Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 11/01/2024, 12:57
Behavioral task: behavioral1
Sample: 53947e11087d5ea12f61b14ff4ecf26d.exe
Resource: win7-20231215-en
General
Target: 53947e11087d5ea12f61b14ff4ecf26d.exe
Size: 8.7MB
MD5: 53947e11087d5ea12f61b14ff4ecf26d
SHA1: f31d04d2ea5fc27472e5cc1a4337c07fe503787e
SHA256: cc707470bc011b580d82648799497028f2422a8d18e608619b6fc587e38b38b7
SHA512: 2d2411169463e217d1b10c4092b98b77e8981d925abfa9fb329c4030ad19136797043264d8b6c0ce5538c88239e601502b684652b7c53471a7a3be970922b3c3
SSDEEP: 98304:dE35EnE35ETE35E+E35EeE35EqE35EsE35EWE35EKE35EfE35EFE35E1E35EZE3y:v
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  process: svhost.exe
Executes dropped EXE (1 IoCs)
  pid: 2820
  process: svhost.exe

yara_rule matches: upx
  resource: behavioral1/memory/2072-0-0x0000000000400000-0x0000000000523000-memory.dmp
  resource: behavioral1/files/0x000b0000000126e7-4.dat
  resource: behavioral1/memory/2072-767-0x0000000000400000-0x0000000000523000-memory.dmp
  resource: behavioral1/memory/2820-2580-0x0000000000400000-0x0000000000523000-memory.dmp
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  process: svhost.exe
  ioc (23 drive roots, in the order reported): \??\w: \??\y: \??\a: \??\h: \??\k: \??\o: \??\r: \??\t: \??\u: \??\v: \??\b: \??\j: \??\n: \??\p: \??\s: \??\x: \??\z: \??\l: \??\q: \??\e: \??\g: \??\i: \??\m:
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  yara_rule: autoit_exe
  resource: behavioral1/memory/2072-767-0x0000000000400000-0x0000000000523000-memory.dmp
  resource: behavioral1/memory/2820-2580-0x0000000000400000-0x0000000000523000-memory.dmp
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\svhost.exe (process: 53947e11087d5ea12f61b14ff4ecf26d.exe)
  File opened for modification: C:\Windows\Driver.db (process: svhost.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2072  process 53947e11087d5ea12f61b14ff4ecf26d.exe
  pid 2820  process svhost.exe
  pid 2820  process svhost.exe
  pid 2820  process svhost.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 2820  process svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
  All 64 entries come from pid 2072 (53947e11087d5ea12f61b14ff4ecf26d.exe) and pid 2820 (svhost.exe); the bulk of the later entries are from pid 2820.

Suspicious use of SendNotifyMessage (64 IoCs)
  All 64 entries come from pid 2072 (53947e11087d5ea12f61b14ff4ecf26d.exe) and pid 2820 (svhost.exe); the bulk of the later entries are from pid 2820.
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2072 wrote to memory of 2820
  pid: 2072
  process: 53947e11087d5ea12f61b14ff4ecf26d.exe
  procid_target: 28
  (the same entry is reported four times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\53947e11087d5ea12f61b14ff4ecf26d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\53947e11087d5ea12f61b14ff4ecf26d.exe"
   PID: 2072
   Signatures:
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\svhost.exe (child of PID 2072)
      Command line: C:\Windows\svhost.exe
      PID: 2820
      Signatures:
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 82B
  MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
  SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
  SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
  SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

File 2
  Filesize: 2.0MB
  MD5: 722cc04bd2788c402210bd14e5854f13
  SHA1: 2f1056fbc22dfbd2b1165d97557950dd7baba7b6
  SHA256: 1af3568109f002dc48fc0a981b50282bb873bb79df15d7c9a222d1dbd28130f8
  SHA512: 9f540734aa1f5847f3988aaa66f96e26de3bba5809e949222bd6d24d58f9c0ea4dcf3f308622b8203b18b6415ee057b24564717e82fa6e765ee759970e31b55b