Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/03/2024, 13:57
Static task: static1
Behavioral task: behavioral1
- Sample: b24c0f35024293aba2c08d62ee4b494f.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b24c0f35024293aba2c08d62ee4b494f.exe
- Resource: win10v2004-20240226-en
General
- Target: b24c0f35024293aba2c08d62ee4b494f.exe
- Size: 404KB
- MD5: b24c0f35024293aba2c08d62ee4b494f
- SHA1: dc2d6b8cb8f5ba1c437cd5c7530e97d628e0dfd4
- SHA256: 675094bb85363d821052301a2f487fd0981d2df2ba36ca6529a31bbcf727dab0
- SHA512: 4cc581a2a26099c724d19cc5803528d5988fa817e9ad187014a935ec6925428d54f9d82b2ad8734b50553ace599267ce1aec03d9dd1d5b2c5c8caf6700b3f235
- SSDEEP: 12288:wGrIJ2JC5PCj9AYY75CYMGyu0rFFCfVH:ZrIJ2JC5qjit5lFyuZf
Malware Config
Signatures
UAC bypass
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b24c0f35024293aba2c08d62ee4b494f.exe

Windows security bypass
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b24c0f35024293aba2c08d62ee4b494f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | b24c0f35024293aba2c08d62ee4b494f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b24c0f35024293aba2c08d62ee4b494f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | b24c0f35024293aba2c08d62ee4b494f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b24c0f35024293aba2c08d62ee4b494f.exe

Windows security modification
Disables taskbar notifications via registry modification
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | b24c0f35024293aba2c08d62ee4b494f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" | b24c0f35024293aba2c08d62ee4b494f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b24c0f35024293aba2c08d62ee4b494f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | b24c0f35024293aba2c08d62ee4b494f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b24c0f35024293aba2c08d62ee4b494f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | b24c0f35024293aba2c08d62ee4b494f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b24c0f35024293aba2c08d62ee4b494f.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | b24c0f35024293aba2c08d62ee4b494f.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\A2DBCF470045EF4917763CF5F875EF60 = "C:\\ProgramData\\A2DBCF470045EF4917763CF5F875EF60\\A2DBCF470045EF4917763CF5F875EF60.exe" | b24c0f35024293aba2c08d62ee4b494f.exe

Checks whether UAC is enabled
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b24c0f35024293aba2c08d62ee4b494f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  2368 | b24c0f35024293aba2c08d62ee4b494f.exe (64 identical rows)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2368 | b24c0f35024293aba2c08d62ee4b494f.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
  pid | process
  2368 | b24c0f35024293aba2c08d62ee4b494f.exe (5 identical rows)

Suspicious use of SendNotifyMessage (5 IoCs)
  pid | process
  2368 | b24c0f35024293aba2c08d62ee4b494f.exe (5 identical rows)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  2368 | b24c0f35024293aba2c08d62ee4b494f.exe (2 identical rows)

System policy modification (1 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | b24c0f35024293aba2c08d62ee4b494f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b24c0f35024293aba2c08d62ee4b494f.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b24c0f35024293aba2c08d62ee4b494f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b24c0f35024293aba2c08d62ee4b494f.exe"
  PID: 2368
  signatures:
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - System policy modification
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)