Analysis
- max time kernel: 65s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 04/01/2024, 11:42
Static task: static1
Behavioral task: behavioral1
- Sample: 40c4b11105db1386e30bc870183a6499.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 40c4b11105db1386e30bc870183a6499.exe
- Resource: win10v2004-20231215-en
General
- Target: 40c4b11105db1386e30bc870183a6499.exe
- Size: 354KB
- MD5: 40c4b11105db1386e30bc870183a6499
- SHA1: c91b01612d0a67a9200a6f0780d554a5c1e321fd
- SHA256: ec93dd2c8432d31d3be69a3538a20fd344090246dd7289a2db829d9048ce9b5e
- SHA512: 70fb8f93c6c48cd890990ccb3a8ae85851ba44e94c294cf4aa1760bcdc20daae3e77ad381fbb699e1eb473223643d518f0c47a8955d9f1d700ace5128a575c59
- SSDEEP: 6144:I2pRrUqddTQZokHv1rQJvnRIAYjY35AiZkpoks5UF1Sf5jGPW2LdMgDbq6nk1/3i:IqUudBkP1UJZIIJpkDrF1SoP/dTBk1/3
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\899c4414\\X"
  Process: Explorer.EXE
- Deletes itself (1 IoCs)
  pid 1100, Process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 336, Process csrss.exe
  pid 2736, Process X
- Loads dropped DLL (2 IoCs)
  pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe
  pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2436 set thread context of 1100; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 31
- Modifies registry class (3 IoCs)
  Key created: \registry\machine\Software\Classes\Interface\{c96b3a43-c658-568e-e4a7-36c2600cc942} (Process 40c4b11105db1386e30bc870183a6499.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c96b3a43-c658-568e-e4a7-36c2600cc942}\u = "73" (Process 40c4b11105db1386e30bc870183a6499.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c96b3a43-c658-568e-e4a7-36c2600cc942}\cid = "7465635361227439653" (Process 40c4b11105db1386e30bc870183a6499.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe
  pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe
  pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe
  pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe
  pid 2736, Process X
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe
  Token: SeDebugPrivilege; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1272, Process Explorer.EXE
  pid 1272, Process Explorer.EXE
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1272, Process Explorer.EXE
  pid 1272, Process Explorer.EXE
- Suspicious use of UnmapMainImage (1 IoCs)
  pid 336, Process csrss.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 2436 wrote to memory of 1272; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 16
  PID 2436 wrote to memory of 336; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 1
  PID 336 wrote to memory of 2716; pid 336, Process csrss.exe, procid_target 28
  PID 336 wrote to memory of 2716; pid 336, Process csrss.exe, procid_target 28
  PID 336 wrote to memory of 2680; pid 336, Process csrss.exe, procid_target 29
  PID 336 wrote to memory of 2680; pid 336, Process csrss.exe, procid_target 29
  PID 2436 wrote to memory of 2736; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 30
  PID 2436 wrote to memory of 2736; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 30
  PID 2436 wrote to memory of 2736; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 30
  PID 2436 wrote to memory of 2736; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 30
  PID 2736 wrote to memory of 1272; pid 2736, Process X, procid_target 16
  PID 2436 wrote to memory of 1100; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 31
  PID 2436 wrote to memory of 1100; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 31
  PID 2436 wrote to memory of 1100; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 31
  PID 2436 wrote to memory of 1100; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 31
  PID 2436 wrote to memory of 1100; pid 2436, Process 40c4b11105db1386e30bc870183a6499.exe, procid_target 31
Processes
- C:\Windows\system32\csrss.exe (PID 336)
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
- C:\Windows\Explorer.EXE (PID 1272)
  command line: C:\Windows\Explorer.EXE
  - Modifies WinLogon for persistence
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\40c4b11105db1386e30bc870183a6499.exe (PID 2436)
    command line: "C:\Users\Admin\AppData\Local\Temp\40c4b11105db1386e30bc870183a6499.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\899c4414\X (PID 2736)
      command line: 176.53.17.23:80
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1100)
      command line: "C:\Windows\system32\cmd.exe"
      - Deletes itself
- C:\Windows\system32\wbem\WMIADAP.EXE (PID 2716)
  command line: wmiadap.exe /F /T /R
- C:\Windows\system32\wbem\wmiprvse.exe (PID 2680)
  command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 07b881dd4b7648b78671e15221d5f4a3
  SHA1: d27183d32a5e18b6580af5922c2217dd31280a6b
  SHA256: d0a323c0edf7a82cb13089ecc3f5e8d30c4506da23df340f28845e841f29e5fc
  SHA512: 99c368f6b7f05f023309dc9a2c5fbdd5ded2e9b87b41e89386a0c5b6c80145f61585605e42602c1c4a23c9847562f55f17ae8f7cdde7a019345b6595b227c403
- Filesize: 41KB
  MD5: 686b479b0ee164cf1744a8be359ebb7d
  SHA1: 8615e8f967276a85110b198d575982a958581a07
  SHA256: fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b
  SHA512: 7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64
- Filesize: 31KB
  MD5: dafc4a53954b76c5db1d857e955f3805
  SHA1: a18fa0d38c6656b4398953e77e87eec3b0209ef3
  SHA256: c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b
  SHA512: 745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633
- Filesize: 2KB
  MD5: 17d0965c79a3343117c6fbee55f41896
  SHA1: 4b52d08815f293e2bab458b494ce8819943677b5
  SHA256: f5f63222ae7af6e011aa450283bd389943acf33cce14a0536e8d7ce0d8ebc0a6
  SHA512: 412ab8d83aa9ff26638cfa69d3d09a88f6f1e9f5ac2d5465e49ffd15db2592231f2913d4b6d3c1ed22bb72f6325a92a5afb74154a51553d23467825763ec5ea1