dd0119ae4dd092c95269ef0fa.exe | 15 (10 entries)
PID 2076 wrote to memory of 2764 | 2076 | 02db6c6dd0119ae4dd092c95269ef0fa.exe | 14 (10 entries)
PID 2076 wrote to memory of 2192 | 2076 | 02db6c6dd0119ae4dd092c95269ef0fa.exe | 30 (4 entries)
Processes
C:\Windows\SysWOW64\svchost.exe (command line: C:\Windows\system32\svchost.exe)
- Modifies WinLogon for persistence
- UAC bypass
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2764

C:\Windows\SysWOW64\svchost.exe (command line: C:\Windows\system32\svchost.exe)
- Suspicious use of AdjustPrivilegeToken
PID: 2812

C:\Users\Admin\AppData\Local\Temp\02db6c6dd0119ae4dd092c95269ef0fa.exe (command line: "C:\Users\Admin\AppData\Local\Temp\02db6c6dd0119ae4dd092c95269ef0fa.exe")
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2076
    C:\Users\Admin\AppData\Local\Temp\ykocqvmdrodvxony.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ykocqvmdrodvxony.exe"), child of PID 2076
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2192
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Downloads