Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/01/2024, 17:04
Behavioral task
- behavioral1
  - Sample: 750afb1d76ee322d7cbc90b21d5c6104.exe
  - Resource: win7-20231215-en
General
- Target: 750afb1d76ee322d7cbc90b21d5c6104.exe
- Size: 960KB
- MD5: 750afb1d76ee322d7cbc90b21d5c6104
- SHA1: 0f7ba39b303ea7818b656ff89ba7d3cb7e1d0f1a
- SHA256: bd72911ea9cab04b4553ba99241d8aa5c6196e085e37615ca01dee6c98ca5c80
- SHA512: c4c649d55ad4785a207996e7b2799ea2aac32121893e24ae4b3a5dd0b264707c4c60969ec314f5a939ae8ce3617fb08d1355439e32b261621d5bed2a9fa9a475
- SSDEEP: 12288:X6Wq4aaE6KwyF5L0Y2D1PqLb6Wq4aaE6KwyF5L0Y2D1PqLx6Wq4aaE6KwyF5L0Y8:1thEVaPqLBthEVaPqLHthEVaPqLTthS
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | svhost.exe
Executes dropped EXE (1 IoC)
  pid | Process
  3044 | svhost.exe

yara_rule matches: upx (6 IoCs)
  resource | yara_rule
  behavioral1/memory/2032-0-0x0000000000400000-0x0000000000523000-memory.dmp | upx
  behavioral1/files/0x000800000001224f-4.dat | upx
  behavioral1/memory/3044-6-0x0000000000400000-0x0000000000523000-memory.dmp | upx
  behavioral1/files/0x0030000000016d30-66.dat | upx
  behavioral1/memory/2032-698-0x0000000000400000-0x0000000000523000-memory.dmp | upx
  behavioral1/memory/3044-2584-0x0000000000400000-0x0000000000523000-memory.dmp | upx
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\r: | svhost.exe
  File opened (read-only) | \??\w: | svhost.exe
  File opened (read-only) | \??\y: | svhost.exe
  File opened (read-only) | \??\l: | svhost.exe
  File opened (read-only) | \??\b: | svhost.exe
  File opened (read-only) | \??\i: | svhost.exe
  File opened (read-only) | \??\j: | svhost.exe
  File opened (read-only) | \??\o: | svhost.exe
  File opened (read-only) | \??\s: | svhost.exe
  File opened (read-only) | \??\t: | svhost.exe
  File opened (read-only) | \??\v: | svhost.exe
  File opened (read-only) | \??\a: | svhost.exe
  File opened (read-only) | \??\k: | svhost.exe
  File opened (read-only) | \??\m: | svhost.exe
  File opened (read-only) | \??\n: | svhost.exe
  File opened (read-only) | \??\u: | svhost.exe
  File opened (read-only) | \??\x: | svhost.exe
  File opened (read-only) | \??\z: | svhost.exe
  File opened (read-only) | \??\e: | svhost.exe
  File opened (read-only) | \??\h: | svhost.exe
  File opened (read-only) | \??\p: | svhost.exe
  File opened (read-only) | \??\q: | svhost.exe
  File opened (read-only) | \??\g: | svhost.exe
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/memory/3044-6-0x0000000000400000-0x0000000000523000-memory.dmp | autoit_exe
  behavioral1/memory/2032-698-0x0000000000400000-0x0000000000523000-memory.dmp | autoit_exe
  behavioral1/memory/3044-2584-0x0000000000400000-0x0000000000523000-memory.dmp | autoit_exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\svhost.exe | 750afb1d76ee322d7cbc90b21d5c6104.exe
  File opened for modification | C:\Windows\Driver.db | svhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2032 | 750afb1d76ee322d7cbc90b21d5c6104.exe
  3044 | svhost.exe
  3044 | svhost.exe
  3044 | svhost.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3044 | svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  2032 | 750afb1d76ee322d7cbc90b21d5c6104.exe
  3044 | svhost.exe
  (64 events in total; every row is one of the two pid/Process pairs above, with the bulk attributed to 3044 svhost.exe)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  2032 | 750afb1d76ee322d7cbc90b21d5c6104.exe
  3044 | svhost.exe
  (64 events in total; every row is one of the two pid/Process pairs above, with the bulk attributed to 3044 svhost.exe)
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2032 wrote to memory of 3044 | 2032 | 750afb1d76ee322d7cbc90b21d5c6104.exe | 28
  PID 2032 wrote to memory of 3044 | 2032 | 750afb1d76ee322d7cbc90b21d5c6104.exe | 28
  PID 2032 wrote to memory of 3044 | 2032 | 750afb1d76ee322d7cbc90b21d5c6104.exe | 28
  PID 2032 wrote to memory of 3044 | 2032 | 750afb1d76ee322d7cbc90b21d5c6104.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\750afb1d76ee322d7cbc90b21d5c6104.exe (PID:2032)
   Command line: "C:\Users\Admin\AppData\Local\Temp\750afb1d76ee322d7cbc90b21d5c6104.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\svhost.exe (PID:3044), child of process 1
      Command line: C:\Windows\svhost.exe
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 960KB
  - MD5: 619c5358f2f1849e6d816acbd1d356a5
  - SHA1: 9f55daa7f1c0ef0cc87649116be99f50e68e0fc2
  - SHA256: be4d99806ec555dea3b08f84b5d66c5ef538448f59a66d40e4600fa4915c3cbe
  - SHA512: e299491641276981d28e79bb9f12de6f9a67d528cb97740c9c55a426a6ec0f7d8582074cbaf2ac17f7d44840e02c9c2d2fdd88785249c855b7e7f56a0a081ec5
- File 2
  - Filesize: 82B
  - MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
  - SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
  - SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
  - SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4
- File 3
  - Filesize: 960KB
  - MD5: 3aac959517c08b5cc0a053bebdac3939
  - SHA1: 30c1217fc593b1359eceea268eec11d4cfa22aca
  - SHA256: 6b6a99d783b49235700cb05b4e80e62191dc2664626e4a8ea6b2d217267b3805
  - SHA512: 64374fbcb372d58191de3084a5358096f3ff4eb443010727215102ada6f9705562b621fe881c4b2c73a95d81b559312862794e498d7168081f236446322ffbd9