Analysis
max time kernel: 0s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 05/01/2024, 13:19
Behavioral task: behavioral1
  Sample: 43c890dd552a388b19fa9878f6f40600.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 43c890dd552a388b19fa9878f6f40600.exe
  Resource: win10v2004-20231222-en
General
Target: 43c890dd552a388b19fa9878f6f40600.exe
Size: 123KB
MD5: 43c890dd552a388b19fa9878f6f40600
SHA1: 7c9eedaa64c1de8b80767c0146dcdcfd85706203
SHA256: 39a867c9577b630dba0faeacecefab805c5f0900c4bfd948c09b2abeca337b37
SHA512: 905cc8a8170d3ee6b0b12c178c0cb34888962eb8fc1f03d8c83d520d4b264273dd92716ab8802c84617aac31355a0b329c58e2a16ecd10893c3a845e6b5ca93c
SSDEEP: 3072:OeSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLLUnz0:OVYrJrOSsRwcpCI
Malware Config
Signatures
Manipulates Digital Signatures (1 TTPs, 2 IoCs)
Attackers can modify the Authenticode and Cryptography registry keys (trust database and trusted publisher store) so that their binary is treated as validly signed.
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo jimddp = "electronic-group" | iaccess32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 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 | regedit.exe
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects a file protected with the ACProtect packer.
  resource | yara_rule
  behavioral1/files/0x00060000000142bc-31.dat | acprotect
  behavioral1/files/0x00060000000142bc-30.dat | acprotect
Executes dropped EXE (1 IoCs)
  pid | Process
  1444 | iaccess32.exe
Loads dropped DLL (1 IoCs)
  pid | Process
  2276 | regsvr32.exe
  resource | yara_rule
  behavioral1/memory/1444-9-0x0000000000400000-0x000000000042E000-memory.dmp | upx
  behavioral1/files/0x00070000000141f1-51.dat | upx
  behavioral1/files/0x00070000000141f1-43.dat | upx
  behavioral1/memory/2276-32-0x0000000010000000-0x0000000010047000-memory.dmp | upx
  behavioral1/files/0x00060000000142bc-31.dat | upx
  behavioral1/files/0x00060000000142bc-30.dat | upx
  behavioral1/files/0x000a0000000126af-11.dat | upx
  behavioral1/files/0x000a0000000126af-8.dat | upx
  behavioral1/memory/2948-7-0x0000000000400000-0x000000000042E000-memory.dmp | upx
  behavioral1/files/0x000a0000000126af-6.dat | upx
  behavioral1/memory/2948-3-0x00000000002A0000-0x00000000002CE000-memory.dmp | upx
  behavioral1/memory/2948-0-0x0000000000400000-0x000000000042E000-memory.dmp | upx
  behavioral1/memory/1444-86-0x0000000000400000-0x000000000042E000-memory.dmp | upx
Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\egaccess4_1071.dll | iaccess32.exe
Drops file in Program Files directory (10 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e_2_3.gif | iaccess32.exe
  File opened for modification | C:\Program Files (x86)\Instant Access\Multi\20100713110702\dialerexe.ini | iaccess32.exe
  File created | C:\Program Files (x86)\Instant Access\Multi\20100713110702\instant access.exe | iaccess32.exe
  File created | C:\Program Files (x86)\Instant Access\Multi\20100713110702\Common\module.php | iaccess32.exe
  File created | C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e_logo_2.gif | iaccess32.exe
  File created | C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e_1_3.gif | iaccess32.exe
  File created | C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e_go_3.gif | iaccess32.exe
  File created | C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e_3_3.gif | iaccess32.exe
  File created | C:\Program Files (x86)\Instant Access\Multi\20100713110702\medias\p2e.ico | iaccess32.exe
  File created | C:\Program Files (x86)\Instant Access\Multi\20100713110702\dialerexe.ini | iaccess32.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\egdhtm_pack.epk | iaccess32.exe
  File created | C:\Windows\iaccess32.exe | 43c890dd552a388b19fa9878f6f40600.exe
  File created | C:\Windows\tmlpcert2007 | iaccess32.exe
  File created | C:\Windows\dialexe.zl | iaccess32.exe
  File created | C:\Windows\dialexe.epk | iaccess32.exe
  File created | C:\Windows\dialerexe.ini | iaccess32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Runs regedit.exe (1 IoCs)
  pid | Process
  2872 | regedit.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  2948 | 43c890dd552a388b19fa9878f6f40600.exe
  1444 | iaccess32.exe (5 occurrences)
Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 2948 wrote to memory of 1444 | 2948 | 43c890dd552a388b19fa9878f6f40600.exe | 19 (4 occurrences)
  PID 1444 wrote to memory of 2872 | 1444 | iaccess32.exe | 16 (4 occurrences)
  PID 1444 wrote to memory of 2276 | 1444 | iaccess32.exe | 17 (7 occurrences)
Processes
C:\Windows\SysWOW64\regedit.exe
  Command line: "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
  PID: 2872
  - Manipulates Digital Signatures
  - Runs regedit.exe
C:\Windows\SysWOW64\regsvr32.exe
  Command line: regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
  PID: 2276
  - Loads dropped DLL
  - Modifies registry class
C:\Windows\iaccess32.exe
  Command line: C:\Windows\iaccess32.exe
  PID: 1444
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\43c890dd552a388b19fa9878f6f40600.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\43c890dd552a388b19fa9878f6f40600.exe"
  PID: 2948
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads