Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2024, 19:36
Static task: static1
Behavioral task: behavioral1
  Sample: 687674cae6b18642ef93d2ff364af5a0.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 687674cae6b18642ef93d2ff364af5a0.exe
  Resource: win10v2004-20231215-en
General
Target: 687674cae6b18642ef93d2ff364af5a0.exe
Size: 80KB
MD5: 687674cae6b18642ef93d2ff364af5a0
SHA1: f9f8f72d07e5c44c95e7cbc08b2a4628430fb34e
SHA256: 0bdf24efbfaed5e2401a1136e679ad0f68f834984de9af73f8f6c3a8b416c0ba
SHA512: b242592eded508c46179216f932cf04836a9174172c471e43276025e4c81b55d38b2124d8b765831aebcd75b629f3bad706c80a86d520b1bf5d02656a51e7f15
SSDEEP: 1536:u+eYvIEbn5tPSxXmeCC9bCoCMBlAwiVpwFJ0T72mocT:J/2BlGEFJ0T72mBT
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 687674cae6b18642ef93d2ff364af5a0.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: gdtiuk.exe)
- Executes dropped EXE (1 IoC)
  pid 2192, process gdtiuk.exe
- Loads dropped DLL (2 IoCs)
  pid 2536, process 687674cae6b18642ef93d2ff364af5a0.exe (two DLL loads)
- Adds Run key to start application (2 TTPs, 27 IoCs)
  Key: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\gdtiuk
  All 27 entries are "Set value (str)" on this key; the value is the dropped binary with a single-letter switch. Set by gdtiuk.exe unless noted:
  "C:\\Users\\Admin\\gdtiuk.exe /v"
  "C:\\Users\\Admin\\gdtiuk.exe /x"
  "C:\\Users\\Admin\\gdtiuk.exe /p"
  "C:\\Users\\Admin\\gdtiuk.exe /j"
  "C:\\Users\\Admin\\gdtiuk.exe /i"
  "C:\\Users\\Admin\\gdtiuk.exe /h"
  "C:\\Users\\Admin\\gdtiuk.exe /o"
  "C:\\Users\\Admin\\gdtiuk.exe /n"
  "C:\\Users\\Admin\\gdtiuk.exe /z"
  "C:\\Users\\Admin\\gdtiuk.exe /s"
  "C:\\Users\\Admin\\gdtiuk.exe /e"
  "C:\\Users\\Admin\\gdtiuk.exe /m"
  "C:\\Users\\Admin\\gdtiuk.exe /d"
  "C:\\Users\\Admin\\gdtiuk.exe /a"
  "C:\\Users\\Admin\\gdtiuk.exe /r"
  "C:\\Users\\Admin\\gdtiuk.exe /q"
  "C:\\Users\\Admin\\gdtiuk.exe /l"
  "C:\\Users\\Admin\\gdtiuk.exe /b"
  "C:\\Users\\Admin\\gdtiuk.exe /c"
  "C:\\Users\\Admin\\gdtiuk.exe /k"
  "C:\\Users\\Admin\\gdtiuk.exe /y"
  "C:\\Users\\Admin\\gdtiuk.exe /g"
  "C:\\Users\\Admin\\gdtiuk.exe /w"
  "C:\\Users\\Admin\\gdtiuk.exe /f"
  "C:\\Users\\Admin\\gdtiuk.exe /u"
  "C:\\Users\\Admin\\gdtiuk.exe /g" (process: 687674cae6b18642ef93d2ff364af5a0.exe)
  "C:\\Users\\Admin\\gdtiuk.exe /t"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2536, process 687674cae6b18642ef93d2ff364af5a0.exe (1 event)
  pid 2192, process gdtiuk.exe (remaining 63 events)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2536, process 687674cae6b18642ef93d2ff364af5a0.exe
  pid 2192, process gdtiuk.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2536 (687674cae6b18642ef93d2ff364af5a0.exe) wrote to memory of PID 2192, procid_target 28; recorded four times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\687674cae6b18642ef93d2ff364af5a0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\687674cae6b18642ef93d2ff364af5a0.exe"
   PID: 2536
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\gdtiuk.exe (child of PID 2536)
   Command line: "C:\Users\Admin\gdtiuk.exe"
   PID: 2192
   - Modifies visibility of hidden/system files in Explorer
   - Executes dropped EXE
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 80KB
MD5: 2053154bc13a6ff601db9d173fce0955
SHA1: 6a9783cb6666ad44571236673196239e8530d3cf
SHA256: 59f805fd3718644d7f98f5efc3e963126d7a5cc18667f9b51a01bbfbc1ddd273
SHA512: 367c4171c57dfb52a39c1ad61640024c081f5873824559e2340db0f148e649d9a8d41696520a84eaf22213ceb67fb346e90ca324a446b23997dc394122023d0f