Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
07/01/2024, 10:00
Static task
static1
Behavioral task
behavioral1
Sample
48acc010b209323240e80238063b8164.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
48acc010b209323240e80238063b8164.exe
Resource
win10v2004-20231215-en
General
-
Target
48acc010b209323240e80238063b8164.exe
-
Size
108KB
-
MD5
48acc010b209323240e80238063b8164
-
SHA1
db8c5fe801534cc103a5519a9389f82be4b028b7
-
SHA256
eb065579378f04e903c23fe185d1f38fb0627fa34f7ae7f9d660b2f15cc2eed0
-
SHA512
467b6f80f5e80f911c7ab2002968d6b2300d040d8801272d695b0fbf0d565d5010351235b801b5f0094cb44976995e9edbaf8a55569349c7330a94a7137e608f
-
SSDEEP
1536:mjLaMv3xnCwNz0DxkJ0PpKtzz0imm6g5ckJUD1LZ38hqiDsIxI9He2q0T6ow4U6:meYBCwqDxkJKpqjoOklZ4DzI02DHwa
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\szwtvt64.sys Setup.exe -
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0007000000014ba6-13.dat acprotect behavioral1/files/0x0007000000014b5b-20.dat acprotect -
Executes dropped EXE 1 IoCs
pid Process 2036 Setup.exe -
Loads dropped DLL 12 IoCs
pid Process 1652 48acc010b209323240e80238063b8164.exe 2036 Setup.exe 2036 Setup.exe 2036 Setup.exe 2036 Setup.exe 2036 Setup.exe 2460 regsvr32.exe 2292 rundll32.exe 2292 rundll32.exe 2292 rundll32.exe 2292 rundll32.exe 1652 48acc010b209323240e80238063b8164.exe -
resource yara_rule behavioral1/files/0x0007000000014ba6-13.dat upx behavioral1/files/0x0007000000014b5b-20.dat upx behavioral1/memory/2460-25-0x0000000010000000-0x0000000010017000-memory.dmp upx behavioral1/memory/2292-33-0x0000000010000000-0x000000001001E000-memory.dmp upx behavioral1/memory/1652-35-0x0000000010000000-0x000000001001E000-memory.dmp upx behavioral1/memory/2292-36-0x0000000010000000-0x000000001001E000-memory.dmp upx -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\wintvt64.dll Setup.exe File opened for modification C:\Windows\SysWOW64\wintvt64.dll Setup.exe File created C:\Windows\SysWOW64\szwtvt64.dll Setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2120 2460 WerFault.exe 29 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2292 rundll32.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 480 Process not Found -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2292 rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2292 rundll32.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1652 wrote to memory of 2036 1652 48acc010b209323240e80238063b8164.exe 28 PID 1652 wrote to memory of 2036 1652 48acc010b209323240e80238063b8164.exe 28 PID 1652 wrote to memory of 2036 1652 48acc010b209323240e80238063b8164.exe 28 PID 1652 wrote to memory of 2036 1652 48acc010b209323240e80238063b8164.exe 28 PID 1652 wrote to memory of 2036 1652 48acc010b209323240e80238063b8164.exe 28 PID 1652 wrote to memory of 2036 1652 48acc010b209323240e80238063b8164.exe 28 PID 1652 wrote to memory of 2036 1652 48acc010b209323240e80238063b8164.exe 28 PID 2036 wrote to memory of 2460 2036 Setup.exe 29 PID 2036 wrote to memory of 2460 2036 Setup.exe 29 PID 2036 wrote to memory of 2460 2036 Setup.exe 29 PID 2036 wrote to memory of 2460 2036 Setup.exe 29 PID 2036 wrote to memory of 2460 2036 Setup.exe 29 PID 2036 wrote to memory of 2460 2036 Setup.exe 29 PID 2036 wrote to memory of 2460 2036 Setup.exe 29 PID 2460 wrote to memory of 2120 2460 regsvr32.exe 30 PID 2460 wrote to memory of 2120 2460 regsvr32.exe 30 PID 2460 wrote to memory of 2120 2460 regsvr32.exe 30 PID 2460 wrote to memory of 2120 2460 regsvr32.exe 30 PID 2460 wrote to memory of 2120 2460 regsvr32.exe 30 PID 2460 wrote to memory of 2120 2460 regsvr32.exe 30 PID 2460 wrote to memory of 2120 2460 regsvr32.exe 30 PID 2036 wrote to memory of 2292 2036 Setup.exe 31 PID 2036 wrote to memory of 2292 2036 Setup.exe 31 PID 2036 wrote to memory of 2292 2036 Setup.exe 31 PID 2036 wrote to memory of 2292 2036 Setup.exe 31 PID 2036 wrote to memory of 2292 2036 Setup.exe 31 PID 2036 wrote to memory of 2292 2036 Setup.exe 31 PID 2036 wrote to memory of 2292 2036 Setup.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\48acc010b209323240e80238063b8164.exe"C:\Users\Admin\AppData\Local\Temp\48acc010b209323240e80238063b8164.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe"C:\Users\Admin\AppData\Local\Temp\hostA\Setup.exe" 48acc010b209323240e80238063b8164 /s2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\system32\wintvt64.dll"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 2924⤵
- Program crash
PID:2120
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 "C:\Windows\system32\szwtvt64.dll",StartByHostEx3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2292
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5f0ed35df7868e035ef4d24f4ed2275df
SHA10311ced9b0fc9d48cbca3c82a20e6a69ad634224
SHA256c29aacebd737d8dc4a04ede748feb2015653e5be849df503116579be877c4a1f
SHA5129996bcc542e42b44c77a0577710320330781499a82a75f1d2a485c12426e6662266f1cf350b899ed346509f3949e97734fdc0847703c41eeecc8c707200ccc2c
-
Filesize
31KB
MD5dc7a726988c0fd975c6289f4a10f7f4a
SHA16d1ac62e4cf452e750e8280e52a0289815a91fe0
SHA2562590fbb815f0ff0ad462d97bc888ec444d3f96f33b8b9b03d3201d4c5d19117e
SHA512282c052261341e0523a2424784b2fafa32250fce2b8bdc4a399bf52ddf3f3fe00a6f29b9098e8c3362cc073c7498a368ebf4b5c1725fbb195372c369afe7b7b3
-
Filesize
32KB
MD54b9c0a72a21e2302499f9205691d4d97
SHA1c832ead6f4e0e8850246072920ed05891d8adcfc
SHA2567dea44ae86ac4217c78a6ce3a662dc74c26a5b7ed8dfcb381acb7f70629def40
SHA512989ddca552974b919d892d3fb7b30ff252dac55e06a9f6dd173982537fb48ea581ba96f40d099f8f9149b294ff7444ba245f11deabf60ca2b65cf2199b049827
-
Filesize
44KB
MD5662efb61c90b91e9bccc9b88c47b8514
SHA149bf37470ffe9ee5beb66a872212a533365d5b1b
SHA25658bedb0c116624d77201fa0d6baf6211da9c7071ea239ce1e6040d1026f3005a
SHA5124bf7e8634fcc8f153392d08704ce22f48720321d724a8efbd3c35be63d5c2842fca94163c1e156a03606c4ec6c801deaed5982ff7487b38c54b289a715511939