Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
06/01/2024, 06:05
Behavioral task
behavioral1
Sample
457a65722799fac6bba11e515c45ed05.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
457a65722799fac6bba11e515c45ed05.exe
Resource
win10v2004-20231222-en
General
-
Target
457a65722799fac6bba11e515c45ed05.exe
-
Size
123KB
-
MD5
457a65722799fac6bba11e515c45ed05
-
SHA1
c3f356bd9a0840b430357959a204412fe0ec6117
-
SHA256
6d07f838f68e3fd0958319878ca69a0648acd010b011e9672e92e75a44d2e9b8
-
SHA512
7c5ab9d4297aa4627620fc10450b55edde526fb2e5e03be6247cf33782b1a3b3137ad0eca211c762acbd639b52b88caf4c9d59ff594a2ba8aa28ce5544454463
-
SSDEEP
3072:OeSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLLw:OVYrJrOSsRwcpy
Malware Config
Signatures
-
Manipulates Digital Signatures 1 TTPs 2 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo jimddp = "electronic-group" iaccess32.exe Set value (data) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c regedit.exe -
Executes dropped EXE 1 IoCs
pid Process 1816 iaccess32.exe -
Loads dropped DLL 3 IoCs
pid Process 2780 regsvr32.exe 1816 iaccess32.exe 1816 iaccess32.exe -
resource yara_rule behavioral1/memory/2664-7-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-9-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/2664-6-0x0000000001D10000-0x0000000001D3E000-memory.dmp upx behavioral1/files/0x000c00000001225c-5.dat upx behavioral1/memory/2664-0-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-77-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-78-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-79-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-81-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-82-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-83-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-85-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-86-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-87-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-88-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-89-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-90-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-91-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-92-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/1816-93-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\egaccess4_1071.dll iaccess32.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk iaccess32.exe File opened for modification C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk iaccess32.exe File created C:\Program Files (x86)\Instant Access\Multi\20100714090735\Common\module.php iaccess32.exe File created C:\Program Files (x86)\Instant Access\Multi\20100714090735\medias\p2e_1_3.gif iaccess32.exe File created C:\Program Files (x86)\Instant Access\Multi\20100714090735\medias\p2e_3_3.gif iaccess32.exe File created C:\Program Files (x86)\Instant Access\Multi\20100714090735\instant access.exe iaccess32.exe File created C:\Program Files (x86)\Instant Access\Multi\20100714090735\medias\p2e.ico iaccess32.exe File opened for modification C:\Program Files (x86)\Instant Access\Multi\20100714090735\dialerexe.ini iaccess32.exe File created C:\Program Files (x86)\Instant Access\Multi\20100714090735\medias\p2e_logo_2.gif iaccess32.exe File created C:\Program Files (x86)\Instant Access\Multi\20100714090735\medias\p2e_2_3.gif iaccess32.exe File created C:\Program Files (x86)\Instant Access\Multi\20100714090735\medias\p2e_go_3.gif iaccess32.exe File created C:\Program Files (x86)\Instant Access\Multi\20100714090735\dialerexe.ini iaccess32.exe File created C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk iaccess32.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\dialexe.zl iaccess32.exe File created C:\Windows\dialexe.epk iaccess32.exe File created C:\Windows\dialerexe.ini iaccess32.exe File created C:\Windows\egdhtm_pack.epk iaccess32.exe File created C:\Windows\iaccess32.exe 457a65722799fac6bba11e515c45ed05.exe File created C:\Windows\tmlpcert2007 iaccess32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main iaccess32.exe Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iaccess32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iaccess32.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe -
Runs regedit.exe 1 IoCs
pid Process 2000 regedit.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2664 457a65722799fac6bba11e515c45ed05.exe 1816 iaccess32.exe 1816 iaccess32.exe 1816 iaccess32.exe 1816 iaccess32.exe 1816 iaccess32.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2664 wrote to memory of 1816 2664 457a65722799fac6bba11e515c45ed05.exe 19 PID 2664 wrote to memory of 1816 2664 457a65722799fac6bba11e515c45ed05.exe 19 PID 2664 wrote to memory of 1816 2664 457a65722799fac6bba11e515c45ed05.exe 19 PID 2664 wrote to memory of 1816 2664 457a65722799fac6bba11e515c45ed05.exe 19 PID 1816 wrote to memory of 2000 1816 iaccess32.exe 17 PID 1816 wrote to memory of 2000 1816 iaccess32.exe 17 PID 1816 wrote to memory of 2000 1816 iaccess32.exe 17 PID 1816 wrote to memory of 2000 1816 iaccess32.exe 17 PID 1816 wrote to memory of 2780 1816 iaccess32.exe 16 PID 1816 wrote to memory of 2780 1816 iaccess32.exe 16 PID 1816 wrote to memory of 2780 1816 iaccess32.exe 16 PID 1816 wrote to memory of 2780 1816 iaccess32.exe 16 PID 1816 wrote to memory of 2780 1816 iaccess32.exe 16 PID 1816 wrote to memory of 2780 1816 iaccess32.exe 16 PID 1816 wrote to memory of 2780 1816 iaccess32.exe 16
Processes
-
C:\Users\Admin\AppData\Local\Temp\457a65722799fac6bba11e515c45ed05.exe"C:\Users\Admin\AppData\Local\Temp\457a65722799fac6bba11e515c45ed05.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\iaccess32.exeC:\Windows\iaccess32.exe2⤵
- Manipulates Digital Signatures
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"1⤵
- Loads dropped DLL
- Modifies registry class
PID:2780
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert20071⤵
- Manipulates Digital Signatures
- Runs regedit.exe
PID:2000
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD582d83d4e6dfcf2608cad8e98f94f8c52
SHA1a7eb8b5a73502c3caa521206699dd2ad57599d45
SHA25680211392d91228323fb4cdfe384708629ac2a1c3e80760cb99b4115a9aa61fc5
SHA5121c83e4dd92c0297e9372d7d750a64c3a486ecb0297ae0318c6cdb4da71db953e4180da3837768314c7c36cf2407c031f953ce09a62bff2ca0985fec9d8e88aa4