Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
06/03/2024, 07:34
General
-
Target
b6ddaedbe89ed3721a759d36b4458037.exe
-
Size
24KB
-
MD5
b6ddaedbe89ed3721a759d36b4458037
-
SHA1
1b9dc20b35fc43af5a9cb01d197604713cac5110
-
SHA256
8720e91f2f4c8b8c4d9e9163fedb50252920bed3fec48b23416c2236ac09659f
-
SHA512
52fbe3d11a23596bc09897ffeb74d333d8a7f17a863180642849073f9852b449e5763933451be89dfe67338694fc79582887891167cad524d2bc65245fc5ea06
-
SSDEEP
384:4l8q7E2vDsnwe6qyGPHK7pgymJu7UzFI1PuwNC7GjIP5jaTiJ6OSV:4Wq7E2FnqZWgTr+Gw1cZaTicO+
Malware Config
Signatures
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6ddaedbe89ed3721a759d36b4458037.exe"C:\Users\Admin\AppData\Local\Temp\b6ddaedbe89ed3721a759d36b4458037.exe"1⤵
- Sets file execution options in registry
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net stop McShield2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop McShield3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McShield4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop KWhatchsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop KWhatchsvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KWhatchsvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop KPfwSvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop KPfwSvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KPfwSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop DefWatch2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop DefWatch3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop KWhatchsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop KWhatchsvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KWhatchsvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "McAfee McShield"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "McAfee McShield"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "McAfee McShield"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop DefWatch2⤵
-
C:\Windows\SysWOW64\net.exenet stop DefWatch3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "Symantec AntiVirus Client"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "Symantec AntiVirus Client"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Symantec AntiVirus Client"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "Symantec AntiVirus"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "Symantec AntiVirus"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Symantec AntiVirus"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "Symantec AntiVirus Definition Watcher"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "Symantec AntiVirus Definition Watcher"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Symantec AntiVirus Definition Watcher"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "McAfee Framework ·þÎñ"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "McAfee Framework ·þÎñ"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "Norton AntiVirus Server"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "Norton AntiVirus Server"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Norton AntiVirus Server"4⤵
-
-
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f2⤵
-
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
145B
MD543a741a56d6407be6c4190a29c26b39b
SHA1fd4f5a3732fa9c9426428d8100812cd33ffb4e03
SHA256a094953255a5f2815a96bfddf420056e42abead85111df8362adb1de83d81dc3
SHA5125b75cb17a44f14eacf6ccc10fc455a4945872a152aecb5f1ea30b0bead88501e41711103d8f64e9a455ca02fe2281fc1771efc09fb025bd3d0884975c79fd5da
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
Filesize
344B
MD5e817e0c0a7a33086f5ba79f6d8fdc2c4
SHA12df7aa0f171b42ce8581375838d439c2d19e285d
SHA256e44f2fab7258203344e148c4600fc9e500276d3eb198c87505a5b5780b7c31b5
SHA51252ad4884053df89c6554a7d22c22990be191aa91006899c5babb7d25588225d0dabbec749473a6d0836c81d84a0f5dfece19e35d3e743b98b98abb710c398ce5
-
Filesize
344B
MD55c76f59088b384fe9e3ce4cac4ba0b75
SHA1e9842ca24a34e3acc3deb7c67491ee316a2c15f9
SHA2563c56fa9f19e05de60b71db51974ba8938c7066b6277d46fbe93d135bc625f82f
SHA512039d7e2ae569318b7bd0d077035cfe5e751ad1f49880f884434830907988a934e5e3ffcd994ebd9263508d5ef478bf637ec5336a22dc28cd0e9d6b882bac1523
-
Filesize
344B
MD5a4f25b6e58b0007dafabb8e95409cd2f
SHA14604898821493524b6fb5cb87520f328c6848c07
