Analysis
max time kernel: 146s
max time network: 148s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 01/01/2024, 17:46
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20231215-en
7 signatures
150 seconds
General
Target: file.exe
Size: 80KB
MD5: 8d9e7695b942e570f84564345d736762
SHA1: e16022d7b4a5051c4bff6f8f23cf29ab0811c845
SHA256: b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462
SHA512: 4031d726322cbb14ae84e60591d9c493495cf54e0028c86b3e1789b9885fce1fa577a47a5a1b5ca311b78e8b405f0d0149e44317d5e414d3e3e91d21dcf5f25f
SSDEEP: 1536:P3Mz85SRJP1sW7jeWkfp52S2QyS9QafFFUheeeeeeeeWeeeee:kw5gPiOjeDxb2QyS9QafFF
Score: 10/10
Malware Config

Signatures

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | syspolrvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syspolrvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syspolrvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syspolrvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syspolrvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syspolrvcs.exe

Executes dropped EXE 3 IoCs
pid | Process
1592 | syspolrvcs.exe
2756 | 290462860.exe
2152 | 2434528534.exe

Loads dropped DLL 2 IoCs
pid | Process
1592 | syspolrvcs.exe
1592 | syspolrvcs.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syspolrvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | syspolrvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syspolrvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | syspolrvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syspolrvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syspolrvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syspolrvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syspolrvcs.exe" | file.exe

Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\syspolrvcs.exe | file.exe
File opened for modification | C:\Windows\syspolrvcs.exe | file.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1956 wrote to memory of 1592 | 1956 | file.exe | 28
PID 1956 wrote to memory of 1592 | 1956 | file.exe | 28
PID 1956 wrote to memory of 1592 | 1956 | file.exe | 28
PID 1956 wrote to memory of 1592 | 1956 | file.exe | 28
PID 1592 wrote to memory of 2756 | 1592 | syspolrvcs.exe | 31
PID 1592 wrote to memory of 2756 | 1592 | syspolrvcs.exe | 31
PID 1592 wrote to memory of 2756 | 1592 | syspolrvcs.exe | 31
PID 1592 wrote to memory of 2756 | 1592 | syspolrvcs.exe | 31
PID 1592 wrote to memory of 2152 | 1592 | syspolrvcs.exe | 32
PID 1592 wrote to memory of 2152 | 1592 | syspolrvcs.exe | 32
PID 1592 wrote to memory of 2152 | 1592 | syspolrvcs.exe | 32
PID 1592 wrote to memory of 2152 | 1592 | syspolrvcs.exe | 32
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe (command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"), PID 1956
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\syspolrvcs.exe (command line: C:\Windows\syspolrvcs.exe), PID 1592
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\290462860.exe (command line: C:\Users\Admin\AppData\Local\Temp\290462860.exe), PID 2756
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\2434528534.exe (command line: C:\Users\Admin\AppData\Local\Temp\2434528534.exe), PID 2152
      - Executes dropped EXE