Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
0s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
28/01/2024, 18:28
Static task
static1
Behavioral task
behavioral1
Sample
b814afaa89cdf33bc32543afcc9c5bfe.exe
Resource
win7-20231215-en
General
-
Target
b814afaa89cdf33bc32543afcc9c5bfe.exe
-
Size
4.1MB
-
MD5
b814afaa89cdf33bc32543afcc9c5bfe
-
SHA1
3023551ecb0e29fa6433360f2a0c51d68d472b6b
-
SHA256
4641ab967c008d73785d344dd5cc99279da5d7271d9fe73a805ea2c218027b1a
-
SHA512
df2b83af2dfc29b3ac1ab8187f501cac7a6f17989a39cf2963eb3a1cfe3e5e94ac2bcd73c32376c1d2ce26ffff0fa129f19117a56251d8f605619c3481094b37
-
SSDEEP
98304:TV1wO0l/3cW0ckMAK1O4y3hKDtaW+rPldA/YAjz+/JLqQ:Tbl0l0K1ehGgtdLW0JLN
Malware Config
Signatures
-
Glupteba payload 19 IoCs
resource yara_rule behavioral1/memory/2400-2-0x0000000004D70000-0x000000000565B000-memory.dmp family_glupteba behavioral1/memory/2400-3-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2400-4-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2804-8-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2804-18-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-21-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-109-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-113-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-114-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-115-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-144-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-153-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-155-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-157-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-159-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-161-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-162-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-165-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba behavioral1/memory/2948-167-0x0000000000400000-0x0000000002EE6000-memory.dmp family_glupteba -
Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs
pid Process 576 bcdedit.exe 1552 bcdedit.exe 1968 bcdedit.exe 2896 bcdedit.exe 908 bcdedit.exe 1444 bcdedit.exe 1264 bcdedit.exe 1004 bcdedit.exe 1500 bcdedit.exe 2984 bcdedit.exe 1480 bcdedit.exe 608 bcdedit.exe 968 bcdedit.exe 1800 bcdedit.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2548 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
resource yara_rule behavioral1/files/0x00050000000120c7-147.dat upx behavioral1/files/0x00050000000120c7-149.dat upx behavioral1/files/0x00050000000120c7-150.dat upx behavioral1/memory/1580-152-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/memory/2436-151-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/memory/2436-148-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/memory/1580-154-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/memory/1580-158-0x0000000000400000-0x00000000008DF000-memory.dmp upx -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2788 sc.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2516 schtasks.exe 2696 schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b814afaa89cdf33bc32543afcc9c5bfe.exe"C:\Users\Admin\AppData\Local\Temp\b814afaa89cdf33bc32543afcc9c5bfe.exe"1⤵PID:2400
-
C:\Users\Admin\AppData\Local\Temp\b814afaa89cdf33bc32543afcc9c5bfe.exe"C:\Users\Admin\AppData\Local\Temp\b814afaa89cdf33bc32543afcc9c5bfe.exe"2⤵PID:2804
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵PID:664
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:2548
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵PID:2440
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows5⤵
- Modifies boot configuration data using bcdedit
PID:576
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}5⤵
- Modifies boot configuration data using bcdedit
PID:1968
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 05⤵
- Modifies boot configuration data using bcdedit
PID:2896
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast5⤵
