Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2024, 14:52
Behavioral task: behavioral1
Sample: Server.exe
Resource: win7-20231215-en
General
Target: Server.exe
Size: 93KB
MD5: 90ac8a759ee08383aae9e92c55550701
SHA1: acb356c4b297f8072e744955a35b52ffb1f403d2
SHA256: d1e1a276ad4820f0472c8acac3f9d17d3bcd64bbe35f5c38148533f1f5b14603
SHA512: 19363a421ea763a0e5befab5134fdb90d8eee4a45ede263ca4abbd92c71a454c2cab4b9dca32d1480bedc335df79830795580d93f33afae2d364b51310e92fdd
SSDEEP: 1536:h+IYW6qbkW8aVpO1ARkoojEwzGi1dDUDxgS:h+88aVpO2SCi1dqu
Malware Config
Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
pid  Process
2740  netsh.exe
Drops startup file 6 IoCs
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  server.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  server.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c19e8f3730b35d0f4a54a9c8fb6c824Windows Update.exe  server.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c19e8f3730b35d0f4a54a9c8fb6c824Windows Update.exe  server.exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  server.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  server.exe
Executes dropped EXE 1 IoCs
pid  Process
2756  server.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description  ioc  Process
File created  C:\autorun.inf  server.exe
File opened for modification  C:\autorun.inf  server.exe
File created  F:\autorun.inf  server.exe
File opened for modification  F:\autorun.inf  server.exe
Drops file in System32 directory 2 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\Explower.exe  server.exe
File opened for modification  C:\Windows\SysWOW64\Explower.exe  server.exe
Drops file in Program Files directory 2 IoCs
description  ioc  Process
File created  C:\Program Files (x86)\Explower.exe  server.exe
File opened for modification  C:\Program Files (x86)\Explower.exe  server.exe
Drops file in Windows directory 2 IoCs
description  ioc  Process
File opened for modification  C:\Windows\server.exe  server.exe
File created  C:\Windows\server.exe  Server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
2756  server.exe (all 64 entries are identical)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid  Process
2756  server.exe
Suspicious use of AdjustPrivilegeToken 37 IoCs
description  pid  Process
Token: SeDebugPrivilege  2756  server.exe
Token: 33  2756  server.exe
Token: SeIncBasePriorityPrivilege  2756  server.exe
(the last two entries alternate for the remaining 36 IoCs, all from pid 2756 server.exe)
Suspicious use of WriteProcessMemory 8 IoCs
description  pid  Process  procid_target
PID 2088 wrote to memory of 2756  2088  Server.exe  28  (4 identical entries)
PID 2756 wrote to memory of 2740  2756  server.exe  29  (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Server.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
   PID: 2088
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\server.exe (child of 1)
      Command line: "C:\Windows\server.exe"
      PID: 2756
      - Drops startup file
      - Executes dropped EXE
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
         PID: 2740
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5B
MD5: 410c3c7c3e0376e2f9b228980b58d042
SHA1: 3aec3fa12cd88edca90fdc72a0d25cd071dc2052
SHA256: 5c272042cede2596555e6b6f2c36857b015ccab9f34affbc63d6b000ccd08391
SHA512: 2a1e382b045d59580271cb05b521d0c6e99772be7cd5ce38d3e5e1997a4cb9d3fe5d424a24c67383a5a2d0002d4a2194f71e1604fa9ff0199944f8cee9b26a57

Filesize: 93KB
MD5: 90ac8a759ee08383aae9e92c55550701
SHA1: acb356c4b297f8072e744955a35b52ffb1f403d2
SHA256: d1e1a276ad4820f0472c8acac3f9d17d3bcd64bbe35f5c38148533f1f5b14603
SHA512: 19363a421ea763a0e5befab5134fdb90d8eee4a45ede263ca4abbd92c71a454c2cab4b9dca32d1480bedc335df79830795580d93f33afae2d364b51310e92fdd