Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
13/03/2024, 23:28
General
-
Target
c71e4e7e88a658c637e6200746dec3da.exe
-
Size
20KB
-
MD5
c71e4e7e88a658c637e6200746dec3da
-
SHA1
086b704065365d7e617ab09d39f72eceae48d02f
-
SHA256
876ca2d3195a2bec847d41b0033115fbaab8c057d67596897db78eaed1297188
-
SHA512
f40fa7a999df65760c5e88a585df52413b37e2c85fadc22b71ef7d1905ea7c7964912f93356886ad3b32154e017e8ccc2fcc2c87369bd9b09b1dff46069a39e1
-
SSDEEP
384:4l8q7E2vDsnwe6qyGPHK7pgymJu7UzFI1PuwNC7GjIP51:4Wq7E2FnqZWgTr+Gw1cD
Malware Config
Signatures
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c71e4e7e88a658c637e6200746dec3da.exe"C:\Users\Admin\AppData\Local\Temp\c71e4e7e88a658c637e6200746dec3da.exe"1⤵
- Sets file execution options in registry
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net stop McShield2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop McShield3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McShield4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop KWhatchsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop KWhatchsvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KWhatchsvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop KPfwSvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop KPfwSvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KPfwSvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop DefWatch2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop DefWatch3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop KWhatchsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop KWhatchsvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop KWhatchsvc4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "McAfee McShield"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "McAfee McShield"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "McAfee McShield"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop DefWatch2⤵
-
C:\Windows\SysWOW64\net.exenet stop DefWatch3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "Symantec AntiVirus Client"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "Symantec AntiVirus Client"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Symantec AntiVirus Client"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "Symantec AntiVirus"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "Symantec AntiVirus"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Symantec AntiVirus"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "Symantec AntiVirus Definition Watcher"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "Symantec AntiVirus Definition Watcher"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Symantec AntiVirus Definition Watcher"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "McAfee Framework ·þÎñ"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "McAfee Framework ·þÎñ"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c net stop "Norton AntiVirus Server"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "Norton AntiVirus Server"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Norton AntiVirus Server"4⤵
-
-
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f2⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f2⤵
-
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
145B
MD543a741a56d6407be6c4190a29c26b39b
SHA1fd4f5a3732fa9c9426428d8100812cd33ffb4e03
SHA256a094953255a5f2815a96bfddf420056e42abead85111df8362adb1de83d81dc3
