Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/01/2024, 04:04
Static task: static1
Behavioral task: behavioral1
  Sample: 7ed6669275b4f7ef72fcb5ca59eafff4.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7ed6669275b4f7ef72fcb5ca59eafff4.exe
  Resource: win10v2004-20231215-en
General
- Target: 7ed6669275b4f7ef72fcb5ca59eafff4.exe
- Size: 576KB
- MD5: 7ed6669275b4f7ef72fcb5ca59eafff4
- SHA1: bc281b10918e351939cabf0b9ad94714391efa1e
- SHA256: 3d67d225b2cb66e45dab3b88eefc316d6b5da7648f3a4e13939058d64943daf0
- SHA512: 3c62d5e90e004db2e46208f78fdd770ff18795fe7332af1ce0d684263b3ad7fd90108bf301e6d278cfc7adc470a7fa1b225dd56ab0fd752216f68eb909330aba
- SSDEEP: 12288:CVEeMMiPTI538Faif9HLR5O6IyfruKv91zNCe88wYUxB+x2Y:COkaC3ViFrnO6Iyf7vQYj2Y
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid | Process
  2656 | B6232F3A5CC.exe
  2644 | B6232F3A5CC.exe
  1848 | B6232F3A5CC.exe
  2980 | F7J4624.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  2808 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe
  2808 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe
  1848 | B6232F3A5CC.exe
  1848 | B6232F3A5CC.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- resource | yara_rule
  behavioral1/memory/2808-20-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-25-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-22-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-27-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-28-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-30-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-31-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-33-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-35-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-36-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-34-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-32-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/2808-74-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/1848-90-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
  behavioral1/memory/1848-101-0x0000000000400000-0x00000000004A7000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\4Y3Y0C3AVF7XWHXDXRCGD = "C:\\Recycle.Bin\\B6232F3A5CC.exe /q" | F7J4624.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe
  File opened for modification | \??\PhysicalDrive0 | B6232F3A5CC.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 2304 set thread context of 2320 | 2304 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe | 28
  PID 2320 set thread context of 2808 | 2320 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe | 29
  PID 2656 set thread context of 2644 | 2656 | B6232F3A5CC.exe | 31
  PID 2644 set thread context of 1848 | 2644 | B6232F3A5CC.exe | 32
- Modifies Internet Explorer Phishing Filter (1 TTP, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter | F7J4624.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | F7J4624.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0" | F7J4624.exe
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery | F7J4624.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0" | F7J4624.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | rows
  2808 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe | 2
  1848 | B6232F3A5CC.exe | 1
  2980 | F7J4624.exe | 61
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process | rows
  Token: SeDebugPrivilege | 2808 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe | 4
  Token: SeDebugPrivilege | 1848 | B6232F3A5CC.exe | 2
  Token: SeDebugPrivilege | 2980 | F7J4624.exe | 58
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2304 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe
  2320 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe
  2656 | B6232F3A5CC.exe
  2644 | B6232F3A5CC.exe
- Suspicious use of WriteProcessMemory (51 IoCs)
  description | pid | Process | procid_target | rows
  PID 2304 wrote to memory of 2320 | 2304 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe | 28 | 9
  PID 2320 wrote to memory of 2808 | 2320 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe | 29 | 8
  PID 2808 wrote to memory of 2320 | 2808 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe | 28 | 3
  PID 2808 wrote to memory of 2656 | 2808 | 7ed6669275b4f7ef72fcb5ca59eafff4.exe | 30 | 4
  PID 2656 wrote to memory of 2644 | 2656 | B6232F3A5CC.exe | 31 | 9
  PID 2644 wrote to memory of 1848 | 2644 | B6232F3A5CC.exe | 32 | 8
  PID 1848 wrote to memory of 2980 | 1848 | B6232F3A5CC.exe | 33 | 6
  PID 2980 wrote to memory of 2320 | 2980 | F7J4624.exe | 28 | 4
  (identical rows in the three tables above are collapsed; the "rows" column gives how many times each entry appears in the report)
Processes
(process tree; each entry is a child of the one above it)
1. C:\Users\Admin\AppData\Local\Temp\7ed6669275b4f7ef72fcb5ca59eafff4.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7ed6669275b4f7ef72fcb5ca59eafff4.exe"
   PID: 2304
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\7ed6669275b4f7ef72fcb5ca59eafff4.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7ed6669275b4f7ef72fcb5ca59eafff4.exe"
   PID: 2320
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\7ed6669275b4f7ef72fcb5ca59eafff4.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7ed6669275b4f7ef72fcb5ca59eafff4.exe"
   PID: 2808
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
4. C:\Recycle.Bin\B6232F3A5CC.exe
   command line: "C:\Recycle.Bin\B6232F3A5CC.exe"
   PID: 2656
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
5. C:\Recycle.Bin\B6232F3A5CC.exe
   command line: "C:\Recycle.Bin\B6232F3A5CC.exe"
   PID: 2644
   - Executes dropped EXE
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
6. C:\Recycle.Bin\B6232F3A5CC.exe
   command line: "C:\Recycle.Bin\B6232F3A5CC.exe"
   PID: 1848
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
7. C:\Users\Admin\AppData\Local\Temp\F7J4624.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\F7J4624.exe"
   PID: 2980
   - Executes dropped EXE
   - Adds Run key to start application
   - Modifies Internet Explorer Phishing Filter
   - Modifies Internet Explorer settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 320KB
  MD5: 5ea1ba0c78b899b81e777e106cf417d0
  SHA1: c31ef3cb409d9fe27971e20ffcdd7ad3c60c14f4
  SHA256: ef0ff68430371ac2a50054b6c35f2a5832f1b56a6946bc8c62ff050be2686f60
  SHA512: 91963381e780021391d56513a0d232445ee1ccfd49baae3831fbcd0e539fab9e008393913cba72d7011aff39a139d0e45cefcfd4024c2cd062b57d2b382e04ce
- Filesize: 3KB
  MD5: 29090b6b4d6605a97ac760d06436ac2d
  SHA1: d929d3389642e52bae5ad8512293c9c4d3e4fab5
  SHA256: 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272
  SHA512: 9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be
- Filesize: 576KB
  MD5: 7ed6669275b4f7ef72fcb5ca59eafff4
  SHA1: bc281b10918e351939cabf0b9ad94714391efa1e
  SHA256: 3d67d225b2cb66e45dab3b88eefc316d6b5da7648f3a4e13939058d64943daf0
  SHA512: 3c62d5e90e004db2e46208f78fdd770ff18795fe7332af1ce0d684263b3ad7fd90108bf301e6d278cfc7adc470a7fa1b225dd56ab0fd752216f68eb909330aba