Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 24/02/2024, 15:31
Static task: static1
Behavioral task: behavioral1
- Sample: a23154ec6c70e15f8352c7b170e3a7b4.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: a23154ec6c70e15f8352c7b170e3a7b4.exe
- Resource: win10v2004-20240221-en
General
- Target: a23154ec6c70e15f8352c7b170e3a7b4.exe
- Size: 18KB
- MD5: a23154ec6c70e15f8352c7b170e3a7b4
- SHA1: 1f270a5b3c689e76aadf912cb8d4122ca7435a1a
- SHA256: 43fcdb73275eb4922c51f78b6c0a55e36b4e460d0bfcb2a9d83a764d7f526f8c
- SHA512: 8e61cafef28fcf009c1f0da0d770494929c6d8a8161e02c092f9650a18674a04233a6eecd15b680305105649692749628e679e3f0e9261948dea4a36989c5c5b
- SSDEEP: 384:k+YUthRZYLbRTr2P0d9UI4FrJCO97GIKp+YeaTvQMJOmkRNw/:YUBS0PUUDFrJCO96IpYegvTt5/
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run (process: ishost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ishost.exe = "ishost.exe" (process: ishost.exe)
- Deletes itself (1 IoC)
  PID 2492: cmd.exe
- Executes dropped EXE (2 IoCs)
  PID 3004: ishost.exe
  PID 2488: ismini.exe
- Loads dropped DLL (4 IoCs)
  PID 2932: a23154ec6c70e15f8352c7b170e3a7b4.exe (2 entries)
  PID 3004: ishost.exe (2 entries)
- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\SysWOW64\ishost.exe (process: a23154ec6c70e15f8352c7b170e3a7b4.exe)
  File opened for modification: C:\Windows\SysWOW64\ishost.exe (process: a23154ec6c70e15f8352c7b170e3a7b4.exe)
  File created: C:\Windows\SysWOW64\ismini.exe (process: ishost.exe)
  File created: C:\Windows\SysWOW64\components\flx0.dll (process: ishost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid/Process entries: 2932 a23154ec6c70e15f8352c7b170e3a7b4.exe 3004 ishost.exe 3004 ishost.exe 2488 ismini.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 2488 ismini.exe 3004 ishost.exe 3004 ishost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeIncBasePriorityPrivilege, PID 2932: a23154ec6c70e15f8352c7b170e3a7b4.exe
- Suspicious use of UnmapMainImage (1 IoC)
  PID 2932: a23154ec6c70e15f8352c7b170e3a7b4.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2932 wrote to memory of 3004: a23154ec6c70e15f8352c7b170e3a7b4.exe (2932), procid_target 28 (4 entries)
  PID 3004 wrote to memory of 2488: ishost.exe (3004), procid_target 29 (4 entries)
  PID 2932 wrote to memory of 2492: a23154ec6c70e15f8352c7b170e3a7b4.exe (2932), procid_target 30 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a23154ec6c70e15f8352c7b170e3a7b4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a23154ec6c70e15f8352c7b170e3a7b4.exe"
  PID: 2932
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ishost.exe (depth 2)
    Command line: C:\Windows\system32\ishost.exe
    PID: 3004
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ismini.exe (depth 3)
      Command line: C:\Windows\system32\ismini.exe
      PID: 2488
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A23154~1.EXE > nul
    PID: 2492
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 35KB
  MD5: 4ffb3e402a8b86a84b014a929d92a389
  SHA1: 79a5e113d2594228832fa669509fe370507b1d34
  SHA256: 728ba8e00efc37791f388b051518da8aafbaa17302c9eb68178765a1833b817f
  SHA512: 439764d2f8365ecea22adb107210be7b64a5cb526c13c923eb7f4d742f2631c8b490b1a18b7d22ad319945ab260aff757b1aff99c301872ebb4f863f817d40d8
- Filesize: 5KB
  MD5: f8a526f12d2f57d8cfc14faa20ddec12
  SHA1: 5f24123bf1d6f3925076d25675a064fc68bec790
  SHA256: 5d4f365147413d8f20e977c5dcbf1b76ab3eb4e10a4feac88e8bf373258dfa4b
  SHA512: cf08754668f35397b39109e9e6b4efb46d8d6ec2e44bb9a2714ada4789d3991544cb7bec750b88126a8e3ac42761d64a6ef3de9678cc29e86e97067e11c47f8a