Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25/01/2024, 06:52
Behavioral task
behavioral1
Sample
7403f55d628688afbfd7e05cd5c27745.exe
Resource
win7-20231215-en
General
-
Target
7403f55d628688afbfd7e05cd5c27745.exe
-
Size
108KB
-
MD5
7403f55d628688afbfd7e05cd5c27745
-
SHA1
db263c0be17efc4c7b53b9badb96df7cfeb4761c
-
SHA256
cc30d0840f3109070e558d8c9fc113fc582e8ef91344c74e360ebbe1a62df319
-
SHA512
212408a2293ee837da24bab9584adbe46c5d00a751143088a0d57c71b31e2c05fc26e0bbf7a8886d67dc2cfca1053689cd85e0c00b2df6c5e570d2e4423b6fa1
-
SSDEEP
3072:ed1qCcXqjW4yRq4XrCoa/5c268NsQA+inB1qpfYU8:edaOjy8Smo1260Q+iB18fY
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 2496 7403f55d628688afbfd7e05cd5c27745.exe -
resource yara_rule behavioral1/memory/2496-0-0x0000000000400000-0x0000000000448000-memory.dmp upx behavioral1/files/0x0007000000014fa0-14.dat upx behavioral1/memory/2496-33-0x0000000000400000-0x0000000000448000-memory.dmp upx -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 15 IoCs
description ioc Process File created C:\Windows\inf\Https.dll 7403f55d628688afbfd7e05cd5c27745.exe File opened for modification C:\Windows\inf\Https.dll 7403f55d628688afbfd7e05cd5c27745.exe File created C:\Windows\inf\Https.pnf 7403f55d628688afbfd7e05cd5c27745.exe File created C:\Windows\IME\helps.txt 7403f55d628688afbfd7e05cd5c27745.exe File created C:\Windows\inf\Wdica.sys 7403f55d628688afbfd7e05cd5c27745.exe File opened for modification C:\Windows\inf\Https.hiv 7403f55d628688afbfd7e05cd5c27745.exe File opened for modification C:\Windows\inf\Https.sys 7403f55d628688afbfd7e05cd5c27745.exe File opened for modification C:\Windows\inf\ws2hlp.PNF 7403f55d628688afbfd7e05cd5c27745.exe File created C:\Windows\inf\Wdica.hiv 7403f55d628688afbfd7e05cd5c27745.exe File created C:\Windows\inf\Https.hiv 7403f55d628688afbfd7e05cd5c27745.exe File created C:\Windows\inf\ws2hlp.PNF 7403f55d628688afbfd7e05cd5c27745.exe File opened for modification C:\Windows\inf\Https.pnf 7403f55d628688afbfd7e05cd5c27745.exe File opened for modification C:\Windows\inf\Wdica.sys 7403f55d628688afbfd7e05cd5c27745.exe File opened for modification C:\Windows\inf\Wdica.hiv 7403f55d628688afbfd7e05cd5c27745.exe File created C:\Windows\inf\Https.sys 7403f55d628688afbfd7e05cd5c27745.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2496 7403f55d628688afbfd7e05cd5c27745.exe 2496 7403f55d628688afbfd7e05cd5c27745.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 2496 7403f55d628688afbfd7e05cd5c27745.exe 2496 7403f55d628688afbfd7e05cd5c27745.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2496 7403f55d628688afbfd7e05cd5c27745.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeSystemProfilePrivilege 2496 7403f55d628688afbfd7e05cd5c27745.exe Token: SeTakeOwnershipPrivilege 2496 7403f55d628688afbfd7e05cd5c27745.exe Token: SeSecurityPrivilege 2496 7403f55d628688afbfd7e05cd5c27745.exe Token: SeBackupPrivilege 2496 7403f55d628688afbfd7e05cd5c27745.exe Token: SeRestorePrivilege 2496 7403f55d628688afbfd7e05cd5c27745.exe Token: SeMachineAccountPrivilege 2496 7403f55d628688afbfd7e05cd5c27745.exe Token: SeChangeNotifyPrivilege 2496 7403f55d628688afbfd7e05cd5c27745.exe Token: SeLoadDriverPrivilege 2496 7403f55d628688afbfd7e05cd5c27745.exe Token: SeDebugPrivilege 2496 7403f55d628688afbfd7e05cd5c27745.exe -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Wdica 7403f55d628688afbfd7e05cd5c27745.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Wdica\ImagePath = "inf\\Wdica.sys" 7403f55d628688afbfd7e05cd5c27745.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7403f55d628688afbfd7e05cd5c27745.exe"C:\Users\Admin\AppData\Local\Temp\7403f55d628688afbfd7e05cd5c27745.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2496
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129KB
MD5725b2bca81693a0f6c6fa53bbd70b43a
SHA194bc84e3aec060ad304a95c7ee9f711ac229c4f9
SHA25670536818eed11a42358234c12b841fadc35b368df32f51766b0abc780a510e4e
SHA51293d711f0aaa80a22e9ab38d03e1bac50b3f12260daefd5f76e4ce742590d7b18f0c71619137103001ffea95a0f97b7e9fe47f4969b80d56af4cbe05b765d66e5
-
Filesize
16KB
MD52de012f51bb1405de2a0252b9ee956d1
SHA182ce85a4353bad2a76c50f475de51bd4b5aeb226
SHA25654cba28e4813b9e3ee154d68bb77b9b5c14aa0a74549cdbfbbabeeb86ccf17fb
SHA512c7fe6206ea3f3632a19f6c788c77d1d2bc304170b9ebabdc9d398f01e145a8af7ab17973afa3be0c390c2a2e3c3d61babbecbdba504a2b51502d5ff372e79a48
-
Filesize
40KB
MD584799328d87b3091a3bdd251e1ad31f9
SHA164dbbe8210049f4d762de22525a7fe4313bf99d0
SHA256f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b
SHA5120a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4