Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 15/03/2024, 18:01
Behavioral tasks (this page is behavioral1; the resource field and the YARA match paths below both name it)
- behavioral1: Flame.exe on win7-20240215-en
- behavioral2: Flame.exe on win10v2004-20240226-en
- behavioral3: cstealer.pyc on win7-20240221-en
- behavioral4: cstealer.pyc on win10v2004-20231215-en
General
- Target: Flame.exe
- Size: 16.9MB
- MD5: 93aa6e8b549da8466c54dd90a1a8e76e
- SHA1: d64733c3b058db001b0368eb66044c303dcecad6
- SHA256: c328ee0d8c7308d2612122290e81b13f7d1d52e22d5f221a49328a03f56c6449
- SHA512: 1539549a6507f7eeae6d7aedf9c1fe9aabbc3690e836bcd81dcff5f68c9dc3b8df9f05cf4984abc90f73a8c090a5e575172096df7fec930ee6c5e1a9ccc6fe90
- SSDEEP: 393216:vZEkZgf8XgP8AxYDX1+TtIiFGuvB5IjWqn6eclz1SypX8Wjs+d9:RRbXbX71QtIZS3ILn6ecayCes+d9
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Both writers are the dropped copies under C:\Windows\Resources (PIDs 2140 and 756 in the Processes section), not the Windows binaries of the same name. ShowSuperHidden = 0 keeps protected operating-system files hidden in Explorer, which covers the dropped files.
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Executes dropped EXE (8 IoCs)
- 2480 flame.exe
- 1584 flame.exe
- 1156 Process not Found
- 944 icsys.icn.exe
- 2140 explorer.exe
- 800 spoolsv.exe
- 756 svchost.exe
- 112 spoolsv.exe
Loads dropped DLL (15 IoCs; one entry per loaded DLL, so a PID repeats once per library)
- 2908 Flame.exe (x2)
- 2480 flame.exe
- 1584 flame.exe (x7)
- 1156 Process not Found
- 944 icsys.icn.exe
- 2140 explorer.exe
- 800 spoolsv.exe
- 756 svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
The values land under Wow6432Node because the writers are 32-bit processes on a 64-bit OS; the "RO" argument is passed to the dropped binaries when the RunOnce entry fires.
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
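As an added example (not code from the tria.ge report), the Python below parses registry "Set value" IoC lines in the form the report prints and classifies them: an autostart entry (Run/RunOnce), an autostart target outside System32/Program Files, a Windows binary name living at the wrong path, and ShowSuperHidden forced to 0. The first three sample lines are copied from this report; the fourth is a constructed benign control. The trusted-directory list and the real home of each system binary are assumptions of the example, not facts the report states.

```python
"""Classify tria.ge-style registry 'Set value' IoC lines (added example)."""
import re
from dataclasses import dataclass

# Lines copied from the report; the last one is a constructed benign control.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\System32\\SecurityHealthSystray.exe" explorer.exe',
]

# Assumptions: autostart key names, directories treated as trusted, and where
# Windows really keeps binaries with these names.
AUTOSTART_KEYS = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_BINARY_HOME = {
    "explorer.exe": ("c:\\windows\\",),
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "spoolsv.exe": ("c:\\windows\\system32\\",),
}

IOC_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\ ]+)'
    r' = "(?P<data>.*)" (?P<proc>\S+)$')
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    process: str
    detail: str


def parse_ioc(line):
    """Split one report line into key, value name, data and writing process."""
    m = IOC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["data"] = rec["data"].replace("\\\\", "\\")  # the report escapes backslashes
    return rec


def classify(rec):
    findings = []
    key_l = rec["key"].lower()
    if (key_l.endswith("\\explorer\\advanced")
            and rec["name"].lower() == "showsuperhidden" and rec["data"] == "0"):
        findings.append(Finding("hide_system_files", rec["proc"],
                                "ShowSuperHidden=0 hides protected OS files in Explorer"))
    if key_l.endswith(AUTOSTART_KEYS):
        m = EXE_RE.match(rec["data"])
        exe = (m.group("exe") if m else rec["data"]).lower()
        base = exe.rsplit("\\", 1)[-1]
        findings.append(Finding("autorun", rec["proc"], f'{rec["name"]} -> {exe}'))
        if not exe.startswith(TRUSTED_DIRS):
            findings.append(Finding("autorun_untrusted_path", rec["proc"], exe))
        homes = SYSTEM_BINARY_HOME.get(base)
        if homes and not any(exe == home + base for home in homes):
            findings.append(Finding("masquerading", rec["proc"], f"{base} at {exe}"))
    return findings


def analyze(lines):
    """Run every line through the parser and collect the findings."""
    out = []
    for line in lines:
        rec = parse_ioc(line)
        if rec:
            out.extend(classify(rec))
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_IOCS):
        print(f"{f.kind:24} {f.process:14} {f.detail}")
```

The benign control produces only an "autorun" finding, while each RunOnce line from the report produces three (autorun, untrusted path, masquerading); that separation is what a triage rule built on these IoCs should key on, not the presence of a Run key by itself.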
Drops file in System32 directory (2 IoCs)
- svchost.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
- explorer.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory (5 IoCs)
- Flame.exe: File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe
- icsys.icn.exe: File opened for modification \??\c:\windows\resources\themes\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\resources\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\resources\svchost.exe
- explorer.exe: File opened for modification C:\Windows\Resources\tjud.exe
Detects Pyinstaller (7 IoCs)
YARA rule "pyinstaller" matched these dropped files:
- behavioral1/files/0x0030000000016ce4-6.dat
- behavioral1/files/0x0030000000016ce4-8.dat
- behavioral1/files/0x0030000000016ce4-9.dat
- behavioral1/files/0x0030000000016ce4-130.dat
- behavioral1/files/0x0030000000016ce4-131.dat
- behavioral1/files/0x0030000000016ce4-146.dat
- behavioral1/files/0x0030000000016ce4-147.dat
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- 2008 schtasks.exe
- 2284 schtasks.exe
- 2640 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, one per enumeration call)
- 2908 Flame.exe
- 944 icsys.icn.exe
- 2140 explorer.exe
- 756 svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- 2140 explorer.exe
- 756 svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs, two per process)
- 2908 Flame.exe
- 944 icsys.icn.exe
- 2140 explorer.exe
- 800 spoolsv.exe
- 756 svchost.exe
- 112 spoolsv.exe
Suspicious use of WriteProcessMemory (43 IoCs)
The report prints one record per write; collapsed to unique writer -> target pairs (count in parentheses). The final column in the report, procid_target, is the target's index in the process list, not a PID.
- 2908 Flame.exe -> 2480 (x4)
- 2480 flame.exe -> 1584 (x3)
- 2908 Flame.exe -> 944 (x4)
- 944 icsys.icn.exe -> 2140 (x4)
- 2140 explorer.exe -> 800 (x4)
- 800 spoolsv.exe -> 756 (x4)
- 756 svchost.exe -> 112 (x4)
- 2140 explorer.exe -> 1972 (x4)
- 756 svchost.exe -> 2008 (x4)
- 756 svchost.exe -> 2284 (x4)
- 756 svchost.exe -> 2640 (x4)
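As an added example that is not the report's code, the Python below collapses WriteProcessMemory records of the form shown above into unique writer/target edges, rebuilds the tree (the pairs match the parent/child pairs in the Processes section), and reports the longest chain plus which Windows process names appear beneath the submitted binary. The records are a constructed copy of the report's with most repeats trimmed; the names for PIDs that never write themselves are taken from the Processes section; the set of "system" names is an assumption of the example.

```python
"""Rebuild a process tree from tria.ge WriteProcessMemory records (added example)."""
import re
from collections import defaultdict

# Constructed copy of the report's records, repeats trimmed (the report shows
# each pair up to four times).
SAMPLE_RECORDS = """
PID 2908 wrote to memory of 2480 2908 Flame.exe 28
PID 2908 wrote to memory of 2480 2908 Flame.exe 28
PID 2480 wrote to memory of 1584 2480 flame.exe 29
PID 2908 wrote to memory of 944 2908 Flame.exe 30
PID 944 wrote to memory of 2140 944 icsys.icn.exe 31
PID 2140 wrote to memory of 800 2140 explorer.exe 32
PID 800 wrote to memory of 756 800 spoolsv.exe 33
PID 756 wrote to memory of 112 756 svchost.exe 34
PID 2140 wrote to memory of 1972 2140 explorer.exe 35
PID 756 wrote to memory of 2008 756 svchost.exe 36
PID 756 wrote to memory of 2284 756 svchost.exe 41
PID 756 wrote to memory of 2640 756 svchost.exe 43
"""

# Image names for PIDs that only appear as targets, copied from the Processes section.
LEAF_NAMES = {112: "spoolsv.exe", 1584: "flame.exe", 1972: "Explorer.exe",
              2008: "schtasks.exe", 2284: "schtasks.exe", 2640: "schtasks.exe"}

# Assumption: names of core Windows processes worth flagging under a user-temp binary.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}

REC_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<idx>\d+)")


def parse_records(text):
    """Return ({(writer, target): write_count}, {pid: image_name})."""
    edges, names = {}, dict(LEAF_NAMES)
    for m in REC_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] = edges.get((src, dst), 0) + 1
        names[src] = m["name"]
    return edges, names


def build_tree(edges):
    """Parent -> children map (insertion order kept) and the PIDs with no parent."""
    children, parent = defaultdict(list), {}
    for src, dst in edges:
        children[src].append(dst)
        parent[dst] = src
    roots = [p for p in children if p not in parent]
    return children, roots


def chains(children, names, node, path=()):
    """Every root-to-leaf path as a tuple of 'pid name' labels."""
    path = path + (f"{node} {names.get(node, '?')}",)
    if not children.get(node):
        return [path]
    return [c for kid in children[node] for c in chains(children, names, kid, path)]


def longest_chain(text):
    edges, names = parse_records(text)
    children, roots = build_tree(edges)
    best = max((c for r in roots for c in chains(children, names, r)), key=len)
    return " > ".join(best)


def system_names_below(text, root):
    """Windows process names found anywhere beneath `root`."""
    edges, names = parse_records(text)
    children, _ = build_tree(edges)
    found, stack = set(), list(children.get(root, []))
    while stack:
        pid = stack.pop()
        if names.get(pid, "").lower() in SYSTEM_NAMES:
            found.add(names[pid].lower())
        stack.extend(children.get(pid, []))
    return found


if __name__ == "__main__":
    print(longest_chain(SAMPLE_RECORDS))
    print(sorted(system_names_below(SAMPLE_RECORDS, 2908)))
```

Run against the report's records this yields a six-process chain from the Temp-folder Flame.exe down to a svchost.exe child, with explorer.exe, spoolsv.exe and svchost.exe all descending from the sample; that lineage (system names under a user-writable path) is a stronger hunting signal than any single process name.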
Processes (image path, command line, PID, signatures; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\Flame.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Flame.exe"
  PID: 2908
  Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\flame.exe
    command line: c:\users\admin\appdata\local\temp\flame.exe
    PID: 2480
    Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - \??\c:\users\admin\appdata\local\temp\flame.exe
      command line: c:\users\admin\appdata\local\temp\flame.exe
      PID: 1584
      Executes dropped EXE; Loads dropped DLL
  - C:\Windows\Resources\Themes\icsys.icn.exe
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    PID: 944
    Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe
      command line: c:\windows\resources\themes\explorer.exe
      PID: 2140
      Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe
        command line: c:\windows\resources\spoolsv.exe SE
        PID: 800
        Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe
          command line: c:\windows\resources\svchost.exe
          PID: 756
          Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe
            command line: c:\windows\resources\spoolsv.exe PR
            PID: 112
            Executes dropped EXE; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:04 /f
            PID: 2008
            Creates scheduled task(s)
          - C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:05 /f
            PID: 2284
            Creates scheduled task(s)
          - C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:06 /f
            PID: 2640
            Creates scheduled task(s)
      - C:\Windows\Explorer.exe
        command line: C:\Windows\Explorer.exe
        PID: 1972
        (the genuine Windows Explorer, started by the dropped explorer.exe)
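As an added example that is not part of the tria.ge report, the Python below takes (image path, command line, PID) rows copied from the Processes section above, flags Windows binary names that run from somewhere other than their real location, parses the three schtasks /create command lines into their switches, and works out which task definition actually survives on the host. The expected binary locations, the trusted-directory list and the set of schtasks switches that take a value are assumptions of the example, not facts from the report.

```python
"""Masquerading and schtasks checks over tria.ge process rows (added example)."""
import re

# Rows copied from the report's Processes section: (image path, command line, PID).
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\Flame.exe", r'"C:\Users\Admin\AppData\Local\Temp\Flame.exe"', 2908),
    (r"C:\Windows\Resources\Themes\icsys.icn.exe", r"C:\Windows\Resources\Themes\icsys.icn.exe", 944),
    (r"\??\c:\windows\resources\themes\explorer.exe", r"c:\windows\resources\themes\explorer.exe", 2140),
    (r"\??\c:\windows\resources\spoolsv.exe", r"c:\windows\resources\spoolsv.exe SE", 800),
    (r"\??\c:\windows\resources\svchost.exe", r"c:\windows\resources\svchost.exe", 756),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:04 /f', 2008),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:05 /f', 2284),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:06 /f', 2640),
    (r"C:\Windows\Explorer.exe", r"C:\Windows\Explorer.exe", 1972),
]

# Assumptions: where Windows keeps the real binaries, which directories count as
# trusted, and which schtasks switches take a value.
EXPECTED_HOME = {
    "explorer.exe": {"c:\\windows\\explorer.exe"},
    "svchost.exe": {"c:\\windows\\system32\\svchost.exe", "c:\\windows\\syswow64\\svchost.exe"},
    "spoolsv.exe": {"c:\\windows\\system32\\spoolsv.exe"},
    "schtasks.exe": {"c:\\windows\\system32\\schtasks.exe", "c:\\windows\\syswow64\\schtasks.exe"},
}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/st", "/sd", "/ed", "/mo", "/d", "/m",
                  "/ru", "/rp", "/ri", "/du", "/et", "/rl", "/i"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def normalize(path):
    """Lower-case and strip the NT object-manager prefix the report shows."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def masquerading(processes):
    """(pid, name, path) for images named like a Windows binary but located elsewhere."""
    hits = []
    for image, _cmd, pid in processes:
        p = normalize(image)
        base = p.rsplit("\\", 1)[-1]
        if base in EXPECTED_HOME and p not in EXPECTED_HOME[base]:
            hits.append((pid, base, p))
    return hits


def tokenize(cmd):
    """Split a Windows command line, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_schtasks(cmd):
    """Return {'action', 'opts', 'flags'} for a schtasks command line, else None."""
    toks = tokenize(cmd)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    task = {"action": None, "opts": {}, "flags": set()}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/create", "/delete", "/change", "/run", "/end", "/query"):
            task["action"] = t[1:]
        elif t in VALUE_SWITCHES and i + 1 < len(toks):
            task["opts"][t[1:]] = toks[i + 1]
            i += 1
        elif t.startswith("/"):
            task["flags"].add(t[1:])
        i += 1
    return task


def assess_task(task):
    """Reasons a parsed /create task deserves attention."""
    reasons = []
    tr = normalize(task["opts"].get("tr", ""))
    tn = task["opts"].get("tn", "").lower()
    if tr and not tr.startswith(TRUSTED_DIRS):
        reasons.append("untrusted_binary")
    if tn + ".exe" in EXPECTED_HOME:
        reasons.append("system_name_task")
    if "f" in task["flags"]:
        reasons.append("force_overwrite")
    return reasons


def effective_tasks(processes):
    """Task name -> definition left on the host: /f replaces an existing task, otherwise the first wins."""
    tasks = {}
    for _image, cmd, _pid in processes:
        task = parse_schtasks(cmd)
        if not task or task["action"] != "create" or "tn" not in task["opts"]:
            continue
        name = task["opts"]["tn"].lower()
        if name not in tasks or "f" in task["flags"]:
            tasks[name] = task
    return tasks


if __name__ == "__main__":
    print(masquerading(SAMPLE_PROCESSES))
    for name, task in effective_tasks(SAMPLE_PROCESSES).items():
        print(name, task["opts"], assess_task(task))
```

Because all three schtasks calls use the same /tn and /f, each replaces the previous one, so the host ends up with a single daily task named "svchost" firing at 18:06 that runs c:\windows\resources\svchost.exe; a hunt for this sample should expect one task, not three, and should key on the binary path rather than the task name.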
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads (dropped files available from the report; hashes as listed)
- Filesize: 2.7MB
  MD5: e30235c81784754ddf9820698fbc60bd
  SHA1: 2a4197543db9c00e90ef9ef748598fa41986cce8
  SHA256: 1e0d5f3922b6caf8dc5e9a47c4b8c49e70955becbf9eef559ab12ed9d4f4bd71
  SHA512: 62966acca39ddf5ee5b0d28911bbfea0b5cd7d7cc830e4afb200dd28d3f4ef0245eb79a98b63975b23c346160cec4afd85f610434b9b3ccc1d62934b3f65b0fa
- Filesize: 3.1MB
  MD5: 7f0db0f49c753a4b86bc16a4ae30b818
  SHA1: 7e71f3d49ef5412099ce957c6949122ec969e420
  SHA256: c51b5ec2db37cb9bcabd4348ee69959a77af13e1388b9fd40eafb32bf54a2eb5
  SHA512: bd553b150c6bbd50942fb1722b0f22f3fb07aa32773caaedf133a2827dbf7583620e44955c2589992ed836b37225101b549e07991417ce56e5dc4bcacf31a918
- Filesize: 5.2MB
  MD5: 4ea8385150d1f13945964f731cb328db
  SHA1: 2b162351961bb0f86cec42802056ffaf2f9c76d8
  SHA256: 7b3664b7ca156d1904439bc141f59c427d993dcbfe0f47220ab6a16903783e6a
  SHA512: 33435ba1f0e7297e6f16b2523f001f96f696d07849cfeb8691dba6311b391fce2ee49c336db4f91a227dd653e02365ceb7bbd6c887fb40c2b1ff053500b4b94b
- Filesize: 135KB
  MD5: 6926d35508aa78d41bb800bdc92929c7
  SHA1: 3442fde484e0ce3828052356284922aa73ea3813
  SHA256: a54e084f2c5dd2fda4e16a82821113410b7c768e78f9d180fbc72d621ae9241b
  SHA512: 89afdaa29d586e704c547e19ca663798f041e3afde2c94ffe46cf584c5bf9258a7c9f4e6c156c76e2c149fac3eda4a1388fae4b1e11371deaaf834243761815f
- Filesize: 135KB
  MD5: 9d6894062fa439a496dc4645632de6ba
  SHA1: d6193ca6d8177ac3ecdce2107bd64a2a701f5b20
  SHA256: e355aa215e660abdbabc9ec91ef4a87418285963f78ab2dc255f1bc550087c51
  SHA512: 1924ed3569e92cb3a74571bb8a204f80b0b476d15935961595154f07d385877064aa52f511778eacfe34f5d8494930a53a10917177417d97be13ea0dc8c6449d
- Filesize: 135KB
  MD5: cc14bb7e34215daa4b57444f887fcf92
  SHA1: 9acbc8ba557c95099f32113651100e26601009f7
  SHA256: 1806adf3070dac6d1411af59e001e99432cfbdb05705633bb2268a71439a8421
  SHA512: db8c38a717b11a6d110f56ba2ba50e6a71bbce2277bdf49c718d6ce43cb6eae384a3fa35b04f76cdc450e023a89ede6e6612eb6d31868f225e9408a860723447
- Filesize: 4.6MB
  MD5: 170fe6490bae8c9a503797b9056a4675
  SHA1: b3dd4dd40de57d7fed384bfe5a448aae38428c24
  SHA256: dc5fc4b183bd4ebdc1c6af02e8327b821d98b17ea4a01f746c8c04d7ab79b5ce
  SHA512: e0bc928630632f048841fbe9575bf65d8d85b7fce1a095976e52595ad5526d419b78973ff2a077e656decfb3b89d130276b5bf873722f145af27dbb456235873
- Filesize: 135KB
  MD5: c506b02b2c194c35a93117e153ecfe9a
  SHA1: e27f1d6279b22f0eaaac4d60da18f62b5154f606
  SHA256: 35ae11797b46df8aa86997ea075ea2c2608092a9847a069cfc908b4920749ca6
  SHA512: 0c3f948cc4c36e49f867a1df8f7273de15122cf93e89ae2f4cac2e99dcc5bbfca75b3c403eabac099073903e6fd6b42f330f86e7b9943fe217f38fc14312f72f
- Filesize: 21KB
  MD5: bcb8b9f6606d4094270b6d9b2ed92139
  SHA1: bd55e985db649eadcb444857beed397362a2ba7b
  SHA256: fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118
  SHA512: 869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9
- Filesize: 18KB
  MD5: bfffa7117fd9b1622c66d949bac3f1d7
  SHA1: 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
  SHA256: 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
  SHA512: b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f
- Filesize: 21KB
  MD5: 20ddf543a1abe7aee845de1ec1d3aa8e
  SHA1: 0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf
  SHA256: d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8
  SHA512: 96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd
- Filesize: 21KB
  MD5: 4380d56a3b83ca19ea269747c9b8302b
  SHA1: 0c4427f6f0f367d180d37fc10ecbe6534ef6469c
  SHA256: a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a
  SHA512: 1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4
- Filesize: 21KB
  MD5: 2554060f26e548a089cab427990aacdf
  SHA1: 8cc7a44a16d6b0a6b7ed444e68990ff296d712fe
  SHA256: 5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044
  SHA512: fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506
- Filesize: 2.3MB
  MD5: 87cc806e91ad1c03c7689d02be097f6d
  SHA1: a94810013ce026645005d8d41894d12d7d973391
  SHA256: 92920c67acebe7df8916172acb719946929983508a75deb66c2e0490e1d27eb9
  SHA512: 57c3b39424094c50b3cbc15735f4df0342fd41dbb45ad46b1d481a8e5abd78509e4872f92e374e5bd10d8856ff912ece07f8d7a6658d41365629ed9b2738be9c
- Filesize: 992KB
  MD5: 0e0bac3d1dcc1833eae4e3e4cf83c4ef
  SHA1: 4189f4459c54e69c6d3155a82524bda7549a75a6
  SHA256: 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
  SHA512: a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
- Filesize: 3.0MB
  MD5: 5c05c03c8f3fcc95e7e00fa77b881a97
  SHA1: 67eb648251448df8bae12adc596b1a17014d2260
  SHA256: f997b3001cb28f7c98ec3e2e07db0f0e5414d0c3a9f5f27420449795759ab8ba
  SHA512: 6e976be17bddba276d9d1810df925772c7cff8f667fca67e04a00be4eefee881e29245f0a17935c4fef1cefe6cf6c09c8fba37e92662f1e42c12f2d9760ad469
- Filesize: 2.4MB
  MD5: 4a35f1c11edb88e0a83d0a362e2f786b
  SHA1: 26570a17eb66833903e943d304258a23ddcf3dda
  SHA256: 4dcc0dbd17e4d5af945503d13f2aa6899b6a1800ed82710c981775f6615910e5
  SHA512: b0dc3c90f0b371e15c91822920d3e8f80a3a10f6056146dcfca905516b54947b063244bcdeb62465939027d618c3a7c529646f6aefacca9021ceae7158d48fe1
- Filesize: 2.0MB
  MD5: 9f0fda0c4661a614773a60dd9a7d2b38
  SHA1: 20a0777eed9b29cb1b7c56ec43343ce729662dd5
  SHA256: 3dd40a34b4d808f70df7b9a2a2efa602eca8cc208d2024faa0274c247df02683
  SHA512: 28e40bb7179840be993420d9ee73dd8313f280f98e75b9ea01dc895b2a75b9584c9496eb0af9295753a54861aa869ca05a9d4a7e5513e31096367c1fe42e40a2
- Filesize: 5.5MB
  MD5: e49a1da124cf6ff6a331b2bdf1f814eb
  SHA1: 192c532ae2ff8d8289c65ae73e2c5314006faebf
  SHA256: b2da5b97d3ff5fd40f978686d01e84d5afaa824ff12ec33fc0edfe780c0079c8
  SHA512: 11fa5e80534d11a3b1dfd1d54aabf1de8a0fea3b6f502249ee81a35d7695156141cf5ff66cd83cee46e23a36291f1e8d0efdd40d9779131278c13c8b6e37f90c