SHA256871cbb90f6e42e8e069635cab2699787c0c8937e1b53f0ed715676d3f9e0f650
SHA512d867013b05553eed96390b58e0c36092b969f7075e1d7c85a7dbde3ffe644df56e5c48d503743e801a24670c85825ff7e34af78c90e664cc8095fc3cf512b28d
-
Filesize
344B
MD58ae46e043f1658588b554dc77ccd14ea
SHA16d18c80a3ce81f9b890b58b80e11dc021fb8862b
SHA256c9083085649874d3c59e9cade82ccdcd281dad71532c34b9a8176429bb952943
SHA51236ea2db644b05493f0a5d164c12b63ef8afd8c06a18967da4708a6903c51d8609809d3d2f65e8eea5658c7a79d0fd3afca2602908f9d4535540bf4898deabd90
-
Filesize
344B
MD550bd215fc29f7bbda74bf48810ccf182
SHA111262d4bff9c2cf223ba996896d2958723867c45
SHA2566feff345707ea2221ca211f6a3cdd0a83a4765963c07daec7b1ac86ec805bdf3
SHA5120653225575d4493f9aebb4983b8e017d55e70161c8d11d56c8e584232a889ef3912a1cfa3608bdbb48214c96efc67f1b2ec600c6387fc2e3824184f63d7e4152
-
Filesize
344B
MD581f8fdeadaf93b3b73c8d44b040ceff7
SHA12a5bbf31845408cc8de08c14586b6c44783401fd
SHA25625ec6ce757cf9e02a9ec4314f85ef20625c15ecac0eca3ab2410fd308995bb45
SHA512d789e86bc85af8ab87309b67e1fb5b905db00cd3a9a84c52572354f2075115ce268eb1d594b0dfa6bc7e202cde2e609d1ac4594355aea8669acad6ebcc6e3e49
-
Filesize
344B
MD561347acc0504764910b114f6022b1430
SHA1395b579ec97309d0cbbec2b2d78e46ffc9f78a5b
SHA25612d92062145caf443e6168f75c60f5b6b280fa80898b7596531e7781d3a1e444
SHA512b5535ba36dfef7afc913ea421a6a7adc3cf6aff876d1dd0b936b589b7f1fce262280ede55023f2d94b096d599f20f1938c28333fbd5c1eeb180ddeddaf194a6b
-
Filesize
344B
MD5a63c47c3c988c3df027d89a90461f2d4
SHA140b3eccd84c427a0d2e060dfb89afae85bb65757
SHA256d9c3e437182409a9ee177ba6000ac07c0628915fd94c6a89304bbbba1f8c2583
SHA512f95e437a44ea85080db139648708f7ef2251048d8b049dc14b71f0c4c5736832bf5df356bac2bbc754f5a10cd646ab31d8e336efecb0f3f837d3b5935e62a1ab
-
Filesize
344B
MD547b02fd63a7db7de365114ba2fa4d77b
SHA151285c1e7fc405dc099f12f54edbd02ed7735224
SHA256ba5eb59755a0638427445cb4eb46a990373c3ffb8a63e57141f8d69d070aff23
SHA512a8839d8b9ce068ab41cd85f86d5df8ac624394ffb7e9b1d73a8329a1e8f4a5e1b48f38465975a79704dafafed855a0310c5fcdade3d3f9ae52409028035cb0da
-
Filesize
344B
MD5e8b57628c70eedabe9616f20e390cb6f
SHA162458b686241129cc985773402a09ae575944ad4
SHA2567cba7963e2f258cd2d17254f31472a372523753e63ab87093c665e35b262c2c5
SHA5124ddde4d51bd6e93b234c319769bd7569fcc950c34e0b83b2f5f9ad310ccf8433f2dee42b9ce14db57e412bb1476adfb4ee6e84b50fb9ece7488fc30dc106371f
-
Filesize
344B
MD5ead43192870252c897bc991856037963
SHA1b705f57efa59f67614f41c736dfd99c7177c2e7c
SHA256576252dd4c3780ae4435364868b59e1a6d4b1f49a0a4f33d3193253069fbf726
SHA51272caab81a0a2c5825c22f0587ffbc5fdb81bd610343dcefd8cd93ca4ea5bccce827465d5ba5a2af492459171c70ec33c30d8c73bb7ba34239fc2181c9b687515
-
Filesize
344B
MD5c259c92c7a20db99fa8df6c2fe553fce
SHA1c11e6bb27903811abd4d0cdc4dc2656b3b2b5338
SHA2566da7d1d97f7940e8c90dc3107beeb6062c5f10ed0a541b0872990fb1056b6ec8
SHA512847858fe54988059f59b5605706c1d49003241796003988f7495aabf5950c0ff7896c443543723ea61615ab1c4eed73da5872abfff173fa331e4d9d7e925a87b
-
Filesize
344B
MD59fc13433910ac068cafa7a078d10f45b
SHA1b25974549d3f88ce0bf06c0b9b3a0697d9e49e35
SHA256bc6fc701d8a9a8cde1da30faa3b57ffaacd47593690dc2a687f3e8704dd863ba
SHA51233542a28f9c5eb9408118627690a9f252c4c1099b4dec87e5be714c11af8b3963c1f0c86571916714b0401c10e72eaf45f969f7d0b907fa33fe28e988d966694
-
Filesize
344B
MD53b3b35d4a6d530db0878999557d47eea
SHA1cd06eebb68b5abed7c1d0b78cc9704f904bbbf2f
SHA2568c43740da8044da01f7dfe12d2d58533e9b396b85226ddbab7da9ae7dbb8c318
SHA5124a13f98c4be9cde0676a0cc1652796676784b5e140d6c7ec4ef73171276c288cbc646374a341ad6f3495d9a23d3e0a870fee9f693ea09ba7b0ef3cff195da394
-
Filesize
344B
MD500f2ecec2a0b7defd6b103f8111fcafa
SHA18a25d7498cd64bcf3c2381ada06008bab8136eac
SHA256043ec67747d630351b15c44d22bf0b80e6f902386514dd27d4ac6a76fcb057e3
SHA512d94370577edd774a4e2534d2d2aed1eb45dc99dd8cd72fd079301152a5306d2cafc71c40122c1ed4b1af1a9d658c3d3d7875ee158806dc95efda66497d13b20a
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
24KB
MD5b6ddaedbe89ed3721a759d36b4458037
SHA11b9dc20b35fc43af5a9cb01d197604713cac5110
SHA2568720e91f2f4c8b8c4d9e9163fedb50252920bed3fec48b23416c2236ac09659f
SHA51252fbe3d11a23596bc09897ffeb74d333d8a7f17a863180642849073f9852b449e5763933451be89dfe67338694fc79582887891167cad524d2bc65245fc5ea06
-
Filesize
256KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
256KB