Analysis
- max time kernel: 33s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 14/02/2024, 07:32
Static task
- static1
Behavioral task
- behavioral1
  Sample: 9b1fbfd63513103ee14c85f72db99c96.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 9b1fbfd63513103ee14c85f72db99c96.exe
  Resource: win10v2004-20231215-en
Errors
General
- Target: 9b1fbfd63513103ee14c85f72db99c96.exe
- Size: 685KB
- MD5: 9b1fbfd63513103ee14c85f72db99c96
- SHA1: 83df19cfd98ff18cde9a5335f00c96b87ba64284
- SHA256: cf29a82a5b1592480fef0ef8f5a3ccc49721cebd64bfc0932a2709eeecaffd13
- SHA512: 06a70b75a69d8f38ebf87fadb377dab34c5306a87fa352eddd1c39528456f286f37189f4190a62f2d388b8de937414a217f17bd7168ee31f713d27f270c25123
- SSDEEP: 12288:3rJ7482eDChzUlPY7oMDmzZ0FDAhCF3Z4mxxqi4Fv81knkstG:7Jk82e+ax1MDs0FDAUQmXtRku
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2836  SERVER~1.EXE
  2720  Hacker.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2080  9b1fbfd63513103ee14c85f72db99c96.exe  (2 times)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 9b1fbfd63513103ee14c85f72db99c96.exe
- Drops file in Windows directory (3 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\Hacker.exe    SERVER~1.EXE
  File opened for modification  C:\Windows\Hacker.exe    SERVER~1.EXE
  File created                  C:\Windows\uninstal.bat  SERVER~1.EXE
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     2836  SERVER~1.EXE
  Token: SeDebugPrivilege     2720  Hacker.exe
  Token: SeShutdownPrivilege  2080  9b1fbfd63513103ee14c85f72db99c96.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2720  Hacker.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process                               procid_target
  PID 2080 wrote to memory of 2836   2080  9b1fbfd63513103ee14c85f72db99c96.exe  28  (4 times)
  PID 2720 wrote to memory of 1756   2720  Hacker.exe                            30  (4 times)
  PID 2836 wrote to memory of 2776   2836  SERVER~1.EXE                          31  (7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\9b1fbfd63513103ee14c85f72db99c96.exe (PID 2080)
  command line: "C:\Users\Admin\AppData\Local\Temp\9b1fbfd63513103ee14c85f72db99c96.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE (PID 2836)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - child: C:\Windows\SysWOW64\cmd.exe (PID 2776)
      command line: cmd /c C:\Windows\uninstal.bat
- C:\Windows\Hacker.exe (PID 2720)
  command line: C:\Windows\Hacker.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - child: C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 1756)
    command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
- C:\Windows\system32\LogonUI.exe (PID 2584)
  command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe (PID 2228)
  command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 164B
  MD5: 924ea7ae6df752587469376459875c51
  SHA1: ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1
  SHA256: 46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09
  SHA512: ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35
- Filesize: 743KB
  MD5: b2e9487a4c2f70600bb28e6dccd8ffeb
  SHA1: 1044b1d7151381f734e243b453742dba00f64f84
  SHA256: f00029218cf5e01fd386fc84a854d39bd35068cffe0035104832836428f0a207
  SHA512: d89b77770cab9cac697ca193aa42271c8d7cf7e09a1e3c6231db957d44d753b521b09a862294fee96ac0ea85c207d1a8a005317081c072df8332f22530245105