Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
10/03/2024, 00:37
Static task
static1
Behavioral task
behavioral1
Sample
b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
Resource
win10v2004-20240226-en
General
-
Target
b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
-
Size
206KB
-
MD5
cc46def2c67d319aec841722dff26c03
-
SHA1
dcc8f27c4fd27152172ff2bedba3ea5c552248a9
-
SHA256
b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f
-
SHA512
a4e08a42cdf1570c4ac16c890bb9c6272b48f0f10126dc566aa715d7400c71e975adc7b5447afa51f1dcd47a6781b3962c56cc80e587ef90c481b5f95a311b03
-
SSDEEP
1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJds:/VqoCl/YgjxEufVU0TbTyDDalbs
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe
-
Executes dropped EXE 4 IoCs
pid Process
2028 explorer.exe
2640 spoolsv.exe
2128 svchost.exe
2544 spoolsv.exe
-
Loads dropped DLL 8 IoCs
pid Process
2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
2028 explorer.exe
2028 explorer.exe
2640 spoolsv.exe
2640 spoolsv.exe
2128 svchost.exe
2128 svchost.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe
-
Drops file in System32 directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe
File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification \??\c:\windows\resources\themes\explorer.exe b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe
File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe
File opened for modification C:\Windows\Resources\tjud.exe explorer.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2428 schtasks.exe
528 schtasks.exe
1612 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2128 svchost.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2028 explorer.exe 2128 svchost.exe 2128 svchost.exe 2028 explorer.exe 2128 svchost.exe 2028 explorer.exe 2128 svchost.exe 2028 explorer.exe 2128 svchost.exe 2128 svchost.exe 2028 explorer.exe 2028 explorer.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
2028 explorer.exe
2128 svchost.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process
2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
2028 explorer.exe
2028 explorer.exe
2640 spoolsv.exe
2640 spoolsv.exe
2128 svchost.exe
2128 svchost.exe
2544 spoolsv.exe
2544 spoolsv.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target
PID 2980 wrote to memory of 2028 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 28
PID 2980 wrote to memory of 2028 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 28
PID 2980 wrote to memory of 2028 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 28
PID 2980 wrote to memory of 2028 2980 b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe 28
PID 2028 wrote to memory of 2640 2028 explorer.exe 29
PID 2028 wrote to memory of 2640 2028 explorer.exe 29
PID 2028 wrote to memory of 2640 2028 explorer.exe 29
PID 2028 wrote to memory of 2640 2028 explorer.exe 29
PID 2640 wrote to memory of 2128 2640 spoolsv.exe 30
PID 2640 wrote to memory of 2128 2640 spoolsv.exe 30
PID 2640 wrote to memory of 2128 2640 spoolsv.exe 30
PID 2640 wrote to memory of 2128 2640 spoolsv.exe 30
PID 2128 wrote to memory of 2544 2128 svchost.exe 31
PID 2128 wrote to memory of 2544 2128 svchost.exe 31
PID 2128 wrote to memory of 2544 2128 svchost.exe 31
PID 2128 wrote to memory of 2544 2128 svchost.exe 31
PID 2028 wrote to memory of 2592 2028 explorer.exe 32
PID 2028 wrote to memory of 2592 2028 explorer.exe 32
PID 2028 wrote to memory of 2592 2028 explorer.exe 32
PID 2028 wrote to memory of 2592 2028 explorer.exe 32
PID 2128 wrote to memory of 2428 2128 svchost.exe 33
PID 2128 wrote to memory of 2428 2128 svchost.exe 33
PID 2128 wrote to memory of 2428 2128 svchost.exe 33
PID 2128 wrote to memory of 2428 2128 svchost.exe 33
PID 2128 wrote to memory of 528 2128 svchost.exe 38
PID 2128 wrote to memory of 528 2128 svchost.exe 38
PID 2128 wrote to memory of 528 2128 svchost.exe 38
PID 2128 wrote to memory of 528 2128 svchost.exe 38
PID 2128 wrote to memory of 1612 2128 svchost.exe 40
PID 2128 wrote to memory of 1612 2128 svchost.exe 40
PID 2128 wrote to memory of 1612 2128 svchost.exe 40
PID 2128 wrote to memory of 1612 2128 svchost.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
"C:\Users\Admin\AppData\Local\Temp\b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980
  \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2028
    \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2640
      \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:2128
        \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe PR
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID:2544
        C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:39 /f
        - Creates scheduled task(s)
        PID:2428
        C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:40 /f
        - Creates scheduled task(s)
        PID:528
        C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:41 /f
        - Creates scheduled task(s)
        PID:1612
    C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    PID:2592
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Downloads
-
Filesize
206KB
MD5
4b5948abaf6ef3420da5e2e4d1bdb1fe
SHA1
807d4e5f21d9cc64a7a7408a9465c7ab2a3bf238
SHA256
11f023dc8b535ba8813672496f6f7f84c2ed964a732cfbb05e7c1404840d8854
SHA512
7b6022d152964f42fb49836c7b75ee72701310d5c756458f9a406cdbe54fbb6441f78e0587bb6c640765c33bb8ebe324dc20a8bb28b4b690c3e4b60f889ad76b
-
Filesize
206KB
MD5
3c27ebf2245937907356cef32cc7e796
SHA1
c6bf619a43ac6d4fc67957bf6c275807b170cd2f
SHA256
f177999da38b579b2f8031de26c56477a704f54fa9d00f2135a5cd60561dba04
SHA512
f3a2ed48f2b0bf95f42bc42ef914fc45ccd03f0cf1c7b056ee7775a72862d204470c0f20ebc17d1c594489978c31d5b9715cd70a73cf2490720ec0c27f0eddcd
-
Filesize
206KB
MD5
c19f83ebdb95db941731a759a1fd1de3
SHA1
f38cf9e0bee79ad6fe6a4137efb7833315022326
SHA256
9cced17b406a08b4237c54151b6eb937abc62e61a7004920b7c752fd73ef28eb
SHA512
0b79a71217da2a662096002d885a29ea49d6a85717731b13be6eca57c88f4caf9e93e368315875eb17007e018b816bd80b4fdcf319e3bafbfa7fe80246e5642c