Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:  149s
  max time network: 151s
  platform:         windows7_x64
  resource:         win7-20240221-en
  resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:        04/03/2024, 14:08
Behavioral task: behavioral1
  Sample:   b252cb3de743f519b3409c66d6a8e9f8.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample:   b252cb3de743f519b3409c66d6a8e9f8.exe
  Resource: win10v2004-20240226-en
General
  Target: b252cb3de743f519b3409c66d6a8e9f8.exe
  Size:   38KB
  MD5:    b252cb3de743f519b3409c66d6a8e9f8
  SHA1:   8d7f53af5a7984016b262a4bf7b62289ee74f7e6
  SHA256: 878e5871058ed5b52b82a37713ed64dea749c6744b866da1d725f2f54825d250
  SHA512: 7ca81fa58d035ddc11564ea0b81ba87927eb33ab7b30a912fb6b4c2215c24b0b09251647289aee7d7e0991d860950dc64b5f0055b4ba816e5f0ce83548f4d4a0
  SSDEEP: 768:Rs3WTnYMR+epEy3r6PGFjJ5H8uWxxKDw0sJd0IGyKJfWHEx5J:WGt5JWnKDw00SUKNFTJ
Malware Config
Signatures
- YARA rule matches
    resource                                                                   yara_rule
    behavioral1/memory/2212-0-0x0000000000400000-0x0000000000445000-memory.dmp  upx
    behavioral1/memory/2212-2-0x0000000000400000-0x0000000000445000-memory.dmp  upx
- Adds Run key to start application (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc:         \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\directgo = "\"C:\\Program Files (x86)\\directgo\\directgo.exe\" /start"
    process:     b252cb3de743f519b3409c66d6a8e9f8.exe
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
    All ioc paths below are relative to \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer
    description      ioc                                                              process
    Key created      PageSetup                                                        iexplore.exe
    Key created      Main                                                             iexplore.exe
    Key created      IETld\LowMic                                                     iexplore.exe
    Key created      LowRegistry\DontShowMeThisDialogAgain                            iexplore.exe
    Set value (int)  Main\CompatibilityFlags = "0"                                    iexplore.exe
    Key created      DomainSuggestion                                                 iexplore.exe
    Key created      BrowserEmulation\LowMic                                          iexplore.exe
    Key created      GPU                                                              iexplore.exe
    Key created      LowRegistry                                                      iexplore.exe
    Key created      Zoom                                                             iexplore.exe
    Set value (int)  Recovery\PendingRecovery\AdminActive = "1"                       iexplore.exe
    Key created      Toolbar                                                          iexplore.exe
    Key created      Toolbar\WebBrowser                                               iexplore.exe
    Key created      Main\WindowsSearch                                               iexplore.exe
    Set value (str)  Main\WindowsSearch\Version = "WS not running"                    iexplore.exe
    Key created      Recovery\PendingRecovery                                         iexplore.exe
    Set value (int)  Recovery\PendingRecovery\AdminActive = "0"                       iexplore.exe
    Key created      InternetRegistry                                                 iexplore.exe
    Key created      Recovery\AdminActive                                             iexplore.exe
    Set value (int)  DomainSuggestion\NextUpdateDate = "415723180"                    iexplore.exe
    Key created      Toolbar                                                          IEXPLORE.EXE
    Key created      LowRegistry\DOMStorage                                           iexplore.exe
    Key created      IntelliForms                                                     iexplore.exe
    Set value (int)  Recovery\AdminActive\{ADC79E51-DA30-11EE-9B4A-6E6327E9C5D7} = "0"  iexplore.exe
    Set value (str)  Main\FullScreen = "no"                                           iexplore.exe
    Key created      Main                                                             IEXPLORE.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
    pid   process
    920   iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
    pid   process
    920   iexplore.exe
    920   iexplore.exe
    2472  IEXPLORE.EXE
    2472  IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
    description                      pid  process       procid_target
    PID 920 wrote to memory of 2472  920  iexplore.exe  29
    PID 920 wrote to memory of 2472  920  iexplore.exe  29
    PID 920 wrote to memory of 2472  920  iexplore.exe  29
    PID 920 wrote to memory of 2472  920  iexplore.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\b252cb3de743f519b3409c66d6a8e9f8.exe  (PID 2212, depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\b252cb3de743f519b3409c66d6a8e9f8.exe"
    - Adds Run key to start application
- C:\Program Files\Internet Explorer\iexplore.exe  (PID 920, depth 1)
    command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2472, depth 2, child of PID 920)
        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads