Analysis
- max time kernel: 148s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19/03/2024, 23:27 UTC
Static task
- static1
Behavioral task
- behavioral1: sample d757c8f286baaf93380e560c986b6222.exe, resource win7-20240221-en
- behavioral2: sample d757c8f286baaf93380e560c986b6222.exe, resource win10v2004-20240226-en
The signatures, processes and network records below are from behavioral1 (platform windows7_x64 above); behavioral2 ran the same sample on the Windows 10 image and its results are not on this page.
General
- Target: d757c8f286baaf93380e560c986b6222.exe
- Size: 614KB
- MD5: d757c8f286baaf93380e560c986b6222
- SHA1: 8c6bf2a37004c382c18e6b23ab0b8e5be1569e5d
- SHA256: 830bf8ebb7a9f6b44f657836c6dad8d1cebab16350f402dbf599d4f38e019ed0
- SHA512: 1f69ecc47e5dad5788db34e2def9a4991345a4fac2ef322cd80451ead1f65e6d5af00785f56663055796c3bb7b935f5d74895b31a3075adc1cffb1cb9f666700
- SSDEEP: 12288:P5v8WAA12+eawYcPxrg+v8EUVhF3Z4mxxlSWUcOeTHfkzz+:Px0tzY8xD1AQmXzUcrTHcf+
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
- PID 2648, Hacker.com.cn.exe (the file the sample created at C:\Windows\Hacker.com.cn.exe, see the next two signatures)
Drops file in System32 directory (1 IoC)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat, by Hacker.com.cn.exe
Note: config\systemprofile is the LocalSystem account's profile, and it is reached through SysWOW64 because that is where WoW64 redirects System32 for a 32-bit process (the resource tags list arch:x86 next to arch:x64). counters.dat is a WinINet cache bookkeeping file. This signature therefore records Hacker.com.cn.exe running as a 32-bit process under the SYSTEM account and using WinINet; it is not a second binary drop.
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\Hacker.com.cn.exe, by d757c8f286baaf93380e560c986b6222.exe
- File opened for modification: C:\Windows\Hacker.com.cn.exe, by d757c8f286baaf93380e560c986b6222.exe
Modifies data under HKEY_USERS (28 IoCs)
All 28 operations are by Hacker.com.cn.exe and, except for the one key creation listed in full, sit under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings; paths below are relative to that key. HKU\.DEFAULT is the hive the LocalSystem account sees as HKEY_CURRENT_USER, which matches the systemprofile path above. The values are WinINet's first-use initialisation for that profile plus its WPAD auto-detect bookkeeping (ProxyEnable = 0, no proxy server, WpadDecision = 0), so this block is a side effect of the dropped binary calling WinINet as SYSTEM, not a proxy hijack or a persistence change. The subkey name ce-67-b7-56-88-80 is in the format WinINet uses for the adapter MAC address, "Network 2" is the NLA network name, and the WpadDecisionTime values are little-endian FILETIMEs.
- Set value (data) Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data) Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0029000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created Wpad\{081958F5-C7C8-4E4A-8ACF-69AEC796652A}
- Set value (str) Wpad\{081958F5-C7C8-4E4A-8ACF-69AEC796652A}\WpadNetworkName = "Network 2"
- Key created Wpad\ce-67-b7-56-88-80
- Set value (int) Wpad\ce-67-b7-56-88-80\WpadDecision = "0"
- Set value (data) Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int) Wpad\{081958F5-C7C8-4E4A-8ACF-69AEC796652A}\WpadDecision = "0"
- Set value (int) Wpad\ce-67-b7-56-88-80\WpadDecisionReason = "1"
- Set value (data) Wpad\ce-67-b7-56-88-80\WpadDecisionTime = 00a8d008557ada01
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created (the Internet Settings key itself)
- Key created Wpad\{081958F5-C7C8-4E4A-8ACF-69AEC796652A}\ce-67-b7-56-88-80
- Set value (int) ZoneMap\AutoDetect = "1"
- Set value (str) 5.0\Cache\Content\CachePrefix (empty)
- Set value (str) 5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created Wpad
- Set value (str) Wpad\ce-67-b7-56-88-80\WpadDetectedUrl (empty)
- Set value (data) Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0029000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data) Wpad\ce-67-b7-56-88-80\WpadDecisionTime = a01bb83a557ada01
- Set value (int) ZoneMap\UNCAsIntranet = "0"
- Key created Connections
- Set value (int) Wpad\{081958F5-C7C8-4E4A-8ACF-69AEC796652A}\WpadDecisionReason = "1"
- Set value (data) Wpad\{081958F5-C7C8-4E4A-8ACF-69AEC796652A}\WpadDecisionTime = a01bb83a557ada01
- Set value (int) ProxyEnable = "0"
- Set value (data) Wpad\{081958F5-C7C8-4E4A-8ACF-69AEC796652A}\WpadDecisionTime = 00a8d008557ada01
- Key created ZoneMap\
- Set value (str) 5.0\Cache\History\CachePrefix = "Visited:"
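To check what the registry block above actually says rather than taking the sandbox label at face value, the following added example (written for this page, not tria.ge code and not the sample's) decodes the three Connections\ blobs and the two WpadDecisionTime values exactly as they are dumped in the report. The blob header layout it parses (version 0x46, a save counter, a flags DWORD using WinINet's PROXY_TYPE_* bits, then three DWORD-length-prefixed strings for proxy server, bypass list and PAC URL) is the documented DefaultConnectionSettings format; the auto-detect trailer that follows the strings is only reported by length, not decoded.

```python
"""Decode the WinINet proxy-settings blobs and WPAD timestamps from this report.

Added example for this page; not tria.ge code and not the sample's code. Only
the documented blob header (version, counter, flags, three length-prefixed
strings) is parsed; whatever follows is reported as an undecoded trailer.
"""
import struct
from datetime import datetime, timedelta, timezone

# Flag bits in the third DWORD; same values as WinINet's PROXY_TYPE_* constants.
PROXY_TYPE_DIRECT = 0x01
PROXY_TYPE_PROXY = 0x02
PROXY_TYPE_AUTO_PROXY_URL = 0x04
PROXY_TYPE_AUTO_DETECT = 0x08
FLAG_NAMES = {PROXY_TYPE_DIRECT: "direct", PROXY_TYPE_PROXY: "proxy",
              PROXY_TYPE_AUTO_PROXY_URL: "pac", PROXY_TYPE_AUTO_DETECT: "autodetect"}

# The three Connections\ values as dumped in the report (REG_BINARY as hex).
SAVED_LEGACY_SETTINGS = "4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
DEFAULT_CONNECTION_SETTINGS_3 = "4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0029000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
DEFAULT_CONNECTION_SETTINGS_4 = "4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0029000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
# The two WpadDecisionTime values as dumped (little-endian FILETIME).
WPAD_DECISION_TIMES = ("00a8d008557ada01", "a01bb83a557ada01")


def _read_string(data, off):
    """Read a DWORD byte count followed by that many ANSI bytes (no terminator)."""
    (length,) = struct.unpack_from("<I", data, off)
    off += 4
    if off + length > len(data):
        raise ValueError("string of %d bytes runs past end of blob" % length)
    return data[off:off + length].decode("latin-1"), off + length


def parse_connection_settings(hex_blob):
    """Return the header fields of a DefaultConnectionSettings-style blob."""
    data = bytes.fromhex(hex_blob)
    if len(data) < 24:
        raise ValueError("blob too short for the 24-byte header")
    version, counter, flags = struct.unpack_from("<III", data, 0)
    proxy, off = _read_string(data, 12)
    bypass, off = _read_string(data, off)
    pac_url, off = _read_string(data, off)
    return {
        "version": version,            # 0x46 (70) for every blob Windows writes
        "counter": counter,            # incremented each time the settings are saved
        "flags": sorted(n for bit, n in FLAG_NAMES.items() if flags & bit),
        "proxy": proxy,
        "bypass": [b for b in bypass.split(";") if b],
        "pac_url": pac_url,
        "trailer_bytes": len(data) - off,  # auto-detect state, not decoded here
    }


def filetime_from_reg_hex(hex_value):
    """Little-endian FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    (ticks,) = struct.unpack("<Q", bytes.fromhex(hex_value))
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def summarize():
    """Decode every value the report lists, in the order it lists them."""
    blobs = [("SavedLegacySettings", SAVED_LEGACY_SETTINGS),
             ("DefaultConnectionSettings", DEFAULT_CONNECTION_SETTINGS_3),
             ("DefaultConnectionSettings", DEFAULT_CONNECTION_SETTINGS_4)]
    out = [dict(name=name, **parse_connection_settings(blob)) for name, blob in blobs]
    out.extend({"name": "WpadDecisionTime", "utc": filetime_from_reg_hex(v).isoformat()}
               for v in WPAD_DECISION_TIMES)
    return out


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Every blob decodes to flags 0x09 (direct plus auto-detect, the Windows default), with no proxy server, bypass list or PAC URL, and only the save counter moves (2, 3, 4) as WinINet re-saves the same defaults. The two WpadDecisionTime values decode to 2024-03-19 at about 23:27 UTC and 23:29 UTC, inside the submission window at the top of the page, so they are WPAD probe timestamps from this run and not an attacker-chosen value.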
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2228, d757c8f286baaf93380e560c986b6222.exe
- Token: SeDebugPrivilege, PID 2648, Hacker.com.cn.exe
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2648, Hacker.com.cn.exe
Suspicious use of WriteProcessMemory (4 IoCs)
- Four WriteProcessMemory calls, all from PID 2648 (Hacker.com.cn.exe) into PID 2676 (IEXPLORE.EXE, which PID 2648 started itself, see the process tree); the trailing 29 on each entry is the report's internal index for the target process, not a PID.
Processes
- C:\Users\Admin\AppData\Local\Temp\d757c8f286baaf93380e560c986b6222.exe (PID 2228, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d757c8f286baaf93380e560c986b6222.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Hacker.com.cn.exe (PID 2648, depth 1)
  command line: C:\Windows\Hacker.com.cn.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2676, depth 2, child of PID 2648)
    command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Hacker.com.cn.exe is listed at depth 1, not as a child of the dropper (PID 2228), so the tree does not record what launched it; together with the systemprofile and HKU\.DEFAULT artifacts above this is consistent with a SYSTEM-context launcher such as a service, but the report does not show the launch mechanism itself.
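The process tree and the WriteProcessMemory signature together describe one chain: a process writes a PE into C:\Windows, a process later starts from that exact path, and that process then writes into a process it did not come from. The following added example (written for this page, not tria.ge code) implements that correlation over process-level telemetry. EVENTS is constructed to mirror the report (PIDs 2228, 2648 and 2676, the dropped path C:\Windows\Hacker.com.cn.exe, the counters.dat write and the write into IEXPLORE.EXE) in a simplified Sysmon-like record shape whose field names are this example's own assumption, not a real log format.

```python
"""Correlate a drop-then-inject chain of the kind this report shows.

Added example for this page; not tria.ge code. EVENTS is constructed from the
report's PIDs and paths; the record shape is an assumption of this example.
"""

WINDOWS_DIR = "c:\\windows\\"
PE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")

# Constructed events in time order (the report gives no timestamps; the order
# follows the signatures: drop, execute, WinINet cache write, spawn IE, inject).
EVENTS = [
    {"type": "process_create", "pid": 2228, "parent_pid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\d757c8f286baaf93380e560c986b6222.exe"},
    {"type": "file_create", "pid": 2228, "path": r"C:\Windows\Hacker.com.cn.exe"},
    {"type": "process_create", "pid": 2648, "parent_pid": None,
     "image": r"C:\Windows\Hacker.com.cn.exe"},
    {"type": "file_create", "pid": 2648,
     "path": r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"},
    {"type": "process_create", "pid": 2676, "parent_pid": 2648,
     "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"},
    {"type": "process_access", "pid": 2648, "target_pid": 2676, "op": "WriteProcessMemory"},
]


def is_pe_in_windows_dir(path):
    """True for a PE-looking file anywhere under C:\\Windows (case-insensitive)."""
    p = path.lower()
    return p.startswith(WINDOWS_DIR) and p.endswith(PE_SUFFIXES)


def find_drop_and_inject_chains(events):
    """Return one record per dropper -> dropped PE -> written-into process chain.

    Requires, in order: a file_create of a PE under C:\\Windows, a
    process_create whose image is that exact path, and a process_access by that
    process into a different PID. Non-PE writes such as counters.dat and
    processes that never touch another process produce no chain.
    """
    image_of = {}      # pid -> image path of every process seen starting
    dropped_by = {}    # lowercased PE path under C:\Windows -> pid that wrote it
    chains = []
    for ev in events:
        if ev["type"] == "file_create":
            if is_pe_in_windows_dir(ev["path"]):
                dropped_by[ev["path"].lower()] = ev["pid"]
        elif ev["type"] == "process_create":
            image_of[ev["pid"]] = ev["image"]
        elif ev["type"] == "process_access":
            src = ev["pid"]
            image = image_of.get(src, "")
            dropper = dropped_by.get(image.lower())
            if dropper is not None and dropper != src and ev["target_pid"] != src:
                chains.append({
                    "dropper_pid": dropper,
                    "dropped_image": image,
                    "dropped_pid": src,
                    "target_pid": ev["target_pid"],
                    "target_image": image_of.get(ev["target_pid"], "<unknown>"),
                })
    return chains


if __name__ == "__main__":
    for chain in find_drop_and_inject_chains(EVENTS):
        print(chain)
```

The chain is keyed on the dropped file's full path rather than on the process name, so a benign installer that writes a PE into C:\Windows and runs it is not flagged until that process also writes into another process; the WinINet cache write by PID 2648 is ignored because it is not a PE.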
-
Network
- DNS to 8.8.8.8:53: query iloveu123.sphosting.com IN A, no answer recorded
- DNS to 8.8.8.8:53: query iloveu123.sphosting.com IN A, no answer recorded
The only network activity captured is these two A lookups with no response, so no connection to the host behind iloveu123.sphosting.com was observed during the 134 s network window and any post-resolution behaviour (what the code written into IEXPLORE.EXE would do with a working connection) is not in this report. The hostname is the network IoC to take from the run.