Analysis
- max time kernel: 143s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15/03/2024, 12:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: cb6e7a008d3fcb2527e84356399e8ca7.exe
- Resource: win7-20240221-en
General
- Target: cb6e7a008d3fcb2527e84356399e8ca7.exe
- Size: 282KB
- MD5: cb6e7a008d3fcb2527e84356399e8ca7
- SHA1: 74110cfdacb330884c68b1f704883167b26f96a3
- SHA256: 8870fa9991ddb431424378c780ef391c2d4dc32c1b3bb377b03f6eb5f47447a9
- SHA512: e6c90afd52a1779dd1996a69c81dcba7d03aee3153a4aea412d6ed63b5330456767462ff24d75ff68bc3157b9e05b306ce06cdb99ef4f53909b1ca7139c5c894
- SSDEEP: 6144:crPrsEYF57R69Um+nEY0kqk4PXzCPamiHtRNCI6X:2sXF9R6ym+skK07mKX
Malware Config
Signatures
- Modifies security service (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" (Process: cb6e7a008d3fcb2527e84356399e8ca7.exe)
- Disables taskbar notifications via registry modification
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Active Setup\Installed Components (Process: explorer.exe)
- Executes dropped EXE (1 IoC)
  PID 2744: F3D1.tmp
- Loads dropped DLL (2 IoCs)
  PID 2212: cb6e7a008d3fcb2527e84356399e8ca7.exe (2 identical entries)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- yara_rule match: upx, on the following memory resources:
  behavioral1/memory/2212-1-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2212-3-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2608-13-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2212-15-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2212-105-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/3016-109-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2212-111-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2608-191-0x0000000001C70000-0x0000000001D70000-memory.dmp
  behavioral1/memory/2212-193-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2212-195-0x0000000000400000-0x000000000046C000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\91E.exe = "C:\\Program Files (x86)\\LP\\C448\\91E.exe" (Process: cb6e7a008d3fcb2527e84356399e8ca7.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\LP\C448\91E.exe (Process: cb6e7a008d3fcb2527e84356399e8ca7.exe)
  File opened for modification: C:\Program Files (x86)\LP\C448\F3D1.tmp (Process: cb6e7a008d3fcb2527e84356399e8ca7.exe)
  File opened for modification: C:\Program Files (x86)\LP\C448\91E.exe (Process: cb6e7a008d3fcb2527e84356399e8ca7.exe)
- Modifies registry class (5 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings (Process: explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (Process: explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (Process: explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (Process: explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (Process: explorer.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 2212: cb6e7a008d3fcb2527e84356399e8ca7.exe (14 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1248: explorer.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Token: SeRestorePrivilege, PID 2708 msiexec.exe
  Token: SeTakeOwnershipPrivilege, PID 2708 msiexec.exe
  Token: SeSecurityPrivilege, PID 2708 msiexec.exe
  Token: SeShutdownPrivilege, PID 1248 explorer.exe (12 identical entries)
- Suspicious use of FindShellTrayWindow (28 IoCs)
  PID 1248: explorer.exe (28 identical entries)
- Suspicious use of SendNotifyMessage (17 IoCs)
  PID 1248: explorer.exe (17 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2212 (cb6e7a008d3fcb2527e84356399e8ca7.exe) wrote to memory of PID 2608, procid_target 30 (4 identical entries)
  PID 2212 (cb6e7a008d3fcb2527e84356399e8ca7.exe) wrote to memory of PID 3016, procid_target 32 (4 identical entries)
  PID 2212 (cb6e7a008d3fcb2527e84356399e8ca7.exe) wrote to memory of PID 2744, procid_target 36 (4 identical entries)
- System policy modification (1 TTP, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (Process: cb6e7a008d3fcb2527e84356399e8ca7.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (Process: cb6e7a008d3fcb2527e84356399e8ca7.exe)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\cb6e7a008d3fcb2527e84356399e8ca7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb6e7a008d3fcb2527e84356399e8ca7.exe"
  PID: 2212
  Signatures:
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\cb6e7a008d3fcb2527e84356399e8ca7.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cb6e7a008d3fcb2527e84356399e8ca7.exe startC:\Users\Admin\AppData\Roaming\841CE\92BC4.exe%C:\Users\Admin\AppData\Roaming\841CE
    PID: 2608
  - C:\Users\Admin\AppData\Local\Temp\cb6e7a008d3fcb2527e84356399e8ca7.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cb6e7a008d3fcb2527e84356399e8ca7.exe startC:\Program Files (x86)\CEC9E\lvvm.exe%C:\Program Files (x86)\CEC9E
    PID: 3016
  - C:\Program Files (x86)\LP\C448\F3D1.tmp
    Command line: "C:\Program Files (x86)\LP\C448\F3D1.tmp"
    PID: 2744
    Signatures:
    - Executes dropped EXE
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2708
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 1248
  Signatures:
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 2
- Create or Modify System Process: 1
  - Windows Service: 1
Downloads