Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20/02/2024, 18:30
Static task: static1
Behavioral task: behavioral1
- Sample: student.exe
- Resource: win7-20231215-en
General
- Target: student.exe
- Size: 5.1MB
- MD5: 8748891eb1584c4502a15577d3075d41
- SHA1: e0304bd87d1e7516ca6f49d8896fa8498b830ab5
- SHA256: f2167589cc58e0bbb31100da792d13a9bcb8e98e511aa2405e896223a11ddabd
- SHA512: a2c46761b31050f319f55d6e2de35ee59f22d427e9edf2f7a7061922aeafde44b56cdc6165e0523d01f21dacf20013d6eb10ce1b4627134b6d8e866de9169024
- SSDEEP: 98304:Rx9iA5FR7kozLG5k4iugdOsmX6Xpcvy3r3MKpeGVxG06Puy+1M:Rx935FJfzLjunX6XpmGVwyy+G
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | student.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | student.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | student.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | student.exe
- Disables Task Manager via registry modification
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
  pid | Process
  2688 | NETSH.EXE
  2804 | NETSH.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Enumerates connected drives (3 TTPs, 20 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\J: | student.exe
  File opened (read-only) | \??\U: | student.exe
  File opened (read-only) | \??\L: | student.exe
  File opened (read-only) | \??\K: | student.exe
  File opened (read-only) | \??\R: | student.exe
  File opened (read-only) | \??\Z: | student.exe
  File opened (read-only) | \??\V: | student.exe
  File opened (read-only) | \??\T: | student.exe
  File opened (read-only) | \??\O: | student.exe
  File opened (read-only) | \??\M: | student.exe
  File opened (read-only) | \??\I: | student.exe
  File opened (read-only) | \??\H: | student.exe
  File opened (read-only) | \??\W: | student.exe
  File opened (read-only) | \??\S: | student.exe
  File opened (read-only) | \??\P: | student.exe
  File opened (read-only) | \??\N: | student.exe
  File opened (read-only) | \??\G: | student.exe
  File opened (read-only) | \??\Y: | student.exe
  File opened (read-only) | \??\X: | student.exe
  File opened (read-only) | \??\Q: | student.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings (2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | student.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | student.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  3028 | student.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3028 | student.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeTcbPrivilege | 3028 | student.exe
  Token: SeDebugPrivilege | 3028 | student.exe
  Token: SeTcbPrivilege | 3028 | student.exe
  Token: SeTcbPrivilege | 3028 | student.exe
  Token: SeBackupPrivilege | 3028 | student.exe
  Token: SeTcbPrivilege | 3028 | student.exe
  Token: SeTcbPrivilege | 3028 | student.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  3028 | student.exe
  3028 | student.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | Process
  3028 | student.exe
  3028 | student.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  3028 | student.exe
  3028 | student.exe
  3028 | student.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 3028 wrote to memory of 2688 | 3028 | student.exe | 28
  PID 3028 wrote to memory of 2688 | 3028 | student.exe | 28
  PID 3028 wrote to memory of 2688 | 3028 | student.exe | 28
  PID 3028 wrote to memory of 2688 | 3028 | student.exe | 28
  PID 3028 wrote to memory of 2804 | 3028 | student.exe | 30
  PID 3028 wrote to memory of 2804 | 3028 | student.exe | 30
  PID 3028 wrote to memory of 2804 | 3028 | student.exe | 30
  PID 3028 wrote to memory of 2804 | 3028 | student.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\student.exe (PID 3028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\student.exe"
  Signatures:
  - Modifies firewall policy service
  - Enumerates connected drives
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\NETSH.EXE (PID 2688)
    Command line: "C:\Windows\system32\NETSH.EXE" advfirewall firewall delete rule name="LanSchool Student"
    Signatures:
    - Modifies Windows Firewall
  - C:\Windows\SysWOW64\NETSH.EXE (PID 2804)
    Command line: "C:\Windows\system32\NETSH.EXE" advfirewall firewall add rule name="LanSchool Student" dir=in program="C:\Users\Admin\AppData\Local\Temp\student.exe" action=allow
    Signatures:
    - Modifies Windows Firewall