Analysis

  • max time kernel
    106s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/02/2024, 10:48

General

  • Target

    a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe

  • Size

    387KB

  • MD5

    a1ad43760d7a2edb0f7fbc3b9cdc6e9e

  • SHA1

    b55d0ccb64a65bd608dafd27d6d57bf6fdb49267

  • SHA256

    c40fe14a6a93721e76c9a11fa65e07509a91050c34287f822be74116e1635ed6

  • SHA512

    d92c2d970f7880b1179f9d5c22725b466bed45f92ec37efda6bf48cb47bc06bd64b7d0387876368f3df7c597214ba6178c30a79a99174bd522ef5e2abe6b6676

  • SSDEEP

    6144:gknN4CVUIm6uk06ZLYgvBA+8xmrxgmA+3cclptVopAfC:FnNhuBoY8SorxgmA+nlvVlfC

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Sets file execution options in registry 2 TTPs 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe
    "C:\Users\Admin\AppData\Local\Temp\a1ad43760d7a2edb0f7fbc3b9cdc6e9e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies security service
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Sets file execution options in registry
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2252
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C net stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\net.exe
        net stop "Security Center"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Security Center"
          4⤵
          PID:2556
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C net stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\net.exe
        net stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          4⤵
          PID:2704
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\at.exe
        AT /delete /yes
        3⤵
        PID:2664
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 12:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\iexplorer.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\SysWOW64\at.exe
        AT 12:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\iexplorer.exe
        3⤵
        PID:2908

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Autorun.inf

    Filesize

    280B

    MD5

    ba9fa2ff95cf51c5e241551ed3eef925

    SHA1

    e3025f0a039f861dd04101aae9c120f85fe3a707

    SHA256

    be203907c52ec704c53a4179b9cbb87e0a12724d9b3e5c22e36cbf18abba13b1

    SHA512

    59274af7c19ddf587d796090fa34a90300df62e9e6fc2bf16f4bcdb7553b58b6e7429426cd98ea632106fd19adc706bc91acd86b4ac8ce5081f13552aac96272

  • C:\ProgramData\Exe_Debuger.ini

    Filesize

    1KB

    MD5

    0cc4099d2bfc1c57e75eacbfdb10baa9

    SHA1

    7f31bf47fa30506855d401bff2f478b819a92376

    SHA256

    ab071cb8343b1b0536dc145b63671e926d85acf4530ed266879bb1d6a8d1cbdf

    SHA512

    99c52f8ff0fbdcf1d4dc8588d19035f73d4c8ade42121943bd9195dc5ffc1ab08a203cb06c0fa79e2e402878848b7989e46b681a51af298fc883a07ead1dd230

  • C:\ProgramData\windows-update.exe

    Filesize

    1KB

    MD5

    36ff29063c5fd211507b38e0a62251f2

    SHA1

    bc26847e4a5bbe329b499dbb566eeaee105094e5

    SHA256

    979d16daefa6dee37ccbdad26412856740dd95814e4b224fa0788d3e9872f021

    SHA512

    7af6a11841c1439ac9c6febbe03899df144abef3b7c80e95640e66453d2dc1895a77de235e9088f58e96aadac50cd71c0a5bad0b56a0ccdb0cfb54f6ecb7a4a7

  • C:\Windows\SysWOW64\iexplorer.exe

    Filesize

    387KB

    MD5

    a1ad43760d7a2edb0f7fbc3b9cdc6e9e

    SHA1

    b55d0ccb64a65bd608dafd27d6d57bf6fdb49267

    SHA256

    c40fe14a6a93721e76c9a11fa65e07509a91050c34287f822be74116e1635ed6

    SHA512

    d92c2d970f7880b1179f9d5c22725b466bed45f92ec37efda6bf48cb47bc06bd64b7d0387876368f3df7c597214ba6178c30a79a99174bd522ef5e2abe6b6676

  • memory/2252-71-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/2252-70-0x0000000006520000-0x0000000006521000-memory.dmp

    Filesize

    4KB

  • memory/2252-0-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/2252-73-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/2252-74-0x0000000006520000-0x0000000006521000-memory.dmp

    Filesize

    4KB

  • memory/2252-76-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/2252-77-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/2252-79-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/2252-83-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB

  • memory/2252-87-0x0000000000400000-0x00000000004CE000-memory.dmp

    Filesize

    824KB