Analysis
- max time kernel: 26s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 06/01/2024, 12:08
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 46315b54912739075d98433897e86ecd.exe
  - Resource: win7-20231215-en

Behavioral task
- behavioral2
  - Sample: 46315b54912739075d98433897e86ecd.exe
  - Resource: win10v2004-20231215-en
General
- Target: 46315b54912739075d98433897e86ecd.exe
- Size: 367KB
- MD5: 46315b54912739075d98433897e86ecd
- SHA1: 34d12821cca2589b80d9b5d2c235375563b1b6a0
- SHA256: a55b2334334dd206aceea6719cf7ec3bac9b325d84f0607e65f4a3f88b57161e
- SHA512: db233bd3bcb55f9504fec776da6df83bac98f6915133ce3dc62aa29de313b9c247dfdbd1164f435ecce337357402e2fc9b05250e7d3f86f316047742ebc51eef
- SSDEEP: 6144:R/kFr0H89gBk+0AS7qHcrymVwAiO2QVmJYtXbwp0UsaIJT+vybUxGknqwwc2j:R/kpj9wen7q8rzRVmetXbw6UsZWybcn2
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid | Process
  2828 | winupgrade.exe

- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\ime\winupgrade.exe | 46315b54912739075d98433897e86ecd.exe
  File opened for modification | C:\Windows\ime\winupgrade.exe | 46315b54912739075d98433897e86ecd.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Enable Browser Extensions = "no" | winupgrade.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "no" | winupgrade.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no" | winupgrade.exe
  Key created | \REGISTRY\USER\.DEFAULT\SoftWare\Microsoft\Internet Explorer\New Windows | winupgrade.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\New Windows\PopupMgr = "no" | winupgrade.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | winupgrade.exe
- Modifies registry class (34 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "open" | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\ = "open" | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\ = "open" | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\open\command | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046} | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\"" | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32 | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\"" | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\ = "open" | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\ = "open" | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\open | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\"" | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\"" | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\file | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\ = "open" | winupgrade.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\command | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\"" | winupgrade.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\file\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" \"%1\"" | winupgrade.exe
- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2088 | 46315b54912739075d98433897e86ecd.exe
  2088 | 46315b54912739075d98433897e86ecd.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2088 wrote to memory of 340 | 2088 | 46315b54912739075d98433897e86ecd.exe | 28
  PID 2088 wrote to memory of 340 | 2088 | 46315b54912739075d98433897e86ecd.exe | 28
  PID 2088 wrote to memory of 340 | 2088 | 46315b54912739075d98433897e86ecd.exe | 28
  PID 2088 wrote to memory of 340 | 2088 | 46315b54912739075d98433897e86ecd.exe | 28
  PID 340 wrote to memory of 2440 | 340 | net.exe | 30
  PID 340 wrote to memory of 2440 | 340 | net.exe | 30
  PID 340 wrote to memory of 2440 | 340 | net.exe | 30
  PID 340 wrote to memory of 2440 | 340 | net.exe | 30
  PID 2088 wrote to memory of 2040 | 2088 | 46315b54912739075d98433897e86ecd.exe | 33
  PID 2088 wrote to memory of 2040 | 2088 | 46315b54912739075d98433897e86ecd.exe | 33
  PID 2088 wrote to memory of 2040 | 2088 | 46315b54912739075d98433897e86ecd.exe | 33
  PID 2088 wrote to memory of 2040 | 2088 | 46315b54912739075d98433897e86ecd.exe | 33
Processes

- C:\Users\Admin\AppData\Local\Temp\46315b54912739075d98433897e86ecd.exe (PID: 2088)
  Command line: "C:\Users\Admin\AppData\Local\Temp\46315b54912739075d98433897e86ecd.exe"
  Signatures:
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\net.exe (PID: 340)
    Command line: net stop McShield
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\net1.exe (PID: 2440)
      Command line: C:\Windows\system32\net1 stop McShield
  - C:\Windows\SysWOW64\cmd.exe (PID: 2040)
    Command line: cmd /c ieflux.exe_deleteme.bat

- C:\Windows\ime\winupgrade.exe (PID: 2828)
  Command line: C:\Windows\ime\winupgrade.exe
  Signatures:
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 64B
  MD5: bfcaeabfbce998e551827934f9cab4ad
  SHA1: 3a91d41d9d42b737bdb82f59b3867d3b4ef27035
  SHA256: 1813f05035373247df14aeb946d7a38183cd78e9d6ed1f637b45eaff537b382a
  SHA512: 5a393fc6e5cd0004b8c559b5dbbbc6903c4df29e27df3a4fe26bb8ad40b860f51d10152d7ebf002de6772448411edf3838626c34ce5d2265aa6a9703809831db

- Filesize: 653KB
  MD5: dd83adadfa69e555fbffaa2dafd119da
  SHA1: 4d2872c6a5ebe237ce28254cf0a9315616016136
  SHA256: 2f4a65fecb7195a982b1463002e06324bab25069f65eb1884c45e174c8563280
  SHA512: 962b88f246a1f3f1c4e38874538fcabfac653a4c4c11e4905abcbbc4b0a75cbf68b9386f05bec189ef90221e08c55908b4181c6aaf8d2b9b4c8a39332e3e71cd