Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 11/01/2024, 22:01
Static task: static1
Behavioral task: behavioral1
Sample: 54b1da1c16d8dd8c121c95eaa705aa93.exe
Resource: win7-20231215-en
General
Target: 54b1da1c16d8dd8c121c95eaa705aa93.exe
Size: 212KB
MD5: 54b1da1c16d8dd8c121c95eaa705aa93
SHA1: 95ea8c091e1550778ced92f61e795e071e3f25fe
SHA256: 37a2d60c1263d20fcbe71038314073e0c9b40cbc0eef31fd05eca9e53be93c75
SHA512: 570f620a7dade80891189dfad95c514da5f93ca2e650ebba6f72a18201db52252fc03b9bc77370445f2f62b5e903d68f39ba655b2ad453f22cb8ef243b853a2b
SSDEEP: 6144:K8x1Nj/T9iK4Lpu6HPirxW+26NU7NBsp7:X1X4Lo6wxW+26NU7NBsp7
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  pid   Process
  2688  NeverInjector.exe
  2888  1.exe
  2596  svchost64.exe
  1216  services64.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  2132  54b1da1c16d8dd8c121c95eaa705aa93.exe
  2780  cmd.exe
  2596  svchost64.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  2     freegeoip.app
  3     freegeoip.app

Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File created | C:\Windows\system32\services64.exe | svchost64.exe
  File opened for modification | C:\Windows\system32\services64.exe | svchost64.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 1.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2944  schtasks.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid   Process
  2880  powershell.exe
  2888  1.exe
  2888  1.exe
  2596  svchost64.exe
  2888  1.exe
  1416  powershell.exe
  760   powershell.exe
  1124  powershell.exe
  2452  powershell.exe
  2324  powershell.exe
  2888  1.exe
  1200  powershell.exe
  1388  powershell.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2880 | powershell.exe
  Token: SeDebugPrivilege | 2888 | 1.exe
  Token: SeDebugPrivilege | 2596 | svchost64.exe
  Token: SeDebugPrivilege | 1416 | powershell.exe
  Token: SeDebugPrivilege | 760 | powershell.exe
  Token: SeDebugPrivilege | 1124 | powershell.exe
  Token: SeDebugPrivilege | 2452 | powershell.exe
  Token: SeDebugPrivilege | 2324 | powershell.exe
  Token: SeDebugPrivilege | 1200 | powershell.exe
  Token: SeDebugPrivilege | 1388 | powershell.exe

Suspicious use of WriteProcessMemory (57 IoCs)
  Each row below appears three times in the original table (57 entries in total).
  description | pid | Process | procid_target
  PID 2132 wrote to memory of 2688 | 2132 | 54b1da1c16d8dd8c121c95eaa705aa93.exe | 28
  PID 2132 wrote to memory of 2888 | 2132 | 54b1da1c16d8dd8c121c95eaa705aa93.exe | 29
  PID 2688 wrote to memory of 3016 | 2688 | NeverInjector.exe | 30
  PID 3016 wrote to memory of 2880 | 3016 | cmd.exe | 31
  PID 2688 wrote to memory of 2780 | 2688 | NeverInjector.exe | 34
  PID 2780 wrote to memory of 2596 | 2780 | cmd.exe | 35
  PID 2596 wrote to memory of 2456 | 2596 | svchost64.exe | 36
  PID 2456 wrote to memory of 2944 | 2456 | cmd.exe | 38
  PID 3016 wrote to memory of 1416 | 3016 | cmd.exe | 39
  PID 3016 wrote to memory of 760 | 3016 | cmd.exe | 40
  PID 3016 wrote to memory of 1124 | 3016 | cmd.exe | 41
  PID 2596 wrote to memory of 1216 | 2596 | svchost64.exe | 42
  PID 1216 wrote to memory of 2408 | 1216 | services64.exe | 43
  PID 2596 wrote to memory of 2960 | 2596 | svchost64.exe | 46
  PID 2408 wrote to memory of 2452 | 2408 | cmd.exe | 47
  PID 2960 wrote to memory of 2836 | 2960 | cmd.exe | 48
  PID 2408 wrote to memory of 2324 | 2408 | cmd.exe | 49
  PID 2408 wrote to memory of 1200 | 2408 | cmd.exe | 51
  PID 2408 wrote to memory of 1388 | 2408 | cmd.exe | 52

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; the number in brackets is the nesting depth shown in the original report)

[1] C:\Users\Admin\AppData\Local\Temp\54b1da1c16d8dd8c121c95eaa705aa93.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\54b1da1c16d8dd8c121c95eaa705aa93.exe"
    PID: 2132
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
      PID: 2688
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\cmd.exe
        Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        PID: 3016
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
          PID: 2880
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          PID: 1416
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
          PID: 760
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
          PID: 1124
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
        PID: 2780
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\svchost64.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\NeverInjector.exe"
          PID: 2596
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
            PID: 2456
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\schtasks.exe
              Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
              PID: 2944
              - Creates scheduled task(s)

