Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 03/02/2024, 13:29

Static task
- static1

Behavioral task
- behavioral1
  Sample: 8c715b595c817d0329225d6ac38f589c.exe
  Resource: win7-20231215-en

Behavioral task
- behavioral2
  Sample: 8c715b595c817d0329225d6ac38f589c.exe
  Resource: win10v2004-20231222-en
General
- Target: 8c715b595c817d0329225d6ac38f589c.exe
- Size: 1.4MB
- MD5: 8c715b595c817d0329225d6ac38f589c
- SHA1: 7f4fd357056b846cf0ba7d27af3b9cbb59f18fa9
- SHA256: e46615f5b0889ce0e5ad823d3d9ac0cb096765ce42c57d48ab33a85d341ad1e0
- SHA512: 9da7288367be001fd951335841d8ded0d1bcf41c15a41dae521cf28c30bfd080121f7899885bca06dd34f2679dd9d94d521a147ca482d1cf52a6c9c68f27c9e4
- SSDEEP: 24576:wL0mqdRkD33/hnheiisfPxREPu3sjleyqULE1XOu6JPX3Jmj:wolODnreAfJREze7/XOdpnU
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  description / ioc / Process:
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts (services.exe)

Drops startup file (2 IoCs)
  description / ioc / Process:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe (services.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe (services.exe)

Executes dropped EXE (1 IoC)
  pid / Process:
  - 2836 services.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows OS = "C:\\Program Files\\Internet Explorer\\services.exe" (services.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Windows OS = "C:\\Program Files\\Internet Explorer\\services.exe" (services.exe)

Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (8c715b595c817d0329225d6ac38f589c.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (8c715b595c817d0329225d6ac38f589c.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (services.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (services.exe)

Drops file in Program Files directory (4 IoCs)
  description / ioc / Process:
  - File created: C:\Program Files\Internet Explorer\services.exe (8c715b595c817d0329225d6ac38f589c.exe)
  - File opened for modification: C:\Program Files\Internet Explorer\services.exe (8c715b595c817d0329225d6ac38f589c.exe)
  - File created: C:\Program Files\Internet Explorer\ID.Conf (services.exe)
  - File opened for modification: C:\Program Files\Internet Explorer\services.exe (services.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  - 2456 8c715b595c817d0329225d6ac38f589c.exe (10 entries)
  - 2836 services.exe (54 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege, 2456 8c715b595c817d0329225d6ac38f589c.exe
  - Token: SeDebugPrivilege, 2836 services.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  - PID 2456 wrote to memory of 2836; 2456 8c715b595c817d0329225d6ac38f589c.exe; procid_target 28 (3 entries)
  - PID 2836 wrote to memory of 2728; 2836 services.exe; procid_target 29 (3 entries)
  - PID 2728 wrote to memory of 2560; 2728 cmd.exe; procid_target 31 (3 entries)
  - PID 2560 wrote to memory of 2556; 2560 net.exe; procid_target 32 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8c715b595c817d0329225d6ac38f589c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c715b595c817d0329225d6ac38f589c.exe"
   PID: 2456
   - Maps connected drives based on registry
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\services.exe
      Command line: "C:\Program Files\Internet Explorer\services.exe"
      PID: 2836
      - Drops file in Drivers directory
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         Command line: cmd.exe /c net stop "Security Center"
         PID: 2728
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\net.exe
            Command line: net stop "Security Center"
            PID: 2560
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\net1.exe
               Command line: C:\Windows\system32\net1 stop "Security Center"
               PID: 2556
Network
MITRE ATT&CK Enterprise v15