Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 04/03/2024, 13:46
Static task: static1
Behavioral task: behavioral1
- Sample: b2478cd5f3aed2b56783ea96127f32ee.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: b2478cd5f3aed2b56783ea96127f32ee.exe
- Resource: win10v2004-20240226-en
General
- Target: b2478cd5f3aed2b56783ea96127f32ee.exe
- Size: 413KB
- MD5: b2478cd5f3aed2b56783ea96127f32ee
- SHA1: 15033a7c206df8dd6bd2dd5a25d94a55a1fc746c
- SHA256: 852ee7dbfabef158cfe8e07c9a04191b7947f31256b25380074b1a6d7ecefe81
- SHA512: c6e86f02f9b432181bfdf9888dc251f8f4eae3da0faa38e8c17a9eb5b5ace5d26847bf4b95f087c1741525cec282fa36c986753f32dc657edceeca83b44cfe40
- SSDEEP: 6144:n7/7Wn2iBqScSkltGne4D64jdMcmR5HYfEsq4DKxZtmCmUbLZOTvoU:n7TykFILjdbmR54csq4DK/tOTwU
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\aH16411NkFjF16411\\aH16411NkFjF16411.exe"
  process: b2478cd5f3aed2b56783ea96127f32ee.exe
- Deletes itself (1 IoC)
  pid 2880, process aH16411NkFjF16411.exe
- Executes dropped EXE (1 IoC)
  pid 2880, process aH16411NkFjF16411.exe
- Loads dropped DLL (2 IoCs)
  pid 2924, process b2478cd5f3aed2b56783ea96127f32ee.exe (2 identical rows)
- yara_rule matches (resource, rule)
  behavioral1/memory/2924-1-0x0000000000400000-0x00000000004D2000-memory.dmp, upx
  behavioral1/memory/2924-10-0x0000000000400000-0x00000000004D2000-memory.dmp, upx
  behavioral1/memory/2924-29-0x0000000000400000-0x00000000004D2000-memory.dmp, upx
  behavioral1/memory/2880-31-0x0000000000400000-0x00000000004D2000-memory.dmp, upx
  behavioral1/memory/2880-38-0x0000000000400000-0x00000000004D2000-memory.dmp, upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\aH16411NkFjF16411 = "C:\\ProgramData\\aH16411NkFjF16411\\aH16411NkFjF16411.exe"
  process: aH16411NkFjF16411.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2924, process b2478cd5f3aed2b56783ea96127f32ee.exe (64 identical rows)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2924, process b2478cd5f3aed2b56783ea96127f32ee.exe
  Token: SeDebugPrivilege, pid 2880, process aH16411NkFjF16411.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2924 wrote to memory of 2880, process b2478cd5f3aed2b56783ea96127f32ee.exe, procid_target 32 (4 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe (PID 2924)
  command line: "C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\aH16411NkFjF16411\aH16411NkFjF16411.exe (PID 2880, child of PID 2924)
    command line: "C:\ProgramData\aH16411NkFjF16411\aH16411NkFjF16411.exe" "C:\Users\Admin\AppData\Local\Temp\b2478cd5f3aed2b56783ea96127f32ee.exe"
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 208B
  MD5: 7c044b089393fb2ad9f2436bfde4eb70
  SHA1: 8550776dcd360f17492dffffed6c1ff1ebf8c1b9
  SHA256: daeecd3dff540ef742361cd03f4bd987dd499a38cdceee41a272c0145d0e56f3
  SHA512: 96a18879aad1f262acc55a54f6c27731e802b00f6732975aa6c687ed859072083e882122e2a17cf77494dab8bbf156101c65addfee13aeb7d5f67b1713471020
- Filesize: 413KB
  MD5: 29ffc1fbdbc95e9d59ef5e6de9ab2219
  SHA1: 704c5abdeb2aea0a30708ec8e1273b054c5370e1
  SHA256: 2ce45c4425feec8ee35c34144f18892fedda4f642ddd6baea0ef7b93a7d9507e
  SHA512: f7e08882481ea709e985693d82e238588394a40110ce343d42ac68c0d9ccbdce19a8a5859be9a675d6fded84acf85b2eeb8faf6a24748c249e0e28c124a0cc42