Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 13/03/2024, 22:33
Static task: static1
Behavioral task: behavioral1
- Sample: c7053bdef48425f6bd01b2a33aa63cab.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: c7053bdef48425f6bd01b2a33aa63cab.exe
- Resource: win10v2004-20240226-en
General
- Target: c7053bdef48425f6bd01b2a33aa63cab.exe
- Size: 38KB
- MD5: c7053bdef48425f6bd01b2a33aa63cab
- SHA1: c5b73cdd845cbc94c127c67bb8d6eda75ece2d9c
- SHA256: 817d9a8b5805b7a06b488db7f43d42529b9814936ced55a66b15687b1c58e94e
- SHA512: 22bca871fb8ef4976152fab30ec9e79f607a02ec3ed251749ee7a792b6906e860c503f522bd56b40458e31efc3ee9f002a63d745e79eb6da67357da832e4c7dd
- SSDEEP: 768:cvCsiQNghYML057aeoaMxNTjQsVuZLmFL5FYNwGfowjuWKGz1:cvCQ4057hoaMxNHXVaLmLGAqjLp
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: c7053bdef48425f6bd01b2a33aa63cab.exe
- Sets file execution options in registry (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thunder5.exe
  process: c7053bdef48425f6bd01b2a33aa63cab.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thunder5.exe\Debugger = "svchost.exe"
  process: c7053bdef48425f6bd01b2a33aa63cab.exe
- Enumerates connected drives (3 TTPs, 20 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  process: c7053bdef48425f6bd01b2a33aa63cab.exe
  ioc (20 entries): \??\T:, \??\V:, \??\W:, \??\G:, \??\J:, \??\N:, \??\P:, \??\R:, \??\U:, \??\E:, \??\M:, \??\X:, \??\L:, \??\Q:, \??\K:, \??\O:, \??\S:, \??\Y:, \??\H:, \??\I:
- Drops file in Windows directory (1 IoC)
  description: File created
  ioc: C:\Windows\Tasks\1
  process: c7053bdef48425f6bd01b2a33aa63cab.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid: 2792
  process: c7053bdef48425f6bd01b2a33aa63cab.exe (17 occurrences)
- Suspicious behavior: LoadsDriver (1 IoC)
  pid: 480
  process: Process not Found
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2792
  process: c7053bdef48425f6bd01b2a33aa63cab.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c7053bdef48425f6bd01b2a33aa63cab.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c7053bdef48425f6bd01b2a33aa63cab.exe"
  PID: 2792
  signatures:
  - Modifies visibility of hidden/system files in Explorer
  - Sets file execution options in registry
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)