Analysis
max time kernel: 129s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2024, 14:49
Static task
static1
Behavioral task
behavioral1
Sample
VirusShare_8b6c087ce23acbe5540e2e799e215010.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
VirusShare_8b6c087ce23acbe5540e2e799e215010.exe
Resource
win10v2004-20231215-en
General
Target: VirusShare_8b6c087ce23acbe5540e2e799e215010.exe
Size: 346KB
MD5: 8b6c087ce23acbe5540e2e799e215010
SHA1: 6f4d9a8e3fb4dcc9e71ac88a2042f86873ba9593
SHA256: 26b61a616d9ff0fc7e76c5c5d5058b6a05eec82c16b8206b0a3f057e82e23e71
SHA512: 31a76bf4230f2683d768917c172a12f898f309cef4dae9087aecf6f70b66a32c6de2b79c66564db0661901306d0cef029446be0f337479a756d9ff656512228d
SSDEEP: 6144:ltdN0c+xadEDmU5JXN4/6/1B4fAd9r+KJQlStcZeNtC/ZfyBeNPTfW:rD0c+0EjX4/6/1B4fAd9KKJ6fIORqkNy
Malware Config
Extracted
gozi
1002
lolila.net
vndjtu968488.ru
moriyurw368798.ru
build: 213425
exe_type: worker
Extracted
gozi
Signatures
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Deletes itself (1 IoC)
pid | Process
2700 | cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\colodxof = "C:\\Windows\\system32\\apdsorui.exe" | VirusShare_8b6c087ce23acbe5540e2e799e215010.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\system32\apdsorui.exe | VirusShare_8b6c087ce23acbe5540e2e799e215010.exe
File opened for modification | C:\Windows\system32\apdsorui.exe | VirusShare_8b6c087ce23acbe5540e2e799e215010.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64F0.tmp" | VirusShare_8b6c087ce23acbe5540e2e799e215010.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | VirusShare_8b6c087ce23acbe5540e2e799e215010.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2220 set thread context of 2636 | 2220 | VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | 28

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (5 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
2220 | VirusShare_8b6c087ce23acbe5540e2e799e215010.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2636 | explorer.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2220 | VirusShare_8b6c087ce23acbe5540e2e799e215010.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2636 | explorer.exe (12 identical entries)

Suspicious use of FindShellTrayWindow (28 IoCs)
pid | Process
2636 | explorer.exe (28 identical entries)

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
2636 | explorer.exe (18 identical entries)

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2636 | explorer.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 2220 wrote to memory of 2636 | 2220 | VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | 28 (7 entries)
PID 2220 wrote to memory of 2700 | 2220 | VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | 30 (4 entries)
PID 2700 wrote to memory of 2708 | 2700 | cmd.exe | 31 (4 entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 1 IoC)
pid | Process
2708 | attrib.exe
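The signature list above is a flat set of events; the verdict a practitioner actually wants is the correlation between them: the sample writes into a freshly started explorer.exe and then resets its thread context (process hollowing / thread hijack), and it registers a Run key whose data is a file it dropped itself. The following is an added example, not part of the Triage report or its tooling: the event records are transcribed from the IoC rows above with repeats collapsed, and the Event fields, USER_HIVE constant and function names are my own rather than Triage's schema. The Run-key check also accepts RunOnce, which goes beyond what this report shows.

```python
"""Correlate sandbox behavioural events into two findings: an injection pair
(memory write plus thread-context change from one source into one target) and a
Run-key persistence entry whose target binary was dropped by the same process.

Added example, not part of the Triage report; event records are transcribed from
the report's IoC rows, field and function names are my own (not Triage's schema)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = "VirusShare_8b6c087ce23acbe5540e2e799e215010.exe"
# Hive prefix as it appears in the report's registry IoCs.
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000"


@dataclass
class Event:
    kind: str                         # WriteProcessMemory, SetThreadContext, FileCreate, RegSetValue
    pid: int                          # acting process
    process: str                      # image name of the acting process
    target_pid: Optional[int] = None  # set for cross-process memory / thread operations
    path: Optional[str] = None        # file path or registry value path
    data: Optional[str] = None        # registry data written


# Constructed from the report (one entry per distinct IoC; identical repeats collapsed).
EVENTS: List[Event] = [
    Event("WriteProcessMemory", 2220, SAMPLE, target_pid=2636),
    Event("SetThreadContext", 2220, SAMPLE, target_pid=2636),
    Event("WriteProcessMemory", 2220, SAMPLE, target_pid=2700),
    Event("WriteProcessMemory", 2700, "cmd.exe", target_pid=2708),
    Event("FileCreate", 2220, SAMPLE, path=r"C:\Windows\system32\apdsorui.exe"),
    Event("RegSetValue", 2220, SAMPLE,
          path=USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\colodxof",
          data=r"C:\Windows\system32\apdsorui.exe"),
    Event("RegSetValue", 2220, SAMPLE,
          path=USER_HIVE + r"\Control Panel\Desktop\Wallpaper",
          data=r"C:\Users\Admin\AppData\Local\Temp\64F0.tmp"),
]

# Matches ...\CurrentVersion\Run\<name> and ...\CurrentVersion\RunOnce\<name> (lower-cased input).
_RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$")


def find_injection(events: List[Event]) -> List[Tuple[int, int]]:
    """(source, target) pid pairs that saw both a memory write and a thread-context
    change from the same source. Either call alone is common in benign software
    (debuggers, installers); both against one target is the hollowing / thread-hijack
    pattern. A write-only pair such as 2220 -> 2700 is consistent with ordinary
    process creation and is not reported."""
    wrote, ctx = defaultdict(set), defaultdict(set)
    for e in events:
        if e.target_pid is None:
            continue
        if e.kind == "WriteProcessMemory":
            wrote[e.pid].add(e.target_pid)
        elif e.kind == "SetThreadContext":
            ctx[e.pid].add(e.target_pid)
    return sorted((src, tgt) for src in wrote for tgt in wrote[src] & ctx[src])


def find_run_key_persistence(events: List[Event]) -> List[dict]:
    """Run / RunOnce values written by a process, annotated with whether that same
    process also created the file the value points at. Run key plus self-dropped
    binary is the persistence half of this sample's behaviour."""
    dropped = defaultdict(set)  # pid -> lower-cased paths it created
    for e in events:
        if e.kind == "FileCreate" and e.path:
            dropped[e.pid].add(e.path.lower())
    hits = []
    for e in events:
        if e.kind != "RegSetValue" or e.path is None or e.data is None:
            continue
        if not _RUN_KEY_RE.search(e.path.lower()):
            continue
        hits.append({
            "pid": e.pid,
            "value_name": e.path.rsplit("\\", 1)[1],
            "image": e.data,
            "dropped_by_same_pid": e.data.lower() in dropped[e.pid],
        })
    return hits


if __name__ == "__main__":
    print("injection pairs:", find_injection(EVENTS))
    for hit in find_run_key_persistence(EVENTS):
        print("run key:", hit)
```

Run as a script it reports the single pair (2220, 2636) and the colodxof value pointing at the dropped apdsorui.exe; the wallpaper write is ignored because it is not under a Run key.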
Processes
C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe (PID 2220, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\explorer.exe (PID 2636, depth 2)
    command line: C:\Windows\explorer.exe
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe (PID 2700, depth 2)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8997.bat" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE""
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (PID 2708, depth 3)
      command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE"
      - Views/modifies file attributes
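The cmd.exe / attrib.exe branch of the tree is the sample's self-deletion helper: the original binary is handed to a batch file by its 8.3 short name (VIRUSS~1.EXE), and attrib clears the read-only, system and hidden bits so the batch file can remove it. The following is an added example, not part of the Triage report or its tooling: the four process records are transcribed from the tree above, and the Proc fields, helper names and the 8.3 short-name heuristic are my own. Matching the short name to the long parent image is what ties the attrib call back to the sample instead of to any file in %TEMP%.

```python
"""Detect the batch-file self-deletion chain: a cmd.exe child that was given a .bat
plus its parent's own image path (possibly in 8.3 form), and an attrib.exe grandchild
clearing attributes on that image.

Added example, not part of the Triage report; process records are transcribed from
the report's process tree, Proc fields and helper names are my own."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str      # full path of the executable
    cmdline: str    # command line as recorded by the sandbox


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe"

# Constructed from the report's process tree.
PROCS: List[Proc] = [
    Proc(2220, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(2636, 2220, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2700, 2220, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\8997.bat" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE""'),
    Proc(2708, 2700, r"C:\Windows\SysWOW64\attrib.exe",
         r'attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE"'),
]

# NAME~N.EXT: up to six name characters, a tilde and a number, optional 1-3 char extension.
_SHORT_RE = re.compile(r"^([^.\\]{1,6})~\d+(?:\.([^.\\]{1,3}))?$")


def short_name_matches(long_name: str, candidate: str) -> bool:
    """Heuristic 8.3 comparison: 'VirusShare_8b6c....exe' matches 'VIRUSS~1.EXE'.
    NTFS drops spaces and extra dots when generating the short name, and the ~N
    suffix depends on collisions, so any number is accepted. After repeated
    collisions NTFS switches to hash-based short names, which this does not model,
    so treat a match as strong evidence rather than proof."""
    m = _SHORT_RE.match(candidate)
    if not m:
        return candidate.lower() == long_name.lower()
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    stem = re.sub(r"[ .]", "", stem)
    prefix, short_ext = m.group(1), m.group(2) or ""
    return stem[:6].lower() == prefix.lower() and ext[:3].lower() == short_ext.lower()


def _quoted_args(cmdline: str) -> List[str]:
    """Double-quoted arguments in order. Only non-empty spans are captured, so the
    outer quote pair wrapping the whole /c payload does not produce an argument."""
    return re.findall(r'"([^"]+)"', cmdline)


def _same_file(long_path: str, candidate: str) -> bool:
    """Same directory, and the candidate's file name is the long name or its 8.3 form."""
    ldir, _, lname = long_path.rpartition("\\")
    cdir, _, cname = candidate.rpartition("\\")
    return ldir.lower() == cdir.lower() and short_name_matches(lname, cname)


def find_self_delete(procs: List[Proc]) -> List[dict]:
    """One finding per cmd.exe that was handed a .bat plus its parent's own image,
    with the pid of an attrib child clearing -r/-s/-h on that image, if any."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe") or p.ppid not in by_pid:
            continue
        parent = by_pid[p.ppid]
        args = _quoted_args(p.cmdline)
        batch = next((a for a in args if a.lower().endswith(".bat")), None)
        targets = [a for a in args if _same_file(parent.image, a)]
        if batch is None or not targets:
            continue
        attrib_pid = None
        for c in procs:
            if c.ppid != p.pid or not c.image.lower().endswith("\\attrib.exe"):
                continue
            flags = {t.lower() for t in c.cmdline.split() if t.startswith("-")}
            if flags & {"-r", "-s", "-h"} and any(_same_file(parent.image, a) for a in _quoted_args(c.cmdline)):
                attrib_pid = c.pid
                break
        findings.append({"parent_pid": parent.pid, "cmd_pid": p.pid, "batch": batch,
                         "target": targets[0], "attrib_pid": attrib_pid})
    return findings


if __name__ == "__main__":
    for finding in find_self_delete(PROCS):
        print(finding)
```

On the report's tree this yields one finding linking PID 2220, its cmd.exe child 2700 and the attrib.exe grandchild 2708. The batch file's own contents are not shown in the report, so the check keys on the argument pattern rather than on what 8997.bat does.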
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 76B
MD5: 6fbd6d86b3df3397503041edb0f46594
SHA1: 81e61f06be95f813d806574eb563f4a71503b352
SHA256: 494d6a3fda8a560321974a18fc07e1e35df7c3b7e2ec880ef016ebbbb5ad160b
SHA512: e3ec7013010d3ba871e63a9fa43196da9158c3de2844e11030645045a289d2f1a7e780be2929e182ff6e55412842111910ef41878ecf552a605d09367e54bf6d