Resubmissions
14/02/2024, 04:27  240214-e28z5sac24  7
14/02/2024, 04:11  240214-erxjcsgf8z  10
14/02/2024, 04:02  240214-els9rahf93  10

Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 14/02/2024, 04:11
Behavioral task: behavioral1
Sample: Keygen.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: Keygen.exe
Resource: win10v2004-20231215-en
General
Target: Keygen.exe
Size: 200KB
MD5: 9718045f5002b741172a6c659e3b97fd
SHA1: 101403393b50c9de54efc4370d078922ba5f7c47
SHA256: 2a8eea400ff4d71f70d7d3b5d5ff6e636a98c84fbcb6217d5ac705a10a3b1fa7
SHA512: 2a68394fba1c7585d8c37fd5811285d064579a411e7d7b0616a17164f3ddccc15557e35062b03f3c5a4634b00913dad71d1756d94683571dedab8423372a9a88
SSDEEP: 3072:9EbmpgY+Iu0VSdVe4DOprtjG+URYEPZL4jAoI0PRy2XDZd+p6ewDejhqrY5S/+9T:O93Iwe4qDjGR/y0oDdNd+E2qrvWIMk
Malware Config
Signatures
Modifies AppInit DLL entries (2 TTPs)

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Process: Keygen.exe

resource yara_rule:
behavioral1/memory/1048-0-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral1/memory/1048-3-0x0000000000400000-0x0000000000455000-memory.dmp  upx

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
Process: Keygen.exe
ioc (one entry per drive): \??\i: \??\g: \??\y: \??\q: \??\m: \??\j: \??\k: \??\v: \??\u: \??\p: \??\n: \??\e: \??\z: \??\x: \??\s: \??\l: \??\h: \??\w: \??\t: \??\r: \??\o:

Drops file in Windows directory (1 IoC)
description: File created
ioc: C:\Windows\mssys.dll
Process: Keygen.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Suspicious behavior: MapViewOfSection (21 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege
pid: 1048
Process: Keygen.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\system32\lsm.exe
  command line: C:\Windows\system32\lsm.exe
  PID: 504
- C:\Windows\system32\sppsvc.exe
  command line: C:\Windows\system32\sppsvc.exe
  PID: 2132
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  PID: 2568
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1320
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1200
  - C:\Users\Admin\AppData\Local\Temp\Keygen.exe (child of Explorer.EXE)
    command line: "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
    PID: 1048
    - Checks BIOS information in registry
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1172
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1120
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  PID: 1080
- C:\Windows\System32\spoolsv.exe
  command line: C:\Windows\System32\spoolsv.exe
  PID: 312
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k NetworkService
  PID: 284
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService
  PID: 976
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs
  PID: 856
- C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  PID: 828
- C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  PID: 760
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k RPCSS
  PID: 696
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  PID: 616
- C:\Windows\system32\lsass.exe
  command line: C:\Windows\system32\lsass.exe
  PID: 496
- C:\Windows\system32\services.exe
  command line: C:\Windows\system32\services.exe
  PID: 480
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 436
- C:\Windows\system32\csrss.exe
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  PID: 400
- C:\Windows\system32\wininit.exe
  command line: wininit.exe
  PID: 384