Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 04/03/2024, 13:52

Static task: static1

Behavioral task: behavioral1
- Sample: b249dcfbe72dc741c6cdef6a19a052ec.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: b249dcfbe72dc741c6cdef6a19a052ec.exe
- Resource: win10v2004-20240226-en
General
- Target: b249dcfbe72dc741c6cdef6a19a052ec.exe
- Size: 294KB
- MD5: b249dcfbe72dc741c6cdef6a19a052ec
- SHA1: 53163fcc6db4fa759a9e0e33f3944c1b6371eed3
- SHA256: 90aba696da20cc79658922318e2624eb5ddea6cd5c08bea2018617ae79026da3
- SHA512: e2c680db5625208bc4d8656a1a4718c5fa6f06c325039a93de0361e1846c9ff9779d86af311d0278910718a62f04af899b9af8fbaa2fb5c86373bc997c5da072
- SSDEEP: 6144:NiGtsLBZAlqNC+Y+1PTG/qm/PgCnmUSFMhl4Q0+M/oI29QKS:gGtsLBWt+d1PTEn/iUSFM8Q0+rI2jS
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2368, process mywi.exe
- Loads dropped DLL (2 IoCs)
  pid 1992, process b249dcfbe72dc741c6cdef6a19a052ec.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9EC938C8-8543-AD4E-DD27-CD48CA2DEE55} = "C:\\Users\\Admin\\AppData\\Roaming\\Vubau\\mywi.exe", process mywi.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1992 (b249dcfbe72dc741c6cdef6a19a052ec.exe) set thread context of 2160, procid_target 29
- Program crash (1 IoC)
  pid 1264 (WerFault.exe), pid_target 2160, procid_target 29
- Modifies Internet Explorer settings
  Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0", process b249dcfbe72dc741c6cdef6a19a052ec.exe
  Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Privacy, process b249dcfbe72dc741c6cdef6a19a052ec.exe
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid 2368, process mywi.exe (32 entries)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1992, process b249dcfbe72dc741c6cdef6a19a052ec.exe
  pid 2368, process mywi.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  PID 1992 (b249dcfbe72dc741c6cdef6a19a052ec.exe) wrote to memory of 2368, procid_target 28 (4 entries)
  PID 2368 (mywi.exe) wrote to memory of 1060, procid_target 18 (5 entries)
  PID 2368 (mywi.exe) wrote to memory of 1152, procid_target 20 (5 entries)
  PID 2368 (mywi.exe) wrote to memory of 1188, procid_target 21 (5 entries)
  PID 2368 (mywi.exe) wrote to memory of 1456, procid_target 23 (5 entries)
  PID 2368 (mywi.exe) wrote to memory of 1992, procid_target 27 (5 entries)
  PID 1992 (b249dcfbe72dc741c6cdef6a19a052ec.exe) wrote to memory of 2160, procid_target 29 (9 entries)
  PID 2160 (cmd.exe) wrote to memory of 1264, procid_target 31 (4 entries)
  PID 2368 (mywi.exe) wrote to memory of 2044, procid_target 30 (5 entries)
  PID 2368 (mywi.exe) wrote to memory of 1264, procid_target 31 (5 entries)
Processes
- C:\Windows\system32\taskhost.exe (PID 1060), command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe (PID 1152), command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (PID 1188), command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\b249dcfbe72dc741c6cdef6a19a052ec.exe (PID 1992), command line: "C:\Users\Admin\AppData\Local\Temp\b249dcfbe72dc741c6cdef6a19a052ec.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Vubau\mywi.exe (PID 2368), command line: "C:\Users\Admin\AppData\Roaming\Vubau\mywi.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2160), command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb9d8a901.bat"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (PID 1264), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 112
        - Program crash
- C:\Windows\system32\DllHost.exe (PID 1456), command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\conhost.exe (PID 2044), command line: \??\C:\Windows\system32\conhost.exe "-15327495092059029896608600068-1704279424-499724045-312915142-1734203391-623858314"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 294KB
- MD5: 55d0afb20708a172653e5fe694987d62
- SHA1: 24f0fe99545293a66e9924d9a4268bfad9d2114d
- SHA256: ae97aa492cf245d3acc1728ce1b7e307fd5c72daaeb09b7381f8c5fef57f446b
- SHA512: 659b3128abc3f25e4db61363e9cce1f945e2383a4c59a907c10ee29b8ba51ca099ccd30fe75cfb3c88f8e4049fd9b167a5356c95c82d6e6dd7383caa240e089f