SHA5125b75cb17a44f14eacf6ccc10fc455a4945872a152aecb5f1ea30b0bead88501e41711103d8f64e9a455ca02fe2281fc1771efc09fb025bd3d0884975c79fd5da
-
Filesize
344B
MD50de92a0512f6f9c1d301187d46f54a22
SHA16ac030e17247f9f472e5b25f79e76aa8a133c8db
SHA2565b30ac15fe86302d3b943057513d0631c5b2f40be93dc8e01dbae903ebff3490
SHA51276865d0994f32a270f7f66bdf6399487e4c152c8bf0be0d8ecaecf17961ca9f5834da05f1b70b0c8e83d589d1dff6c62cd4d07a5df31e8dd195ecb675256891e
-
Filesize
344B
MD5f17384cfe0153fda8109bd0ad0643108
SHA1c8efd8281446501b5b4015902d55493e528f2bf5
SHA256e634f575629485f724d4e08ffcc2c4fa13ac0b211ad18da2b61603ce405ae462
SHA512e830c01b033ebd45c5f659f24a724d43a508adccd2389d23870a43eceeed25a437e1b11cdb1c0600ad10eaf9c11c7d152ca22994a3ecdb993b7f1064aab123cd
-
Filesize
344B
MD58bba0929a7e2d8bf00660023ed242915
SHA16258c13b007abe8fb5af7e8c498003c32122247a
SHA2568c4d49afedfb432570fce23d74a1bd6621e0fb6096d0476dbb0ae6cc89200dfb
SHA512dad501b1d857eb9d6e5b2f2e1527769ae2c1a37e5e1358220282434428aae6b64def04d92f5ed88fde076cb83ad8c2ce5a98e98d54989602d90deb4aa7a73b4e
-
Filesize
344B
MD5c65c5fa24ed513eb8145637c368db0c4
SHA1e8a7178058bb35a6345674e4d2c60a2f9f997f7b
SHA2565a2bf17e8e9786ce88b52aba5a9bb80d0476faad5f4fd6fa6763e5efbbf47825
SHA512e39767536bf651b0f851d28dd2c77f24a8183636705d75cf1d3ba9b27e1da8829b77e2a84d6318e33ec6c4db629bf238fc8486f2eaa7bfa2008cbbabd1ca86a0
-
Filesize
344B
MD58ed63e5a40b16ca62ee19fdd09ef0226
SHA10a2b3190b14c72e58698c48e37a6e902ad645e95
SHA2561d56e716f1887f090048ce4f33bc5301abda236962b6a2772f66fb2a9d715571
SHA5121152e921ed16a7835e5c5acf1611055808262849b1f598494a0df68f40427ceb5f9737724c788177d63037b7764ccf4f7d29a535b0154e2f935f7b268d9f5387
-
Filesize
344B
MD5594017c574a8d8c6cf79602c8d3ab67f
SHA1e7d96745bb5a04c644a1a353bca836d58ee9157f
SHA25688c309ce2cb607b6aacf6b121bbecf278f13508fec57dba7e5af94129ee01ddf
SHA51239b1001dddef09da48c181128b057c5b26ff128cdf70ec42760419d36303ed68458121addcc13ddd3142cc2095917009061b8920ee9a60587120783f9cba32b8
-
Filesize
344B
MD553006ebf743ece83239c5d54ef0bf854
SHA1210e8975c6dc9d13eaf1605eaa322d60d661cce4
SHA256da7eef3359055d5eda8a7d49fe8cff3f4c4549690b44df931e8da62ecd6706f8
SHA512a6b8c3027e37906fc1404f0d1ba55edf1f9b2b1f3534a53ae49f5270656f644aae17d5be15632801d92dd6cd2c25b23dcbd83c3b5b1ca5ccc9dc7c46ddccdce9
-
Filesize
344B
MD592aa83ebaed57c6993c24726f6a6cdfe
SHA1866acb9f315dce5e06025dda2b91d654d5d261f5
SHA256e38c0e14ea0783531cd359028af5c41e394976d48633d2fb8e614b9bd4ae8d3d
SHA5124d1911ef7c17f743ecff090af65e85e5235acdb764e1fff4f51e9720c0ba97ce8478008a07696a367a9d29fcb168b210419bbcf38fa81884dc76aa84d27eea6c
-
Filesize
344B
MD5af6e556b2ced0e239e9f79163afd8d93
SHA114f0c2ad5f2717a00eff0f4b1d77e7f6a2962961
SHA256d87727c84df78de8b1be7ea8e7e7227289e11c14ae837300dea7b96a658236d3
SHA512d39a067b8e11e09621ad1165915dea19ab002534791a7f3fba8c2d7a1710375c02a2e24059f3eda83f826c3fede0597d1731cf220a815f8ea995f1eb2b9a61a6
-
Filesize
344B
MD5099318989fc9fbc5406563ae5803b280
SHA1a5b054580fe98900f6a6a58fd459da6351f8ac2b
SHA2568f4f3183ca01b7b88fbe882a30a2184b5aac8b5c56a8e339212f482da5604222
SHA5120e05d7df5be04b56925864327afb8e28a3d577a03ce2c028cd3abfdd2cd75c689b2d56d8c16ed76841966c3abfa7b3d40fe5af09dfd92803c843c9e281290457
-
Filesize
344B
MD5178ab7929ad9acb32ba3369d3cc5787f
SHA173f3d2e67e75614a4611c93bf61d011cb527943b
SHA25691c05e16831e8433f702f47fcaf924b68ffbb58b6adafe5d9e09d4674d1e09c2
SHA51221e684c549de03367867b302c5b0497c4523be5226337ca4337f249952c4d3871f560be12608442fac9e24629533984bed401b9678ae4c2367db463bdebcc9c5
