Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
Max time kernel: 147s
Max time network: 143s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 11/01/2024, 00:19
Static task: static1
Behavioral task: behavioral1
  Sample: 52074adb63e057ca2e90c3466b06682e.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 52074adb63e057ca2e90c3466b06682e.exe
  Resource: win10v2004-20231215-en
General
Target: 52074adb63e057ca2e90c3466b06682e.exe
Size: 430KB
MD5: 52074adb63e057ca2e90c3466b06682e
SHA1: 44c334efad32eb9c28d4a99051ae0f63e00082b9
SHA256: c294dd58c069b8047e6a35836407a3ac4724629413205c3cc2061f59ed8fb770
SHA512: be7364030b8918541b1c5b1e7ef8b7e6e23b0da1e51c43fc4af1b0c5be8631f3e274f74d7fb2428722c6c0f8ae71a8a2a24b8cdbefb8f66c889f7ebb5b8998d9
SSDEEP: 12288:ibee0PGl89WazvzkmMxM+ltxQMAn0Iv1b70ZSf2P:2edGBazvZMHltxtIv1bUS+P
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winder.lnk
  process: 52074adb63e057ca2e90c3466b06682e.exe
Loads dropped DLL (1 IoC)
  pid: 3040
  process: 52074adb63e057ca2e90c3466b06682e.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\52074adb63e057ca2e90c3466b06682e.exe = "C:\\System32\\52074adb63e057ca2e90c3466b06682e.exe"
  process: 52074adb63e057ca2e90c3466b06682e.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid: 3040, process: 52074adb63e057ca2e90c3466b06682e.exe (4 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 3040, process: 52074adb63e057ca2e90c3466b06682e.exe
Suspicious behavior: RenamesItself (1 IoC)
  pid: 3040, process: 52074adb63e057ca2e90c3466b06682e.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 3040, process: 52074adb63e057ca2e90c3466b06682e.exe (2 occurrences)
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 3040 wrote to memory of 3004
  pid: 3040
  process: 52074adb63e057ca2e90c3466b06682e.exe
  procid_target: 29
  (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\52074adb63e057ca2e90c3466b06682e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\52074adb63e057ca2e90c3466b06682e.exe"
   PID: 3040
   Signatures: Drops startup file; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: RenamesItself; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (child of PID 3040)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS1.vbs"
      PID: 3004
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 653B
  MD5: 0d237c3976b18f6e62e9cac8c1312d44
  SHA1: 2b47e57acff09cb913dc13790a6f10bacc308504
  SHA256: b375cbe2e4bbee67296fcc495ca8a2ae1c3a4f901d17c1bb1a60f3f3a33c75eb
  SHA512: c2ad17343a93023588e01dbd0bde7b3e2675f8b34f9fcb46731fb805b7903606f4375e1c1a17b119b2b1fefb03434e7dac1cb9af7ade9e2323107d261b35ce81
File 2
  Filesize: 430KB
  MD5: 39318f4b5dc4b3e87a6e25f6a616479a
  SHA1: cb19be4be6cd6362133fa14f1e73c35e474321f1
  SHA256: 4793b944f1e13d1da4fda781402753a0c551d23fd3fc8ea05bf34ee75e86a263
  SHA512: eae0a74f05a045fb92afadc3975436cdb102b3604f19430e312427b8e138080ff6a91f369255ef1c934465ef698585e9d4a8aeff8f2a9e8911d75575d729d2ae