Analysis
max time kernel: 0s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2024, 19:40
Static task: static1
Behavioral task: behavioral1
  Sample: ac73d3ab2ca930996226857a8cfdbffa.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: ac73d3ab2ca930996226857a8cfdbffa.exe
  Resource: win10v2004-20231215-en
General
Target: ac73d3ab2ca930996226857a8cfdbffa.exe
Size: 512KB
MD5: ac73d3ab2ca930996226857a8cfdbffa
SHA1: 74b5bc3ac9e2b076f172d7ecc448a145942773dc
SHA256: a597e3296b3e0adbb6a791ba706fe456522452eaea594533de7c8fff3942cdd4
SHA512: ec16405c62f51053d74c1e619015344fb50f36b798c57b52569bd9042da112395ab487f367a05c0ea7597d8903a1ebe421c1894345bebc75f5a1a3a83c247db3
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pyftfsxbsj.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pyftfsxbsj.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pyftfsxbsj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pyftfsxbsj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pyftfsxbsj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pyftfsxbsj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | pyftfsxbsj.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pyftfsxbsj.exe

Executes dropped EXE (4 IoCs)
pid | Process
2756 | pyftfsxbsj.exe
2836 | dzqasmrrlvztoti.exe
2720 | sgsajdkx.exe
2744 | cinvlzccqqhop.exe

Loads dropped DLL (4 IoCs)
pid | Process
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pyftfsxbsj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pyftfsxbsj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pyftfsxbsj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pyftfsxbsj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pyftfsxbsj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | pyftfsxbsj.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pyftfsxbsj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pyftfsxbsj.exe
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1736-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
Drops file in System32 directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\pyftfsxbsj.exe | ac73d3ab2ca930996226857a8cfdbffa.exe
File created | C:\Windows\SysWOW64\dzqasmrrlvztoti.exe | ac73d3ab2ca930996226857a8cfdbffa.exe
File opened for modification | C:\Windows\SysWOW64\dzqasmrrlvztoti.exe | ac73d3ab2ca930996226857a8cfdbffa.exe
File created | C:\Windows\SysWOW64\sgsajdkx.exe | ac73d3ab2ca930996226857a8cfdbffa.exe
File opened for modification | C:\Windows\SysWOW64\sgsajdkx.exe | ac73d3ab2ca930996226857a8cfdbffa.exe
File created | C:\Windows\SysWOW64\cinvlzccqqhop.exe | ac73d3ab2ca930996226857a8cfdbffa.exe
File opened for modification | C:\Windows\SysWOW64\cinvlzccqqhop.exe | ac73d3ab2ca930996226857a8cfdbffa.exe
File created | C:\Windows\SysWOW64\pyftfsxbsj.exe | ac73d3ab2ca930996226857a8cfdbffa.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | ac73d3ab2ca930996226857a8cfdbffa.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (19 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pyftfsxbsj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pyftfsxbsj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pyftfsxbsj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432D089C5682206A4377D3772E2CDC7CF664AA" | ac73d3ab2ca930996226857a8cfdbffa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8F9BEFE17F19884083B3581993E93B0FA038B4262023DE1B8459D08A3" | ac73d3ab2ca930996226857a8cfdbffa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C60914E4DBB1B8B97FE7ED9634BC" | ac73d3ab2ca930996226857a8cfdbffa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pyftfsxbsj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pyftfsxbsj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pyftfsxbsj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pyftfsxbsj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pyftfsxbsj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pyftfsxbsj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFF8E482E82689134D62D7D96BDEEE6335846674F6331D6EB" | ac73d3ab2ca930996226857a8cfdbffa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB1FE1D21DCD273D1A98B7E9110" | ac73d3ab2ca930996226857a8cfdbffa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pyftfsxbsj.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ac73d3ab2ca930996226857a8cfdbffa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B12D449439E353C4BAD6329ED4CE" | ac73d3ab2ca930996226857a8cfdbffa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pyftfsxbsj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pyftfsxbsj.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid | Process
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
2756 | pyftfsxbsj.exe
2756 | pyftfsxbsj.exe
2756 | pyftfsxbsj.exe
2756 | pyftfsxbsj.exe
2756 | pyftfsxbsj.exe

Suspicious use of FindShellTrayWindow (15 IoCs)
pid | Process
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
2756 | pyftfsxbsj.exe
2756 | pyftfsxbsj.exe
2756 | pyftfsxbsj.exe
2836 | dzqasmrrlvztoti.exe
2836 | dzqasmrrlvztoti.exe
2836 | dzqasmrrlvztoti.exe
2720 | sgsajdkx.exe
2720 | sgsajdkx.exe
2720 | sgsajdkx.exe
2744 | cinvlzccqqhop.exe
2744 | cinvlzccqqhop.exe
2744 | cinvlzccqqhop.exe

Suspicious use of SendNotifyMessage (15 IoCs)
pid | Process
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
1736 | ac73d3ab2ca930996226857a8cfdbffa.exe
2756 | pyftfsxbsj.exe
2756 | pyftfsxbsj.exe
2756 | pyftfsxbsj.exe
2836 | dzqasmrrlvztoti.exe
2836 | dzqasmrrlvztoti.exe
2836 | dzqasmrrlvztoti.exe
2720 | sgsajdkx.exe
2720 | sgsajdkx.exe
2720 | sgsajdkx.exe
2744 | cinvlzccqqhop.exe
2744 | cinvlzccqqhop.exe
2744 | cinvlzccqqhop.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 1736 wrote to memory of 2756 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 21
PID 1736 wrote to memory of 2756 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 21
PID 1736 wrote to memory of 2756 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 21
PID 1736 wrote to memory of 2756 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 21
PID 1736 wrote to memory of 2836 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 20
PID 1736 wrote to memory of 2836 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 20
PID 1736 wrote to memory of 2836 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 20
PID 1736 wrote to memory of 2836 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 20
PID 1736 wrote to memory of 2720 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 19
PID 1736 wrote to memory of 2720 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 19
PID 1736 wrote to memory of 2720 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 19
PID 1736 wrote to memory of 2720 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 19
PID 1736 wrote to memory of 2744 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 16
PID 1736 wrote to memory of 2744 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 16
PID 1736 wrote to memory of 2744 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 16
PID 1736 wrote to memory of 2744 | 1736 | ac73d3ab2ca930996226857a8cfdbffa.exe | 16
Processes

C:\Windows\SysWOW64\sgsajdkx.exe (tree depth 1)
  Command line: C:\Windows\system32\sgsajdkx.exe
  PID: 2844

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (tree depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  PID: 2616

  C:\Windows\splwow64.exe (tree depth 2, nested under WINWORD.EXE)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 304

C:\Windows\SysWOW64\cinvlzccqqhop.exe (tree depth 1)
  Command line: cinvlzccqqhop.exe
  PID: 2744
  Signatures:
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\SysWOW64\sgsajdkx.exe (tree depth 1)
  Command line: sgsajdkx.exe
  PID: 2720
  Signatures:
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\SysWOW64\dzqasmrrlvztoti.exe (tree depth 1)
  Command line: dzqasmrrlvztoti.exe
  PID: 2836
  Signatures:
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\SysWOW64\pyftfsxbsj.exe (tree depth 1)
  Command line: pyftfsxbsj.exe
  PID: 2756
  Signatures:
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Modifies WinLogon
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\AppData\Local\Temp\ac73d3ab2ca930996226857a8cfdbffa.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac73d3ab2ca930996226857a8cfdbffa.exe"
  PID: 1736
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory