Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
10/01/2024, 22:13
General
-
Target
51c169ee9613134ff19f469ea62497a4.exe
-
Size
144KB
-
MD5
51c169ee9613134ff19f469ea62497a4
-
SHA1
1a8f40bbc83ad8d1f66295a20a7195904c34338c
-
SHA256
3b5a733b83f48fb79d6ba81e8ca6d3f08fa3db062fb1bae6da7af166f9a9a3c5
-
SHA512
c91d4fc33dac3515a5212930e378e0dd33c4a177086bb600aef27736288bec149866b68e9096ca754e02c7444df7c3b872c497527daf2976c77181d7b1da2c5f
-
SSDEEP
3072:RT7wfo4gaGu3GpRGtXuZV91KQCrq/l4pyXM1nIpfcPv:hnnRGdc9kCks8IW
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\51c169ee9613134ff19f469ea62497a4.exe"C:\Users\Admin\AppData\Local\Temp\51c169ee9613134ff19f469ea62497a4.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\51c169ee9613134ff19f469ea62497a4.exe"C:\Users\Admin\AppData\Local\Temp\51c169ee9613134ff19f469ea62497a4.exe"2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\51c169ee9613134ff19f469ea62497a4.exe"C:\Users\Admin\AppData\Local\Temp\51c169ee9613134ff19f469ea62497a4.exe"3⤵
- Modifies firewall policy service
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\C-76947-8457-2745\winmsnliv.exe"C:\Users\Public\C-76947-8457-2745\winmsnliv.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\C-76947-8457-2745\winmsnliv.exe"C:\Users\Public\C-76947-8457-2745\winmsnliv.exe"5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\C-76947-8457-2745\winmsnliv.exe"C:\Users\Public\C-76947-8457-2745\winmsnliv.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144KB
MD551c169ee9613134ff19f469ea62497a4
SHA11a8f40bbc83ad8d1f66295a20a7195904c34338c
SHA2563b5a733b83f48fb79d6ba81e8ca6d3f08fa3db062fb1bae6da7af166f9a9a3c5
SHA512c91d4fc33dac3515a5212930e378e0dd33c4a177086bb600aef27736288bec149866b68e9096ca754e02c7444df7c3b872c497527daf2976c77181d7b1da2c5f
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
88KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB