Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
20/03/2024, 02:02
Static task
static1
Behavioral task
behavioral1
Sample
047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
Resource
win10v2004-20240226-en
General
-
Target
047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
-
Size
852KB
-
MD5
e04213f27f4e2c763e0b8910f7743af3
-
SHA1
2707a70bfb085112cb02c82c738f752a4e789825
-
SHA256
047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547
-
SHA512
423039cd63fac7e3ceda72bf26695cc94339b1105b4c1a0bf603364e239658b30be841c47e781da867ff1ea0f22428c589ce3daac2c3834ef58e552fdafb242e
-
SSDEEP
24576:2deM8k31Q2B7oVSRZw/bO/PVggnoGhkOF8rcbfdaMQ8NNr+OZQw6F77GEm+pV0kn:8e831bEOOyy
Malware Config
Signatures
-
Detects PowerShell content designed to retrieve passwords from host 13 IoCs
resource yara_rule behavioral1/memory/1244-0-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-6-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-7-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-8-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-9-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-10-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-12-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-14-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-15-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-23-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-21-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-20-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword behavioral1/memory/1244-18-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_PWSH_PasswordCredential_RetrievePassword -
detects Windows exceutables potentially bypassing UAC using eventvwr.exe 13 IoCs
resource yara_rule behavioral1/memory/1244-0-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-6-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-7-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-8-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-9-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-10-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-12-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-14-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-15-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-23-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-21-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-20-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer behavioral1/memory/1244-18-0x0000000000190000-0x0000000000238000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost\\svchost.exe" 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\\svchost\\svchost.exe" 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe 2460 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe Token: SeDebugPrivilege 2460 taskmgr.exe Token: 33 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe Token: SeIncBasePriorityPrivilege 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe 2460 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1244 wrote to memory of 2460 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe 30 PID 1244 wrote to memory of 2460 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe 30 PID 1244 wrote to memory of 2460 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe 30 PID 1244 wrote to memory of 2460 1244 047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe"C:\Users\Admin\AppData\Local\Temp\047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\taskmgr.exe"C:\Windows\System32\taskmgr.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2460
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:2288
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD55e5949ab86f7e6eb19f2a7d1d11313e9
SHA14a92320fc66ef89ae83584962371fe2d7543ffa1
SHA256581df2cddc7a7b8753b6f7a448ef410500222a70c265e481ce4bd815d3ac0db6
SHA512dc5f4d1db3484512cc042f566570b9c4c91372a8fa22039d953597df81d5b616e285a0e7893e77d9d9f8ecd7ffed3a8983a62fca4f54159ccd7cf19fb261065c