Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/03/2024, 07:12
Static task: static1
Behavioral task: behavioral1
  Sample: b6d2bf02bfba362f806a998d313e54b6.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b6d2bf02bfba362f806a998d313e54b6.exe
  Resource: win10v2004-20240226-en
General
Target: b6d2bf02bfba362f806a998d313e54b6.exe
Size: 40KB
MD5: b6d2bf02bfba362f806a998d313e54b6
SHA1: fb79ae88b809e07417891eb181ba9d15a781efe5
SHA256: 7b97a7978fdd342c0f004b60643b22010c3f058dfd1de813acc983263704dacf
SHA512: 10f96aa48ccde89f162b5c7655ef316abd3189acb27c0dda44b23369d981e759d94941408ebd78d2fd2b1dce67562be617b6b0def114f593024f7f747835e07e
SSDEEP: 384:Ym7ZpAoh6RU6EUArk+D94CvorkM2oswl/3MgWK+:YifJ8t6rkUyhZ3RWT
Malware Config
Signatures

Modifies registry class (29 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)\Command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\DefaultIcon\ = "c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)\Command | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\DefaultIcon | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\DefaultIcon\ = "c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\ = "????(&H)" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ShellFolder | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521} | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\Command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\Command\ = "\"c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.sogouliulanqi.com" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O) | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\ = "????(&H)" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\Command | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R) | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\DefaultIcon | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O) | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R) | regedit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ShellFolder\Attributes = "10" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ShellFolder | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521} | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ = "Internet Explorer" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ = "Internet Explorer" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ShellFolder\Attributes = "10" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Wow6432Node | regedit.exe
Runs .reg file with regedit (1 IoC)
pid | Process
2628 | regedit.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1688 | b6d2bf02bfba362f806a998d313e54b6.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1688 wrote to memory of 1352 | 1688 | b6d2bf02bfba362f806a998d313e54b6.exe | 28
PID 1688 wrote to memory of 1352 | 1688 | b6d2bf02bfba362f806a998d313e54b6.exe | 28
PID 1688 wrote to memory of 1352 | 1688 | b6d2bf02bfba362f806a998d313e54b6.exe | 28
PID 1688 wrote to memory of 1352 | 1688 | b6d2bf02bfba362f806a998d313e54b6.exe | 28
PID 1352 wrote to memory of 2628 | 1352 | cmd.exe | 30
PID 1352 wrote to memory of 2628 | 1352 | cmd.exe | 30
PID 1352 wrote to memory of 2628 | 1352 | cmd.exe | 30
PID 1352 wrote to memory of 2628 | 1352 | cmd.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\b6d2bf02bfba362f806a998d313e54b6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b6d2bf02bfba362f806a998d313e54b6.exe"
   PID: 1688
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\QQ.reg"
      PID: 1352
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regedit.exe
         Command line: regedit /s "C:\Users\Admin\AppData\Local\Temp\QQ.reg"
         PID: 2628
         - Modifies registry class
         - Runs .reg file with regedit
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 2KB
MD5: ddb7f26485d51c950458550a7df6d38c
SHA1: 23acf9a2190654f3c173214b303342bb84b838a7
SHA256: 6eb77ad035d63f5f90799ae9fbd351280cc315db6a0e6237db786a686c7464d2
SHA512: e207e0e54c23d3f019daea858062af7c898b3df65622855b2d36d865e073afbde5c7d539cd428c671c70ca0881bb0dcc3c5d3be6ceffb4e84b124e8aa59b9ffd