- Modifies boot configuration data using bcdedit
PID:908
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}5⤵
- Modifies boot configuration data using bcdedit
PID:1444
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 15⤵
- Modifies boot configuration data using bcdedit
PID:1264
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn5⤵
- Modifies boot configuration data using bcdedit
PID:1004
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 05⤵
- Modifies boot configuration data using bcdedit
PID:1500
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe5⤵
- Modifies boot configuration data using bcdedit
PID:2984
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe5⤵
- Modifies boot configuration data using bcdedit
PID:1480
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:5⤵
- Modifies boot configuration data using bcdedit
PID:608
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:5⤵
- Modifies boot configuration data using bcdedit
PID:968
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER5⤵
- Modifies boot configuration data using bcdedit
PID:1800
-
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵PID:2760
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:2516
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵PID:2036
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
PID:1552
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe4⤵PID:2756
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
PID:2696
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵PID:2436
-
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240128182819.log C:\Windows\Logs\CBS\CbsPersist_20240128182819.cab1⤵PID:2660
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)1⤵PID:1596
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)2⤵
- Launches sc.exe
PID:2788
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:1580
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize287KB
MD5750d384dda43add0af3ec3490b69368e
SHA1815db9efc106bea40f975c4bb8821f5e198b43c5
SHA2564feffb02fc036e47e3019b8b4532fa8479bcefde5bf33d8d9e3ed0a96b718ff5
SHA512439c35b96b17120fa95cb6723d99ed7dc4e425361bec0dbeae1032abd4792f9275277111ff41fd85b42a9e077a3d6f654592a5bf33ff85ed2ca3712963217fcd
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize395KB
MD55da3a881ef991e8010deed799f1a5aaf
SHA1fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA51224fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
94KB
MD5d98e78fd57db58a11f880b45bb659767
SHA1ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831
-
Filesize
43KB
MD56697e9360e6d43577eaeb4564fb33d13
SHA12c3617aa6fb63b645ad17760a5879813349f326a
SHA25652c9123bdddcb9cd6fca082ece35e03d636522c27f8dc8833ecb74df55da1d24
SHA5129dd488d4cfb1ba578fa90a02c0cdb16d3dd5acff50a52fec71ea533163919947a6cd1f63b91890b3955f9c4e0fcd145631a8ad3e1a60ae9e9d8ca390f23273b1
-
Filesize
192KB
MD58d5abc3b848b7983e9ce4666016b5771
SHA1e2be8d87d147cf9bfca9c364d04b1b7683ceffd0
SHA256e8b457f1e54ca70b5974f2a5ecd5dc2612bd006e1bfabd57168b444e3f8d0847
SHA5123845686c373d11b893355d95d483f5a7e7e28f38b9ff289e9b3c86a1ec9c52a187e8659384483dd210ab5fee267f37e03c935eb8917af9839495ce8c8d6b3a93
-
Filesize
133KB
MD51aff3918ec3aa32e692167054bbdc253
SHA1100f8965a5d0367ff046c56fd4779dda530216d3
SHA2565ea127f5282e97e119da9ffcd38bb2e11a068629c31d37ae31d72e4ec8b12502
SHA5126139132b5dd9f8678c2badd8b41f067ce716618b449beaf761b854248558b4373aacdad0330a1f116433770632fc2eedb48d8ac475f5a15cd759a6201e1f1652
-
Filesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
Filesize
355KB
MD5cb4a5cbe8822437c5d3e98e396ba8267
SHA19cb905f36d57ef1aaefaad6c6878b8f51f460b36
SHA25668d118a039503a3bbb4b3195e2cace79ad3743596eafeb2d12ae5b2e18b7f0a7
SHA512b32b845053c48a45c91a1f86090499cfbdd5136ca563d08cc84bf3d5db7a4d7eae961dd03aa83bbf4369127cad7e87671df76bb620e4aeaf6ed44e9390fc3410
-
Filesize
409KB
MD5fcbc145e550d729ed9e449ff66a1cb37
SHA1b10015bba4999ff0d6e5cf57539e43fae89c1f87
SHA256cd4b002d4667580ef920c6ab8373d21fc9361853297daeffca2566e6fe08f94e
SHA51255517c30d7383ccf83b29d059e659bd31f76dd0bf66dd974f2599573f4b1dc69cca794623433ea34b46780852925612a3f57005e13334b166fc721df8a85d177
-
Filesize
302KB
MD55c2cf3b6c5f7ea8a069f09d91ee9feab
SHA1bd946dd4d40f230b83bd4e9b04c09f5d048999de
SHA2567826ac6b4c0c66e0e5cc618136251ea4bb15d378395026b87450bd0ea156e258
SHA512758bd690fed6c2a4f8e4645134cb15860e172d8fc725f2208f8295e89f4982ab4a8721b93fb3424c2e89180e8838649a8a729484619ae7cf1d2ea426fc38142f
-
Filesize
772KB
MD5c67545d0e046ce49d470a1fdbef171c7
SHA161126993fe74e0b33bafbf38262009c7b77be363
SHA25683beb4ef23b3676065246af537417df704166a9c9a644137a0b91eeebb8fe2b1
SHA512be4f6ba3105091f6ce88ff26a5e887e707210f6e2eb2e773c5042754a64b7e6589d053645ee530a076b9996d569d719ea967f352fb90ee2b2dfc63c6ccf06a1c
-
Filesize
609KB
MD539cebed078ceab626d73946eac450446
SHA14daddee76bb9c9c74bedc60ad3e0b056b2db3690
SHA25684e6b8718c7c3c0eadf2f046150ce4cba06ffb2672f3e0abdc1d70cc968057de
SHA51237fa9825c16e8170677d9bd9cebf9b868e11384072bb4cac8aa7a77670cf02b0fe89ebd31136018a1efa7251c7c21f0271413bdd8f30b998f8524a6a68834efa
-
Filesize
868KB
MD52e4414fdeae9003c4572d47e7cda1b98
SHA12d66e6327da680dd6665253c0153764d79d8523f
SHA25674aa1cf6d9f7a39155261cee4ccd244ccc7867471d6e279567ec88da33792b51
SHA512fd699802e29746e0127fbafd56f118f353faa00dae54cb693596f4fcb691f05ebad015bc1baf46f67302015e433e9edf278d12894859b6f80981df17800b3849
-
Filesize
28KB
MD577bdf0bd51cd7fb7bfefdd9ec75eeb80
SHA143d3cbbcc10b43b05ed3e147b248c2e901049d70
SHA256f9257ef5dc485c0cf5125ef44834b87761df6739533bab18e23882fd9ada18fd
SHA51262e037f8bc340ca4a5a2504197b2fb3ef88025d7895b87e30962cb4c5280a7176f236d44a5ef989e76f8cf5504eebbeab964ddfbc4d61ce7290c6e2456b8614a
-
Filesize
164KB
MD5cf2b2c8f2507decdd1c8b2a88d342f68
SHA13e3c04fbf7e6b04152633f472e19877f96e65ad0
SHA256f024b779e927a8495cd5cdcfb4b117881663506e7b8c82bc9330cd9070adb294
SHA5122be017e697456195273f53e1f1660fc0bb579ccb28629fd3d1d85d6d36060bfb8358d334d9be0be7a57fd9759b20e361d72ef85ede9a4e00c382c8a798b51e32
-
Filesize
80KB
MD53504dc18a9312512ef0655db9a682e88
SHA1a7472abbfa43930d75e40fe76e9725536a2e76e6
SHA256c95b9e9f124155145ee12a0b8516c4acc7d0e1d859e86364cd25e92c26aae110
SHA512c5afc95bdb827efade87e4ffdbcd58fe8b653ab27269634ecde08cce3409fd7403c6ae145c6bcb3236b5336366242424c9b10a936412af26b40905f4cffccb8f
-
Filesize
33KB
MD5ee823487a94010486228db88651129a0
SHA1a677436e0cbf428c309f3b12410c38719cad3853
SHA256d57f23e80cf9209c0e1b3e749af97988c7d8ddebd8e9a4f15444f37e34afd336
SHA5129f7584b78aa0f7e93d16200f6bca50cef5f8b5f11c416f5622c87b802d65914ba7cd33a006a50af1267ab856e301a630d7c051bc24a8c1d2bc72b1b7cf585704
-
Filesize
193KB
MD531defd0444bdd6b166e7bba48753b1ad
SHA161ef8c486d81a5c4e49a4800d548de23ed54222a
SHA256799fb390c071498c8ce7e8822a59cbad8a7216a04c3ac7ea49b27fb205287c1d
SHA512f0c1b121fb32d748cc3d5f0de94f683433b7c055ebbce7f004c32bfbb0be89ce16f98c7ebaeae46a5e0d83da4d1f6bc082a0c6de7ca305f0a4c9f6c40aba302e
-
Filesize
115KB
MD592c46760915443e19a7f026f9a6deb5a
SHA15ebaf174e9a1f35d1ea0c5826bc18daea8bb82cb
SHA25605501a7ccef88e6b3715e18d10a5f8346b0163c482adec1b9ba0fe10f6c93aea
SHA51260e3266536f86f31c182e659d4a8bea548eefa741ba78fa8c09a6f0da715de9ff68281a2dd984bbcae413bd51621541bb8590d066d98f75945239317104bfcfc
-
Filesize
163KB
MD55c399d34d8dc01741269ff1f1aca7554
SHA1e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA5128ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
-
Filesize
348KB
MD597118caea60e4fe7cfdd1f1a7047b1b6
SHA1a222c39e4222ffd2ff639fb46b89ea1ffa84295d
SHA256ed1e9ea1f0cba9a9169c9e7cc5d6b1dcef1e0d3a3f138df2830391f90d570c5f
SHA512dd0f3eb087fd2d1d65d10753463e741397eeb229348c9b1cdfbff8e3ec615fa1ea21e5c1d8ecc5d082b52176c300ab74627b577835d04530c27cf29f08caef51
-
Filesize
393KB
MD5178bad9dfb7d37a576e1398ecf37eaaf
SHA17fb233cb1657ca4fe26218577c5293640e36b5dc
SHA2569d39e16dbe20a8da05d22302c228d039f0f443254740e9ae794c65c18a06cf64
SHA51225142267b1bbd340988426a805d0751cb18cee42d6d1be08fa10f77a45b8ede4a38f31f944aeabc50565e13d45477e6b7964b135ba8dcb9bf842824632f41d7e