-
Filesize
344B
MD5768d97927538a1271c6933cfa4527cfd
SHA130f5d95d9b871e2a8bd7ce8073916274407273bb
SHA256d6993f83f6d349b8390ffd929be75e4e14e534b0fdc594381c5cf7933fa3e6d7
SHA5129f2e9c2b9a71d8e5996cc7a675616c1ca8eb662bf5bb1e4e97a6caa5f74d36426ba94dafeb6eef575b68f468509df9499cc3951f6cd08553cb4fc042defde681
-
Filesize
344B
MD5ccae8f06361636c7cb7b77ec85e7d13c
SHA15a6527dec3efff227175de164087686a4f6c2c7b
SHA25624b34082a15beb2b7d6206e14b882555455d9c1dff275b4e08d3ae955f06197e
SHA512e5c887b6c0c2f214c39e2e555ca70168913f987cf4e611e75f15479195259ab81dc3f41fc6b413762836d8bc8a62d1ac2a4a6b0b45a560cbece29f22a1d71d87
-
Filesize
344B
MD5e52774a455aa81649dd9ccccb19a1244
SHA13cf30b2a46d26cb176c0a5ff9357c24adb403420
SHA2569ca3ac113b88097b7f0760d168744eaa0f97441c3d15f3f5e03eeadde01e78ad
SHA5129c96957a4f646c867ee3af8b5177565ffa018e0c40f90c412c5757183e2be2b4c1d412b31065dd01e1fe94ccf72e62f8702aaffa84be188d87955f5a4237886a
-
Filesize
344B
MD5b2664ac7259d0711b26c2a847d72952c
SHA104fcb0c886b6d2abaa5a656bb59913f313dc9e7e
SHA256e05dc18cf32eb39d42d2fc3ecc99a0fa31f7232c5727584de2b414393b8c8c11
SHA5123dc3da28e4e22ec2a0b6e78cc9d471f9192d47892a75611c8c00ff8132322f4672cac8dbd2dc829b77dc7525af305c27c1c1da872a0265b65d50c56f19d9a912
-
Filesize
344B
MD5d7ed64cf04c26376a7ba1bfd08349a08
SHA1ad753c4a90a5262dfdee15ce0c3c33370e73ec2a
SHA2569c857c1d44c85d636fdfc816aba2a05fa42dea833efa2be01cd3f8469e31404b
SHA5121eb7602ee174fbff6b80d1bf3895f9248a8f2e421fab7406114833eac7bb708babb5daa7a1a210ffe7b6694a42b776c977403820c80d5faaf95f26e0291c4aff
-
Filesize
344B
MD5b694ac3a39816afc5f92cf0d50511747
SHA1268e3200386496d4c07da860177efbe2356d45cf
SHA25611e5766d2d57ebf1e6ec59e92aa0b852af1e5201452a4221cbf4e82ff5674a3b
SHA5129431ee9c990fa4dbce759932f27e78f9f2de936aedf9ea4219f9fb9e6ff9de1d2c65ebe4a09e53efac93018728eca47ba6ede449b9bb3af54e1caaf8cdaa769f
-
Filesize
344B
MD5a98733ae5e95d1e7cb26cd24092c5fce
SHA111f2edde3dbae22dc8ff23e6297a03e427ac38c7
SHA256c3c56a96bf7024c703315c4af2a8b05f7d9dc3082a2e246077c8aff8164ef7d9
SHA5129cedf695953db80b27c54a34ed18c80cc11db27ceda5d1788a0ebd37cd1054602695132371e423eaea755416b6700c6b45c8da8fb60969887e58c9416fe2e39b
-
Filesize
344B
MD5be8ba35d96f27c70996de13df1332d92
SHA1b4afa101ac40e43963b91169b8c5044992f8cef6
SHA256de58e9f0c42bfc797f5d9298d474df5313deeb92e2c882958dad85cf7eebdbd3
SHA5120a635d852af83b1013d695db1ef3064b756854e0f9291a82ddb1794870bf684b4acd1196ba615261d4cd55b969a7571e385c58a4e320126cf6e9566d37cf0af1
-
Filesize
344B
MD5be362fd4b8b06cc8f018a5f0b83b85ea
SHA137a5f5ad32996348788244cab720be854dd53703
SHA25621dfd906e2050555845e349e0755bdb4a827e2e9c4fd26bfefd495fab627b6a3
SHA512c345395db7259d89a72216ac321a6467879382cbf605de0c33a7462d1e043cc25a2e6a699b364efc975e036c4c8ea360c927514a05d65e89a7cb2a8e7369e2c3
-
Filesize
344B
MD5a02e6d67c7458381c6e7ae8ce55d9120
SHA1444032208edd225ed1818a521dcd1d5546675246
SHA256f8daa25f4615ffab00c4277c89c243f95cc8d8da9737a8043be807744537480b
SHA512a3a9c48af70fd6d1ae2ac8c1e684608407a5b1523b6af721bc13c8400125394c9ac7963c3fb8a71e6d054c002945f1f54c377711301c321ddd6a66db92628e73
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
20KB
MD5c71e4e7e88a658c637e6200746dec3da
SHA1086b704065365d7e617ab09d39f72eceae48d02f
SHA256876ca2d3195a2bec847d41b0033115fbaab8c057d67596897db78eaed1297188
SHA512f40fa7a999df65760c5e88a585df52413b37e2c85fadc22b71ef7d1905ea7c7964912f93356886ad3b32154e017e8ccc2fcc2c87369bd9b09b1dff46069a39e1
-
Filesize
100KB
-
Filesize
100KB