        [5] C:\Windows\system32\services64.exe
            Command line: "C:\Windows\system32\services64.exe"
            PID: 1216
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\cmd.exe
              Command line: "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
              PID: 2408
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                PID: 2452
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                PID: 2324
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                PID: 1200
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                PID: 1388
                - Drops file in System32 directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
            PID: 2960
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\choice.exe
              Command line: choice /C Y /N /D Y /T 3
              PID: 2836

  [2] C:\Users\Admin\AppData\Local\Temp\1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
      PID: 2888
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 450B
MD5: 2194d49a898360543bd9c1aa99a540de
SHA1: 0014313df2abb6ae0ceb6941529bac75f89ee837
SHA256: 659082d3ea5969c5fa4205e8936ce8fe092b9234e0370be86ab541a56b8defa2
SHA512: 3dd49d0b8d399819a5466da11e811fd8537ce4a0b97f1e84990a2c9bf409ee8b9238cf082bd8e2ffe006459fb3f7a614a4db526d0ed7b8750160dc1275ac2fc1

Filesize: 274KB
MD5: c23dd6dcde8637fd537eb142665a4edf
SHA1: ac1d3a691cdd37a8935734270e62186ae0c8f563
SHA256: 3cd8c058466febed909675da97645ff2c364562a2bab260402185896aea8be59
SHA512: b16a7badf694741ddfe519d96418c36a12a315523c8045c60ff1af68886f377d3818c0346fb2ab9292182831869207b7219aad3dc27e37ee95372e59fa886bb7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\03GSILH71J2L2WPWFKLS.temp
Filesize: 7KB
MD5: 9a4a61f1e05d3507b470b494f966fb19
SHA1: 84c76e57fa80d3deb2d49cb84eb2bd4a4aa8e26c
SHA256: 2c9562da95936c311ca8abccc3627ea2c976626ecd454645f7318b7d35372f86
SHA512: 9b6b2a652eb07b163531760f0a01e724d1da7436278702b9beb81cbcb86556e5517ba0fc5c3f0c608a8bbcefe460625754fd9821ed5f60d15bc26de1cd6b1a82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 1KB
MD5: f0d4039193f757be4e95ec5493570f3e
SHA1: 4c8cbf97e20456830c33dea8db196c9dbbc625e0
SHA256: dce7c17e9ed7ea719b539f85d3921bc34a6827a8de6b3ac6c9330ceb282fa784
SHA512: 4631d20aaf653884ac855478ccc5542d282741594333dba5ecd167fc9f58506b17dd36c906391a17fcf98d3c8fd1cdb968539dc74d408ae24fe117ac3021608d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 86584fa2b1ecd6e44d7b0f494a585ae7
SHA1: a841727527ce82f2a5e144381560fb698b8520a0
SHA256: 793e3268e99bdc91df0e277d1d7a47ffc643a85ae199ba2824c57fed1890fc8a
SHA512: 88d97775c02f9fc9758f0b6e396839b82a18169e1f5bfd57082997b036c2344ea147a8c5b12677a08ca8b1b0a07cdca4040206df9fd09a302488ee8eaf4a4c15

Filesize: 42KB
MD5: 84cc0c40b8c1a3a5366d30e0c038bddc
SHA1: 36a5f937988d9d2e8109885f1cc172abeca7c974
SHA256: 5076d9fd2781dcfcb98b71ffa8b9bebab8c11499caf1af17a28e2b661853848c
SHA512: a23863de886c23df57dfd038dd7b9cc6a2c7ffcb48e555db8a71155de59f1dbb2fb412fdf1b5610e37e9011450d4adcf829947317901fd93ffa246f2aaac59a2

Filesize: 36KB
MD5: 1aa155e87018118aa94dcdad5e8bb3ee
SHA1: f3d9f7935170538f4219731aa27664dfd5fb6cc0
SHA256: 7ac2a4b82c31b61fb520f69c33674247e75acbf2c93b7357edb7a62e443e475e
SHA512: 8df2f7accb24dee4b3acc73fad33fd2adfc3988766c995efb52f677b9b81baeea243aa5c8a1c8596cc68269795017c7903faa3c372a3d8e2da791b0c6d2e11be

Filesize: 28KB
MD5: f477a1095aaea760a7a3b7ef86630e47
SHA1: 5e170b58a4f21256c49880b73e1675b13b462901
SHA256: ec984f17a9701a32f6237f51ea837f785e5a8df7a63960a3b577a54adee2e628
SHA512: 34bfe8e145fd6de148d6d74fc87b41b344115aad9b681d5612b4ad962d670205fd330236d2d314d18cd9210fc8a6996d20b011e914a5f4470603bf62792ea5ee