Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23/03/2024, 23:50
General
-
Target
301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.exe
-
Size
413KB
-
MD5
3023d7526b479ea3df315a5b1779a43d
-
SHA1
b5ae71b96a28b9353a4f33c5370ac18750937c17
-
SHA256
301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f
-
SHA512
67fe1cf7538e8ef76b6acbba99326af0de58464bf5710ae6fa7b85d73da9a84c58122de6b87c7d9560f0d366de711a95d03be231c1018eacb7489fd32aeb0834
-
SSDEEP
6144:OpZsqlbu151gFomsCfv6hdgnkG6FSXrIiucY6/4sTj3GUcqcPVpNghCQ:Ussu15qlsmShRG6mIiucN42qxqcC
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies security service 2 TTPs 2 IoCs
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
- Modifies security service
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-9969084541825130179-1056484498-946034262056648482-11613342356049442023202509"2⤵
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.exe"C:\Users\Admin\AppData\Local\Temp\301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\svchost.exeC:\Windows\syswow64\svchost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\svchost.exeC:\Windows\syswow64\svchost.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\syswow64\svchost.exeC:\Windows\syswow64\svchost.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Xjl5h8mE4As5vJ.bat" 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -r -s -h 301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.bin.exe3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
413KB
MD53023d7526b479ea3df315a5b1779a43d
SHA1b5ae71b96a28b9353a4f33c5370ac18750937c17
SHA256301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f
SHA51267fe1cf7538e8ef76b6acbba99326af0de58464bf5710ae6fa7b85d73da9a84c58122de6b87c7d9560f0d366de711a95d03be231c1018eacb7489fd32aeb0834
-
Filesize
417KB
MD5e00524afdf6afa0445769d0a963cd80d
SHA1b093fa0ccde2a7c65d6723fd0d1e0eae17fcdf51
SHA256182b4438405bd550085c48d4bd5c09f4b884113c92278bc48b6d47bb1d7c1c1f
SHA512d6af78a7776d681fe83f37968d57e063ac9f17d4b8d8115e35b1d532cdedd33707a6092c39b7e5a8d68e9d361597c8a0c224c2ab7139ed5958e4ff1446a14ec9
-
Filesize
9KB
MD550248170d0f755c5a311b61a59181ad9
SHA193486b1a90b7c802ccdccc88c27abac5076c5ef2
SHA256acba531431c5043991a7335011169ccd0025632f78e3925216fdf68edb4a8dca
SHA512cd3d5a511ccdc2e9e95cacb6c7dce02e71afe6eb6ccd32da29f00894da945f51b3eb5c1acdae9b7b1007bc13754dc6fb71f343d8a0c9a8bfca8ba7db773f4d85
-
Filesize
74B
MD5f488b5df4ab36b2fa1c78c041f5a433c
SHA1fe8b77ce17a48de7d7e6f7bfe7b8411701ebb12f
SHA256ce0e7dceca9e877c8ad232acef340c246f6f553e841dbcff18a9b458cd0fae1c
SHA5123df780bf8f3c2b547606f2dfc5552ab5140fdb089681f5945d2aec23d3eeb13d1546ea100881d6c830110c79c60f113788b1fbc7fd674a3578f9e2f76ea54ea7
-
Filesize
249B
MD568e031d1729db228c9a448f15cb30583
SHA17d5b0c77ea1f3b059bfd425f97dc7d780ab7c9d9
SHA2569800cc7f1278e69bceb1ca127bb12d5e45fc9ed104ec0d0eeaf958811bee94e9
SHA5121b77cfed131744b1d7c5f52135806a201ca6c9f2669c0aaa3582dff1094716b6b8e63355a86aa4506fe2b72ca22e0d43df327a72f49bad12d5a46eb0325fa780
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
8KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
252KB
-
Filesize
60KB
-
Filesize
252KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
8KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
252KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
60KB
-
Filesize
252KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
252KB
-
Filesize
8KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
252KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
252KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
352KB