Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15/03/2024, 03:36
Static task: static1
Behavioral task: behavioral1
- Sample: ca62040f61d63d23a522a476ee8aeeec.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ca62040f61d63d23a522a476ee8aeeec.exe
- Resource: win10v2004-20240226-en
General
- Target: ca62040f61d63d23a522a476ee8aeeec.exe
- Size: 171KB
- MD5: ca62040f61d63d23a522a476ee8aeeec
- SHA1: 462fce2be4bbead0a77fe064a483d50783ceaafe
- SHA256: 73df551a2f02724c553c34b0d5ee63774b12378f1aaa4f440efd05ec23af3c73
- SHA512: 1658a43316d5174092292ed75a0a087778b2b1ec1ac176bec4a2fea977e8bfe59c0c12079e9354dadc5479c9506df43e6bafdc35c0701cb2eee8ef09a7e4d48c
- SSDEEP: 3072:oPhrcIwCBrYtZSb5XNGyyrTcmsyMoecjIDKZg1CCx5R3T6d1Pt:CrcEVrb4Pc4IDKeCE51m
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid | Process
  276 | cmd.exe
- Executes dropped EXE (1 IoC)
  pid  | Process
  1640 | wiby.exe
- Loads dropped DLL (2 IoCs)
  pid  | Process
  2728 | ca62040f61d63d23a522a476ee8aeeec.exe
  2728 | ca62040f61d63d23a522a476ee8aeeec.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\{79D9EA0F-1BC0-039F-FCF8-F124D5736F69} = "C:\\Users\\Admin\\AppData\\Roaming\\Atimh\\wiby.exe" | wiby.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2728 set thread context of 276 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 29
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Privacy | ca62040f61d63d23a522a476ee8aeeec.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | ca62040f61d63d23a522a476ee8aeeec.exe
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  pid  | Process
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
  1640 | wiby.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeSecurityPrivilege | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe
  Token: SeSecurityPrivilege | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe
  Token: SeSecurityPrivilege | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  description | pid | Process | procid_target
  PID 2728 wrote to memory of 1640 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 28
  PID 2728 wrote to memory of 1640 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 28
  PID 2728 wrote to memory of 1640 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 28
  PID 2728 wrote to memory of 1640 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 28
  PID 1640 wrote to memory of 1096 | 1640 | wiby.exe | 19
  PID 1640 wrote to memory of 1096 | 1640 | wiby.exe | 19
  PID 1640 wrote to memory of 1096 | 1640 | wiby.exe | 19
  PID 1640 wrote to memory of 1096 | 1640 | wiby.exe | 19
  PID 1640 wrote to memory of 1096 | 1640 | wiby.exe | 19
  PID 1640 wrote to memory of 1172 | 1640 | wiby.exe | 20
  PID 1640 wrote to memory of 1172 | 1640 | wiby.exe | 20
  PID 1640 wrote to memory of 1172 | 1640 | wiby.exe | 20
  PID 1640 wrote to memory of 1172 | 1640 | wiby.exe | 20
  PID 1640 wrote to memory of 1172 | 1640 | wiby.exe | 20
  PID 1640 wrote to memory of 1208 | 1640 | wiby.exe | 21
  PID 1640 wrote to memory of 1208 | 1640 | wiby.exe | 21
  PID 1640 wrote to memory of 1208 | 1640 | wiby.exe | 21
  PID 1640 wrote to memory of 1208 | 1640 | wiby.exe | 21
  PID 1640 wrote to memory of 1208 | 1640 | wiby.exe | 21
  PID 1640 wrote to memory of 1968 | 1640 | wiby.exe | 23
  PID 1640 wrote to memory of 1968 | 1640 | wiby.exe | 23
  PID 1640 wrote to memory of 1968 | 1640 | wiby.exe | 23
  PID 1640 wrote to memory of 1968 | 1640 | wiby.exe | 23
  PID 1640 wrote to memory of 1968 | 1640 | wiby.exe | 23
  PID 1640 wrote to memory of 2728 | 1640 | wiby.exe | 27
  PID 1640 wrote to memory of 2728 | 1640 | wiby.exe | 27
