Analysis
max time kernel: 150s
max time network: 134s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 06/01/2024, 22:48
Behavioral task behavioral1
  Sample: 475e87bb7b1047b1a965552d3a8781a7.exe
  Resource: win7-20231215-en
Behavioral task behavioral2
  Sample: 475e87bb7b1047b1a965552d3a8781a7.exe
  Resource: win10v2004-20231222-en
General
Target: 475e87bb7b1047b1a965552d3a8781a7.exe
Size: 227KB
MD5: 475e87bb7b1047b1a965552d3a8781a7
SHA1: 4f5c49574e7a25b764790e42c7904536a3eb512b
SHA256: e68deba0d2497a138ce521312732925a031593f9af08d518b20eb794a6f8ecac
SHA512: fd49b21902d3b6e2a9cc690243663738ceac65095aaab59580e15bbd928e1c2c189bee83b8b4876090fdf1a2dbbe9a91a143fb9c56c4e04f5cd6a78d20fdad76
SSDEEP: 3072:MbQi390ezV3Q7RcaDryukKLeC1TkGNmCjxqX/fI/x0s29ygBqQkmDRK:MR39JsXryukHCRXmCjxqX3LZBOE
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid | Process
  2716 | Mfequa.exe

YARA rule matches
  resource | yara_rule
  behavioral1/memory/2672-0-0x0000000000400000-0x000000000043B000-memory.dmp | upx
  behavioral1/files/0x00070000000146c1-8.dat | upx
  behavioral1/memory/2716-9-0x0000000000400000-0x000000000043B000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\2SPI9KEA4C = "C:\\Windows\\Mfequa.exe" | Mfequa.exe

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\Mfequa.exe | 475e87bb7b1047b1a965552d3a8781a7.exe
  File opened for modification | C:\Windows\Mfequa.exe | 475e87bb7b1047b1a965552d3a8781a7.exe
  File created | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | 475e87bb7b1047b1a965552d3a8781a7.exe
  File opened for modification | C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job | 475e87bb7b1047b1a965552d3a8781a7.exe

Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main | Mfequa.exe
  Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\International | Mfequa.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2716 | Mfequa.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2672 | 475e87bb7b1047b1a965552d3a8781a7.exe
  2716 | Mfequa.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2672 wrote to memory of 2716 | 2672 | 475e87bb7b1047b1a965552d3a8781a7.exe | 28
  PID 2672 wrote to memory of 2716 | 2672 | 475e87bb7b1047b1a965552d3a8781a7.exe | 28
  PID 2672 wrote to memory of 2716 | 2672 | 475e87bb7b1047b1a965552d3a8781a7.exe | 28
  PID 2672 wrote to memory of 2716 | 2672 | 475e87bb7b1047b1a965552d3a8781a7.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\475e87bb7b1047b1a965552d3a8781a7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\475e87bb7b1047b1a965552d3a8781a7.exe"
   PID: 2672
   - Drops file in Windows directory
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Mfequa.exe (child of PID 2672)
      Command line: C:\Windows\Mfequa.exe
      PID: 2716
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 227KB
  MD5: 475e87bb7b1047b1a965552d3a8781a7
  SHA1: 4f5c49574e7a25b764790e42c7904536a3eb512b
  SHA256: e68deba0d2497a138ce521312732925a031593f9af08d518b20eb794a6f8ecac
  SHA512: fd49b21902d3b6e2a9cc690243663738ceac65095aaab59580e15bbd928e1c2c189bee83b8b4876090fdf1a2dbbe9a91a143fb9c56c4e04f5cd6a78d20fdad76
File 2
  Filesize: 344B
  MD5: cf121aebdb372752f50fe482d8f85d86
  SHA1: 58998e5e48b249bc8ca3879a29bbc9ed8a199b6a
  SHA256: 35e967cd24702d08d571210f00b8f13012b01feac6978cfa61e48a17d8e2d904
  SHA512: 2fb1f21f32a97f19ed6cf580aa048e0201c40ee83e4dfa6e5d0736cae85137668026bebf549d5600543ebf699da29ad6963b1af806d4ca51f4885b7a987516f0