Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 07/01/2024, 20:34
Static task: static1
Behavioral task: behavioral1
- Sample: 49b2e2c622aed1aaccb8f17d500b7321.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 49b2e2c622aed1aaccb8f17d500b7321.exe
- Resource: win10v2004-20231215-en
General
- Target: 49b2e2c622aed1aaccb8f17d500b7321.exe
- Size: 2.6MB
- MD5: 49b2e2c622aed1aaccb8f17d500b7321
- SHA1: a73b715a6ce39a6983c29765de0eef9156899ed3
- SHA256: 08ef1a2643f2d97ea39aa628a6a56a1109db245ae5c795278b4529d9e2f4a4c7
- SHA512: 0da166b392bcfe55c700a123414b03d706f5eb3c585e905f7db32b0db004f189c517f11ed343428ac92a9559538f05a2fb802fe5c0e210a8d233719c154c0328
- SSDEEP: 49152:9cUUQTLnKiVql9Bs8dKj+LFh2Hs7VcsxL2QlAQjLGi/9JNIzg6:mwHs9s8lLFxfCQ2QjLH9uJ
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\xKsLHgjFBHJwJAJa\\664DlHQcJscC.exe\",explorer.exe"
  process: 49b2e2c622aed1aaccb8f17d500b7321.exe
- Executes dropped EXE (1 IoC)
  pid 2388, process 8bE1XT1hzqW5g1D3.exe
- Loads dropped DLL (1 IoC)
  pid 1352, process 49b2e2c622aed1aaccb8f17d500b7321.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid 1352, process 49b2e2c622aed1aaccb8f17d500b7321.exe (13 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 1352, process 49b2e2c622aed1aaccb8f17d500b7321.exe
  Token: 33, pid 1352, process 49b2e2c622aed1aaccb8f17d500b7321.exe
  Token: SeIncBasePriorityPrivilege, pid 1352, process 49b2e2c622aed1aaccb8f17d500b7321.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  PID 1352 (49b2e2c622aed1aaccb8f17d500b7321.exe) wrote to the memory of each target below four times:
  target PID 2388 (procid_target 34)
  target PID 2732 (procid_target 33)
  target PID 2788 (procid_target 32)
  target PID 2804 (procid_target 31)
  target PID 2808 (procid_target 30)
  target PID 2828 (procid_target 29)
  target PID 2792 (procid_target 28)
Processes
- C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe" (level 1, PID 1352)
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe" (level 2, PID 2792)
  - C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe" (level 2, PID 2828)
  - C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe" (level 2, PID 2808)
  - C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe" (level 2, PID 2804)
  - C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe" (level 2, PID 2788)
  - C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe "C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe" (level 2, PID 2732)
  - C:\Users\Admin\AppData\Local\Temp\8bE1XT1hzqW5g1D3.exe "C:\Users\Admin\AppData\Local\Temp\8bE1XT1hzqW5g1D3.exe" (level 2, PID 2388)
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: 1366bd01f669bdf3c5ba1c8aa74442db
  SHA1: 24189c709cedd43dcf9674f48c2681d0648e5ded
  SHA256: 35c6f0a096e8e543a288575c0a7220e1cb7ae1b29ec9ff2cd38daef1517aff9c
  SHA512: a8b098733809eaad46178f78c9d52ed761cac8613914a80c824d628821f82bbb5c052ddc2a7ae0ec86f4c501dde831ce17478ce1097f4522aa6165e98af8dec4
- Filesize: 96KB
  MD5: c2e88ab5859165538d4f1bef3b895aa3
  SHA1: a42b200746095f71f7be468696b328662e7ef57f
  SHA256: 58e2575f5533e2953fca498f72247a8b394d7b0faab7bd5ebf1e63e7b475585b
  SHA512: 57ee64f3e091e3d27c10939c62fa0bde161c3199ac014ae42383a4b7dfba683f527fec19c39475108545ef780bd5ac19f9c5483855324f754c34cb3337a9d7aa