Analysis
- max time kernel: 134s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/01/2024, 11:41
Static task: static1
Behavioral task: behavioral1
- Sample: 7743e85e4aab9c595053d4a605887cfe.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7743e85e4aab9c595053d4a605887cfe.exe
- Resource: win10v2004-20231215-en
General
- Target: 7743e85e4aab9c595053d4a605887cfe.exe
- Size: 45KB
- MD5: 7743e85e4aab9c595053d4a605887cfe
- SHA1: 91c318d180aef4abae035cf5d11705d307caf4d2
- SHA256: 92fceb949c5b1c34aa19377b103439c44a8f61ea4db43173883262ddcd71a5b8
- SHA512: 4a1112def84d26c4f42b40d46256f2b9bba2e60ace6f7da2e73f38234b539ed9901c8856bc70556a1fa741c44aede6088cb771a9a7eb3c0f2f2949da5c0cb82e
- SSDEEP: 768:y3J3kyPnf7zO23G43LLc/2vYPif9Ia3gn+hpJqOcsMVKFGARS+igNz:y3J3ka3/XEfif9PJT1F7FG2S+igNz
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2652, process cmd.exe
- Loads dropped DLL (1 IoCs)
  pid 3008, process 7743e85e4aab9c595053d4a605887cfe.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winbau32.rom,yPxRun" (process 7743e85e4aab9c595053d4a605887cfe.exe)
- Drops file in System32 directory (2 IoCs)
  File opened for modification C:\Windows\SysWOW64\winbau32.rom (process 7743e85e4aab9c595053d4a605887cfe.exe)
  File created C:\Windows\SysWOW64\winbau32.rom (process 7743e85e4aab9c595053d4a605887cfe.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings (signature name as listed in the process tree for PIDs 2868 and 2944)
  Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (process iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main (process iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (process iexplore.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (process iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (process iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412431171" (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main (process IEXPLORE.EXE)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar (process iexplore.exe)
  Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom (process iexplore.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E0D23491-BC3F-11EE-993B-FA7D6BB1EAA3} = "0" (process iexplore.exe)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 2868, process iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 2868 iexplore.exe; pid 2868 iexplore.exe; pid 2944 IEXPLORE.EXE; pid 2944 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (24 IoCs)
  Each of the following six entries is recorded four times in the log (pid, process, procid_target):
  PID 3008 (7743e85e4aab9c595053d4a605887cfe.exe) wrote to memory of 2936, procid_target 28
  PID 2936 (cmd.exe) wrote to memory of 2868, procid_target 30
  PID 2868 (iexplore.exe) wrote to memory of 2944, procid_target 31
  PID 3008 (7743e85e4aab9c595053d4a605887cfe.exe) wrote to memory of 2868, procid_target 30
  PID 3008 (7743e85e4aab9c595053d4a605887cfe.exe) wrote to memory of 2600, procid_target 32
  PID 3008 (7743e85e4aab9c595053d4a605887cfe.exe) wrote to memory of 2652, procid_target 33
Processes
- C:\Users\Admin\AppData\Local\Temp\7743e85e4aab9c595053d4a605887cfe.exe (PID 3008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7743e85e4aab9c595053d4a605887cfe.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2936)
    Command line: cmd /c start iexplore -embedding
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe (PID 2868)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2944)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 2600)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\twe1E69.bat"
  - C:\Windows\SysWOW64\cmd.exe (PID 2652)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\7743e85e4aab9c595053d4a605887cfe.bat"
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads