Analysis
max time kernel: 142s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09/03/2024, 18:23
Static task: static1
Behavioral task: behavioral1
Sample: 02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe
Resource: win10v2004-20240226-en
General
Target: 02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe
Size: 833KB
MD5: 012fc9ab793f339043fe88eb3e28996f
SHA1: ca2000d8fb282a8d8e24e2b7f079455341f5ac9a
SHA256: 02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32
SHA512: 8d5f7cd85ca6b18b3361360f6174be54e437cf61d420c60400a34ea972dbd9b6381280614f63a887e91552ba874a60a6209d6d388ab8ac2593034e45faf138eb
SSDEEP: 24576:8wj7QpalR342ddHjXglpvvB2+R4QmX8T4:8wjMpal5d8lph2+Rlmx
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid  Process
1444  HKFX20~1.EXE
2420  www.cmder.com.exe
Loads dropped DLL (2 IoCs)
pid  Process
860  02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe
860  02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  HKFX20~1.EXE
File opened for modification  \??\PhysicalDrive0  www.cmder.com.exe
Drops file in System32 directory (1 IoC)
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  www.cmder.com.exe
Drops file in Windows directory (2 IoCs)
description  ioc  Process
File created  C:\Windows\www.cmder.com.exe  HKFX20~1.EXE
File opened for modification  C:\Windows\www.cmder.com.exe  HKFX20~1.EXE
Modifies data under HKEY_USERS (28 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  1444  HKFX20~1.EXE
Token: SeDebugPrivilege  2420  www.cmder.com.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid  Process
2420  www.cmder.com.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description  pid  Process  procid_target
PID 860 wrote to memory of 1444  860  02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe  28
PID 860 wrote to memory of 1444  860  02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe  28
PID 860 wrote to memory of 1444  860  02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe  28
PID 860 wrote to memory of 1444  860  02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe  28
PID 2420 wrote to memory of 2032  2420  www.cmder.com.exe  30
PID 2420 wrote to memory of 2032  2420  www.cmder.com.exe  30
PID 2420 wrote to memory of 2032  2420  www.cmder.com.exe  30
PID 2420 wrote to memory of 2032  2420  www.cmder.com.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe  "C:\Users\Admin\AppData\Local\Temp\02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe"  (level 1)
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID: 860
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE  (level 2)
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 1444
C:\Windows\www.cmder.com.exe  C:\Windows\www.cmder.com.exe  (level 1)
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 2420
  C:\Program Files\Internet Explorer\IEXPLORE.EXE  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"  (level 2)
  PID: 2032
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 468KB
MD5: 73b138e63de1f1efb03859d334313bc8
SHA1: 778b926faf84ada04c3eac712e62fe69d804f1ce
SHA256: 9e72b0bebd1a70edb51637991714fe1557635fe302cc5e49c74abfadcf7799ec
SHA512: 3b18012a2d0800bd869b0890ea9341bfbe812a2535de7eb07917b1d771824ffd3c5966cbd2dd8bd8f6faef191f50280244ae2b5c8c24377122d848dcbc83d371