Analysis
- max time kernel: 137s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/03/2024, 14:37
Static task: static1
Behavioral task: behavioral1
- Sample: b8f7f1c3cb54dd98956cfade0d5b02a6.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b8f7f1c3cb54dd98956cfade0d5b02a6.exe
- Resource: win10v2004-20240226-en
General
- Target: b8f7f1c3cb54dd98956cfade0d5b02a6.exe
- Size: 336KB
- MD5: b8f7f1c3cb54dd98956cfade0d5b02a6
- SHA1: 802cedcb7f89c6df1dc1bd36ace24c66474cd0ab
- SHA256: 26a771ec1b7159b3009984f59822620ba5bcd2a675e290a1334ff3a2536ae5ea
- SHA512: 2f9f862f39bb8a1cf87f44a848bb2e8b12f56215643e3643b6e08278023c9195356dd030f2ddbb304149887958925e5b1fb8d0f2a8ff51dd2b0ee8f84d14b0ae
- SSDEEP: 6144:ENr04w8GJEotOrtacrFhqxvtiIZTYix3BuYBIbgmOTd3w:ENr04rnrtacrnnOTYi3B+gmO53
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\2625e5f1\\X" | Explorer.EXE
- Executes dropped EXE (2 IoCs)
  pid | Process
  336 | csrss.exe
  2584 | X
- Loads dropped DLL (2 IoCs)
  pid | Process
  1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe
  1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe
- Modifies registry class (3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\cid = "2277752000419043815" | b8f7f1c3cb54dd98956cfade0d5b02a6.exe
  Key created | \registry\machine\Software\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160} | b8f7f1c3cb54dd98956cfade0d5b02a6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{dfd5ee24-b847-1606-39c8-75afaa2de160}\u = "40" | b8f7f1c3cb54dd98956cfade0d5b02a6.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe
  1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe
  1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe
  2584 | X
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe
  Token: SeDebugPrivilege | 1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  336 | csrss.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 1936 wrote to memory of 336 | 1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe | 2
  PID 1936 wrote to memory of 2584 | 1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe | 28
  PID 1936 wrote to memory of 2584 | 1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe | 28
  PID 1936 wrote to memory of 2584 | 1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe | 28
  PID 1936 wrote to memory of 2584 | 1936 | b8f7f1c3cb54dd98956cfade0d5b02a6.exe | 28
  PID 2584 wrote to memory of 1208 | 2584 | X | 21
  PID 336 wrote to memory of 2920 | 336 | csrss.exe | 29
  PID 336 wrote to memory of 2920 | 336 | csrss.exe | 29
  PID 336 wrote to memory of 2936 | 336 | csrss.exe | 30
  PID 336 wrote to memory of 2936 | 336 | csrss.exe | 30
Processes
- C:\Windows\system32\csrss.exe (PID 336)
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
- C:\Windows\Explorer.EXE (PID 1208)
  command line: C:\Windows\Explorer.EXE
  - Modifies WinLogon for persistence
  - C:\Users\Admin\AppData\Local\Temp\b8f7f1c3cb54dd98956cfade0d5b02a6.exe (PID 1936)
    command line: "C:\Users\Admin\AppData\Local\Temp\b8f7f1c3cb54dd98956cfade0d5b02a6.exe"
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\2625e5f1\X (PID 2584)
      command line: 193.105.154.210:80
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
- C:\Windows\system32\wbem\WMIADAP.EXE (PID 2920)
  command line: wmiadap.exe /F /T /R
- C:\Windows\system32\wbem\wmiprvse.exe (PID 2936)
  command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: b3d2b259ab16b0e26c02f2faa9453238
  SHA1: 3aa2631f79a01143caa52936ce5fe5b942387e78
  SHA256: 905614fb30f9b84b2a81fa770b87350c1b7bc21b23ff775154fbd973505b8675
  SHA512: 209161e67f4874e2253e4fcb7aaaef57526781a06ecf7966c33d0f6db2ec8fc97e3b5ce3b1027ad5ed9ac400ce35a8d5fbac2d17b9327f64c33fb63dabb8562d
- Filesize: 31KB
  MD5: dafc4a53954b76c5db1d857e955f3805
  SHA1: a18fa0d38c6656b4398953e77e87eec3b0209ef3
  SHA256: c6c82dde145a2dd9d70b1b539b17571befb663fc4a9ca834ff2a140cc4ebaa0b
  SHA512: 745e27a4f952e2492dbd12ced396be2c7dc78344ba415ad64b45920f95d7a282e30c7ad2da9266dc195c71e38019809e8183a705f9276c7d178de2f5ef34b633
- Filesize: 41KB
  MD5: 686b479b0ee164cf1744a8be359ebb7d
  SHA1: 8615e8f967276a85110b198d575982a958581a07
  SHA256: fcfbb4c648649f4825b66504b261f912227ba32cbaabcadf4689020a83fb201b
  SHA512: 7ed8022e2b09f232150b77fc3a25269365b624f19f0b50c46a4fdf744eeb23294c09c051452c4c9dbb34a274f1a0bfc54b3ff1987ec16ae2e54848e22a97ed64
- Filesize: 2KB
  MD5: 444293e3ecd966dccc65b9d89dbf1e6d
  SHA1: d7bfb6ad8d44954b490997a971d79dfbd62c743a
  SHA256: 7a833f9c8582485bf923ad56f4419cc302dd6a3845594f23efb068cc2e157488
  SHA512: 1ae95d0dfcf6d79db7a4a81654538dfb99dbe9e88b75e2eaa2d9a662098abfaa95fe06557ba388d3bbecb9a5a0cdc15d035fdf9c2cb49b3233440e98552551c9