Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 19/03/2024, 21:15
Static task: static1
Behavioral task: behavioral1
  Sample: d720b49b48eddeabdb907799af05318b.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: d720b49b48eddeabdb907799af05318b.exe
  Resource: win10v2004-20240226-en
General
Target: d720b49b48eddeabdb907799af05318b.exe
Size: 1.1MB
MD5: d720b49b48eddeabdb907799af05318b
SHA1: 1624a3f0c48f9116f41dbba054af0d1fd01b11d3
SHA256: 42a535d992bfeeb36d8f614d39d5546f7873dd4b9f4f78aead09bbffaa1b8aa2
SHA512: 43f3f1c073ad803ea72eaa92c353a0cc7058afdd7f554a925594ae6479c56b65b451a56ee110b18b861f2d0724fe3c3711d9bc82447fe5eeaf7d1aa940a0b442
SSDEEP: 24576:27Fm3nXFsCwGAhHRbujLPe+c3khOR43ZhOAZMHRBVpbdyUlC:27Fm3ndwBbbEPfMwORIhOAuHRBV38
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 6 IoCs)
description: ioc (Process)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JfbtqOH15ZaZy.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JfbtqOH15ZaZy.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description: ioc (Process)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (JfbtqOH15ZaZy.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\[non-printable value name] = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" (JfbtqOH15ZaZy.exe)
(Names shown as [non-printable ...] are binary data that the sandbox rendered as unreadable characters.)
Modifies Installed Components in the registry (2 TTPs, 6 IoCs)
description: ioc (Process)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\[non-printable key name] (JfbtqOH15ZaZy.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components (JfbtqOH15ZaZy.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\[non-printable key name] (JfbtqOH15ZaZy.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\[non-printable key name] (JfbtqOH15ZaZy.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components (JfbtqOH15ZaZy.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components\[non-printable key name] (JfbtqOH15ZaZy.exe)
(Key names shown as [non-printable key name] are binary data that the sandbox rendered as unreadable characters.)
Executes dropped EXE (2 IoCs)
- PID 3028: JfbtqOH15ZaZy.exe
- PID 2576: JfbtqOH15ZaZy.exe
Loads dropped DLL (2 IoCs)
- PID 2192: d720b49b48eddeabdb907799af05318b.exe
- PID 3028: JfbtqOH15ZaZy.exe
yara_rule: upx (matched memory resources)
- behavioral1/memory/2576-26-0x0000000000400000-0x0000000000474000-memory.dmp
- behavioral1/memory/2576-29-0x0000000000400000-0x0000000000474000-memory.dmp
- behavioral1/memory/2576-33-0x0000000000400000-0x0000000000474000-memory.dmp
- behavioral1/memory/2576-43-0x0000000000400000-0x0000000000474000-memory.dmp
- behavioral1/memory/2576-44-0x0000000000400000-0x0000000000474000-memory.dmp
Adds Run key to start application (2 TTPs, 3 IoCs)
description: ioc (Process)
- Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate Client 40705 = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\PUNtwHgRwPmjGT.exe" (d720b49b48eddeabdb907799af05318b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\[non-printable value name] = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" (JfbtqOH15ZaZy.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\[non-printable value name] = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" (JfbtqOH15ZaZy.exe)
(Value names shown as [non-printable value name] are binary data that the sandbox rendered as unreadable characters.)
Checks whether UAC is enabled
description: ioc (Process)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (JfbtqOH15ZaZy.exe)
Suspicious use of SetThreadContext (2 IoCs)
description (pid, Process, procid_target)
- PID 2192 set thread context of 3028 (2192, d720b49b48eddeabdb907799af05318b.exe, target 28)
- PID 3028 set thread context of 2576 (3028, JfbtqOH15ZaZy.exe, target 29)
Modifies registry key (1 TTPs, 4 IoCs)
- PID 2380: reg.exe
- PID 2144: reg.exe
- PID 2400: reg.exe
- PID 2416: reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
All 36 token adjustments were made by PID 2576 (JfbtqOH15ZaZy.exe). Tokens, in the order recorded:
1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2576: JfbtqOH15ZaZy.exe
- PID 2576: JfbtqOH15ZaZy.exe
Suspicious use of WriteProcessMemory (51 IoCs)
Grouped by source and target process; the count is the number of recorded writes, and procid_target is given in parentheses.
- PID 2192 (d720b49b48eddeabdb907799af05318b.exe) wrote to memory of 3028 (target 28): 8 writes
- PID 3028 (JfbtqOH15ZaZy.exe) wrote to memory of 2576 (target 29): 11 writes
- PID 2576 (JfbtqOH15ZaZy.exe) wrote to memory of 2052 (target 30): 4 writes
- PID 2576 (JfbtqOH15ZaZy.exe) wrote to memory of 2652 (target 31): 4 writes
- PID 2576 (JfbtqOH15ZaZy.exe) wrote to memory of 2640 (target 33): 4 writes
- PID 2576 (JfbtqOH15ZaZy.exe) wrote to memory of 2736 (target 35): 4 writes
- PID 2052 (cmd.exe) wrote to memory of 2380 (target 38): 4 writes
- PID 2640 (cmd.exe) wrote to memory of 2400 (target 39): 4 writes
- PID 2652 (cmd.exe) wrote to memory of 2144 (target 40): 4 writes
- PID 2736 (cmd.exe) wrote to memory of 2416 (target 41): 4 writes
Processes
Process tree (indentation shows parent/child relationship; the level number is the depth shown by the sandbox).

Level 1: C:\Users\Admin\AppData\Local\Temp\d720b49b48eddeabdb907799af05318b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d720b49b48eddeabdb907799af05318b.exe"
  PID: 2192
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\JfbtqOH15ZaZy.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JfbtqOH15ZaZy.exe
    PID: 3028
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\JfbtqOH15ZaZy.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\JfbtqOH15ZaZy.exe
      PID: 2576
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2052
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 2380
          - Modifies firewall policy service
          - Modifies registry key

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JfbtqOH15ZaZy.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JfbtqOH15ZaZy.exe:*:Enabled:Windows Messanger" /f
        PID: 2652
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JfbtqOH15ZaZy.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JfbtqOH15ZaZy.exe:*:Enabled:Windows Messanger" /f
          PID: 2144
          - Modifies firewall policy service
          - Modifies registry key

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        PID: 2640
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          PID: 2400
          - Modifies firewall policy service
          - Modifies registry key

      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\:*:Enabled:Windows Messanger" /f
        PID: 2736
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\:*:Enabled:Windows Messanger" /f
          PID: 2416
          - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
File 1
  Filesize: 1.5MB
  MD5: b57ff3b288a59787d133b529c3b90e17
  SHA1: 592b6efca6a553254b25c679fd2fc70ebc585d67
  SHA256: 2ebb6fec641fbbf3eff4e20b26eca4c971387fcaf9514e6f277aaa6b72a533d0
  SHA512: 3e8c6882563c93c2ad805bee9cad5a57801e0cbb9afeae4f11aa6f21ff393149010c045373d84a41ac69124ccf33c905402a92d8e7c987728c8cc37a69bb002e
File 2
  Filesize: 1.1MB
  MD5: 7d0db0748511368d88dd757be2d5fea1
  SHA1: 32b4b33d9e7329431d992872a35a2d585102f964
  SHA256: 70c96db5f76d1ca9481a466adc29ce4bc28ae99f87e686f25e1c8685e25c62ee
  SHA512: 176c91c79aeafbd7b0059b58f30ebc6d863b5189e018febb7e50e2e1c000bb8f02f580dba293339ffe3ef3c43f4ffda07dd1d9bedf2fc77f31ccbd28603ea70b
File 3
  Filesize: 33B
  MD5: c442162d7f2b0d8f618df617787444f4
  SHA1: 89c424d0a34233f58a137b882d26c97b7e7ca3d6
  SHA256: 61f07c89391d7ab353f671a3750ea09382c783b4230c48f50bae0d33286e55ad
  SHA512: a54342a7c204f3050bbc48af957af7140fc9e8ff7ac1e0d0e3b5c4f5f95e142b25314b2aa9feaa0ff1213e9a62a67ed29d93096bcc8eb15e1f899ea9caed31a2