  PID 1640 wrote to memory of 2728 | 1640 | wiby.exe | 27
  PID 1640 wrote to memory of 2728 | 1640 | wiby.exe | 27
  PID 1640 wrote to memory of 2728 | 1640 | wiby.exe | 27
  PID 2728 wrote to memory of 276 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 29
  PID 2728 wrote to memory of 276 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 29
  PID 2728 wrote to memory of 276 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 29
  PID 2728 wrote to memory of 276 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 29
  PID 2728 wrote to memory of 276 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 29
  PID 2728 wrote to memory of 276 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 29
  PID 2728 wrote to memory of 276 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 29
  PID 2728 wrote to memory of 276 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 29
  PID 2728 wrote to memory of 276 | 2728 | ca62040f61d63d23a522a476ee8aeeec.exe | 29
  PID 1640 wrote to memory of 2136 | 1640 | wiby.exe | 31
  PID 1640 wrote to memory of 2136 | 1640 | wiby.exe | 31
  PID 1640 wrote to memory of 2136 | 1640 | wiby.exe | 31
  PID 1640 wrote to memory of 2136 | 1640 | wiby.exe | 31
  PID 1640 wrote to memory of 2136 | 1640 | wiby.exe | 31
  PID 1640 wrote to memory of 2380 | 1640 | wiby.exe | 32
  PID 1640 wrote to memory of 2380 | 1640 | wiby.exe | 32
  PID 1640 wrote to memory of 2380 | 1640 | wiby.exe | 32
  PID 1640 wrote to memory of 2380 | 1640 | wiby.exe | 32
  PID 1640 wrote to memory of 2380 | 1640 | wiby.exe | 32
Processes
- C:\Windows\system32\taskhost.exe | command line: "taskhost.exe" | PID: 1096
- C:\Windows\system32\Dwm.exe | command line: "C:\Windows\system32\Dwm.exe" | PID: 1172
- C:\Windows\Explorer.EXE | command line: C:\Windows\Explorer.EXE | PID: 1208
  - C:\Users\Admin\AppData\Local\Temp\ca62040f61d63d23a522a476ee8aeeec.exe | command line: "C:\Users\Admin\AppData\Local\Temp\ca62040f61d63d23a522a476ee8aeeec.exe" | PID: 2728
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Atimh\wiby.exe | command line: "C:\Users\Admin\AppData\Roaming\Atimh\wiby.exe" | PID: 1640
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe | command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7e52ec0b.bat" | PID: 276
      - Deletes itself
- C:\Windows\system32\DllHost.exe | command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 1968
- C:\Windows\system32\DllHost.exe | command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | PID: 2136
- C:\Windows\system32\DllHost.exe | command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | PID: 2380
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 243B
  MD5: 983ba38133fb697e61af6ae4a212df4b
  SHA1: f1809c91de10390b6daf378ecdd64a234d794934
  SHA256: 63426ae0d5fb8e297de7137fcf98ac5ba0530d5c639c72f5a494727f3e50407b
  SHA512: fc9c990d685bcd274b3ff1bf107e800409801d11fead3e2e47cb53ee503a732062736cf1514717f4895bf426f983abcc7060876b9e738054715f1c1f76806f08
- Filesize: 366B
  MD5: 3a1f0114d2dfe9d160cf6323c37236a9
  SHA1: 9ed1ef68651a3cb2cecd5a7a497b8a1700185462
  SHA256: 0d3e306755766e49663155db1a619552493be8ac9d7a8d70924e410289b472d9
  SHA512: dc7f49e6314cda9900a95a328dc5cbcb7e1358d899104edadf42b3b1a1b248370863bdcf6bce3dae87a235cce8ed64f0b6303667ba086da7fc4a47819b950d0b
- Filesize: 171KB
  MD5: 92872f93cfc9438d6832e62569d31d14
  SHA1: 1e6ff7126f5e303d68334f1cdf2a56f8a58ed3c0
  SHA256: 59f53e6996f6ade6a1a42285e41d01a81e9965e4f3d3c943c60540557c5b4fd7
  SHA512: 03d6fc19cf332501cf42754d64c14d373e8527f5a1e457c082a37d147fc496413d6fd0909e7465d271661f39f4538601aad7ddf307636a06457283ac4da85e35