Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 09/01/2024, 02:04
Behavioral task: behavioral1
Sample: 4d0e910d49f643ea824bc9287b555a33.exe
Resource: win7-20231215-en
General
Target: 4d0e910d49f643ea824bc9287b555a33.exe
Size: 960KB
MD5
4d0e910d49f643ea824bc9287b555a33
SHA1
2c86e23ca404966246c5162a013424c9f91c7029
SHA256
5feebe124f24422f47f619f11b1457f5f77b633c46f501011761606e16edc20d
SHA512
9880e55f7d6cbea256022d6aee207e57ffb3663178ebcb7855f498d0605b045ef50c928452fcdaedbb827435f5c4dd51313099d1ccde1fbdc605b20cee9c1b5c
SSDEEP
12288:X6Wq4aaE6KwyF5L0Y2D1PqLb6Wq4aaE6KwyF5L0Y2D1PqLx6Wq4aaE6KwyF5L0YD:1thEVaPqLBthEVaPqLHthEVaPqLTthF
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svhost.exe
Executes dropped EXE (1 IoC)
pid | Process
1760 | svhost.exe
resource | yara_rule
behavioral1/memory/1716-0-0x0000000000400000-0x0000000000523000-memory.dmp | upx
behavioral1/memory/1716-5-0x0000000003B40000-0x0000000003C63000-memory.dmp | upx
behavioral1/files/0x000a000000012251-4.dat | upx
behavioral1/memory/1760-7-0x0000000000400000-0x0000000000523000-memory.dmp | upx
behavioral1/files/0x000a000000012251-6.dat | upx
behavioral1/files/0x0007000000016cfb-67.dat | upx
behavioral1/memory/1716-810-0x0000000000400000-0x0000000000523000-memory.dmp | upx
behavioral1/memory/1760-2666-0x0000000000400000-0x0000000000523000-memory.dmp | upx
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\b: | svhost.exe
File opened (read-only) | \??\e: | svhost.exe
File opened (read-only) | \??\g: | svhost.exe
File opened (read-only) | \??\r: | svhost.exe
File opened (read-only) | \??\a: | svhost.exe
File opened (read-only) | \??\j: | svhost.exe
File opened (read-only) | \??\k: | svhost.exe
File opened (read-only) | \??\m: | svhost.exe
File opened (read-only) | \??\s: | svhost.exe
File opened (read-only) | \??\t: | svhost.exe
File opened (read-only) | \??\u: | svhost.exe
File opened (read-only) | \??\l: | svhost.exe
File opened (read-only) | \??\n: | svhost.exe
File opened (read-only) | \??\o: | svhost.exe
File opened (read-only) | \??\p: | svhost.exe
File opened (read-only) | \??\v: | svhost.exe
File opened (read-only) | \??\y: | svhost.exe
File opened (read-only) | \??\z: | svhost.exe
File opened (read-only) | \??\h: | svhost.exe
File opened (read-only) | \??\i: | svhost.exe
File opened (read-only) | \??\q: | svhost.exe
File opened (read-only) | \??\w: | svhost.exe
File opened (read-only) | \??\x: | svhost.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1760-7-0x0000000000400000-0x0000000000523000-memory.dmp | autoit_exe
behavioral1/memory/1716-810-0x0000000000400000-0x0000000000523000-memory.dmp | autoit_exe
behavioral1/memory/1760-2666-0x0000000000400000-0x0000000000523000-memory.dmp | autoit_exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\svhost.exe | 4d0e910d49f643ea824bc9287b555a33.exe
File opened for modification | C:\Windows\Driver.db | svhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1716 | 4d0e910d49f643ea824bc9287b555a33.exe
1760 | svhost.exe
1760 | svhost.exe
1760 | svhost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1760 | svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs; repeated entries collapsed to one row per process)
pid | Process
1716 | 4d0e910d49f643ea824bc9287b555a33.exe
1760 | svhost.exe
Suspicious use of SendNotifyMessage (64 IoCs; repeated entries collapsed to one row per process)
pid | Process
1716 | 4d0e910d49f643ea824bc9287b555a33.exe
1760 | svhost.exe
Suspicious use of WriteProcessMemory (4 IoCs; the same entry is recorded four times)
description | pid | Process | procid_target
PID 1716 wrote to memory of 1760 | 1716 | 4d0e910d49f643ea824bc9287b555a33.exe | 28
Processes
1. "C:\Users\Admin\AppData\Local\Temp\4d0e910d49f643ea824bc9287b555a33.exe" (PID: 1716)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
2. C:\Windows\svhost.exe (PID: 1760, child of PID 1716)
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads