Analysis
-
max time kernel
150s
-
max time network
127s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
07/04/2024, 23:16
Static task
static1
Behavioral task
behavioral1
Sample
8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
Resource
win10v2004-20240226-en
General
-
Target
8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
-
Size
3.9MB
-
MD5
e50f625af23074889460dc76e73f9c40
-
SHA1
ca3f32c8bce1f7b1b8f36e03928feed509ec8e97
-
SHA256
8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b
-
SHA512
b3f3136921db681633b6ab7e09cd11de39bdd30959e32b2751d4a175edb42fb154c0e1a41e0c9c3ba158192a7571807a6bfd1bfab344ec67f73501fd91b591d7
-
SSDEEP
98304:RSptXL6pUrrW1FpuvDcX9Gdsd/DQ1C75vLpve:4tbIOebX9GqBU05zpG
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
-
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
-
Executes dropped EXE (4 IoCs)
pid | Process
2956 | explorer.exe
2492 | spoolsv.exe
2488 | svchost.exe
3068 | spoolsv.exe
-
Loads dropped DLL (8 IoCs)
pid | Process | events
1224 | 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe | 2
2956 | explorer.exe | 2
2492 | spoolsv.exe | 2
2488 | svchost.exe | 2
-
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
pid | Process | events
1224 | 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe | 3
2492 | spoolsv.exe | 2
3068 | spoolsv.exe | 2
2956 | explorer.exe | remaining 57 events, shared with 2488
2488 | svchost.exe | remaining 57 events, shared with 2956
-
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | events
1224 | 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe | 1
2956 | explorer.exe | remaining 63 events, shared with 2488
2488 | svchost.exe | remaining 63 events, shared with 2956
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2956 | explorer.exe
2488 | svchost.exe
-
Suspicious use of SetWindowsHookEx (22 IoCs)
pid | Process | events
1224 | 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe | 4
2956 | explorer.exe | 6
2492 | spoolsv.exe | 4
2488 | svchost.exe | 4
3068 | spoolsv.exe | 4
-
Suspicious use of WriteProcessMemory (28 IoCs; each row below was recorded 4 times)
description | pid | Process | procid_target
PID 1224 wrote to memory of 2956 | 1224 | 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe | 28
PID 2956 wrote to memory of 2492 | 2956 | explorer.exe | 29
PID 2492 wrote to memory of 2488 | 2492 | spoolsv.exe | 30
PID 2488 wrote to memory of 3068 | 2488 | svchost.exe | 31
PID 2488 wrote to memory of 1488 | 2488 | svchost.exe | 32
PID 2488 wrote to memory of 636 | 2488 | svchost.exe | 36
PID 2488 wrote to memory of 1788 | 2488 | svchost.exe | 38
Processes
-
Each entry lists the image path, the command line, the PID and the signatures that fired for that process; child processes are indented under their parent.

C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
  "C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe"
  PID:1224
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    PID:2956
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      PID:2492
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe
        c:\windows\system\svchost.exe
        PID:2488
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe PR
          PID:3068
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe
          at 23:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID:1488

        C:\Windows\SysWOW64\at.exe
          at 23:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID:636

        C:\Windows\SysWOW64\at.exe
          at 23:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID:1788
-
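Read together, the signatures and the process tree describe one persistence chain: the sample writes copies named explorer.exe, spoolsv.exe and svchost.exe into c:\windows\system (a directory in which none of those binaries legitimately lives), launches them in a chain, registers the copies through the Winlogon Shell value, RunOnce entries and Active Setup Installed Components whose key names are GUID-shaped but contain non-hex characters (OTRW, VMVQ), forces ShowSuperHidden to 0, and uses at.exe to schedule c:\windows\system\svchost.exe for every day of the week. The script below is an added example, not part of the tria.ge report, that turns those observations into checks over registry-write and process-creation events. The sample events are constructed from this report's IoCs plus two benign-looking entries that must not fire; the expected-directory table, the ATT&CK sub-technique IDs and the event field layout are the editor's assumptions, not anything the sandbox emits.

```python
"""Detections for the persistence chain in this report (editor's example, not sandbox output)."""
import re
from dataclasses import dataclass
from ntpath import basename, dirname, normpath  # ntpath parses Windows paths on any host

# Genuine locations of the binaries this sample impersonates (64-bit and WoW64 copies); editor's table.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\active setup\\installed components\\(\{[^\\]*\})", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.I)

@dataclass
class RegEvent:
    key: str      # key path as the sandbox logs it, e.g. \REGISTRY\MACHINE\SOFTWARE\...
    name: str     # value name; "" for key create/delete events
    data: str
    process: str  # image name of the writing process

@dataclass
class ProcEvent:
    image: str
    cmdline: str
    pid: int
    ppid: int

def _norm(path: str) -> str:
    """Lower-case, unquote, drop the NT \\??\\ prefix and the sandbox's doubled backslashes."""
    p = path.strip().strip('"').replace("\\\\", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return normpath(p).lower()

def _image_of(cmdline: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    c = cmdline.strip()
    return c[1:c.find('"', 1)] if c.startswith('"') else c.split(" ", 1)[0]

def masquerading_path(path: str) -> bool:
    """True when a well-known system binary name sits outside its genuine directory (T1036.005)."""
    p = _norm(path)
    expected = EXPECTED_DIRS.get(basename(p))
    return expected is not None and dirname(p) not in expected

def check_registry(ev: RegEvent) -> list[str]:
    out, key, name = [], ev.key.lower(), ev.name.lower()
    if key.endswith(r"\winlogon") and name == "shell":
        # Winlogon\Shell is comma-separated; any entry besides explorer.exe is an extra shell.
        for entry in ev.data.split(","):
            if _norm(entry) not in ("explorer.exe", r"c:\windows\explorer.exe"):
                out.append(f"T1547.004 Winlogon Shell adds {entry.strip()} [{ev.process}]")
    if key.endswith(r"\explorer\advanced") and name == "showsuperhidden" and ev.data.strip() == "0":
        out.append(f"T1564.001 ShowSuperHidden forced to 0 [{ev.process}]")
    m = ACTIVE_SETUP_RE.search(ev.key)
    if m and not GUID_RE.match(m.group(1)):
        out.append(f"T1547.014 Active Setup component with non-GUID name {m.group(1)} [{ev.process}]")
    if m and name == "stubpath" and "\\appdata\\roaming\\" in _norm(ev.data):
        out.append(f"T1547.014 Active Setup StubPath in user profile: {ev.data} [{ev.process}]")
    if RUN_KEY_RE.search(key) and masquerading_path(_image_of(ev.data)):
        out.append(f"T1547.001 Run/RunOnce launches masquerading binary {ev.data} [{ev.process}]")
    return out

def check_process(ev: ProcEvent) -> list[str]:
    out, parts = [], ev.cmdline.split()
    if basename(_norm(ev.image)) == "at.exe" and len(parts) >= 3:
        opts = {p.split(":", 1)[0].lower() for p in parts[2:] if p.startswith("/")}
        target = " ".join(p for p in parts[2:] if not p.startswith("/"))
        if "/every" in opts or "/next" in opts:
            out.append(f"T1053.002 at.exe recurring job {parts[1]} -> {target} [pid {ev.pid}, ppid {ev.ppid}]")
        if masquerading_path(target):
            out.append(f"T1036.005 scheduled target {target} is a masquerading binary")
    elif masquerading_path(ev.image):
        out.append(f"T1036.005 {ev.image} runs outside its genuine directory [pid {ev.pid}]")
    return out

def analyze(reg_events, proc_events) -> list[str]:
    return [f for ev in reg_events for f in check_registry(ev)] + [f for ev in proc_events for f in check_process(ev)]

HKLM = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft"
HKU_ADV = r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Sample events constructed from this report's IoCs; the last entry of each list is a constructed benign one.
SAMPLE_REGISTRY = [
    RegEvent(HKLM + r"\Windows NT\CurrentVersion\Winlogon", "shell", r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", "explorer.exe"),
    RegEvent(HKU_ADV, "ShowSuperHidden", "0", "svchost.exe"),
    RegEvent(HKLM + r"\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}", "StubPath", r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", "explorer.exe"),
    RegEvent(HKLM + r"\Windows\CurrentVersion\RunOnce", "Svchost", r"c:\windows\system\svchost.exe RO", "svchost.exe"),
    RegEvent(HKLM + r"\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}", "StubPath", r"C:\Windows\system32\regsvr32.exe /s /n /i:U shell32.dll", "msiexec.exe"),
]
SAMPLE_PROCESSES = [
    ProcEvent(r"\??\c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe", 2956, 1224),
    ProcEvent(r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE", 2492, 2956),
    ProcEvent(r"C:\Windows\SysWOW64\at.exe", r"at 23:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe", 1488, 2488),
    ProcEvent(r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe -k netsvcs", 900, 512),
]
if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_REGISTRY, SAMPLE_PROCESSES)))
```

Running the file prints nine findings for the constructed events and none for the two benign ones. The path check is the most portable piece: a system-binary name outside its genuine directory is wrong regardless of which autostart location references it, which is why `masquerading_path` is reused for the RunOnce data, the at.exe target and the created image alike.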
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
-
Filesize
3.9MB
MD5
3b8e23123dc1c04b3d67acf1a250e372
SHA1
1008823610ab7ab5a4c5222d6e6ca17522921cc2
SHA256
36013f5647499e668f2d59bbbba5923b66b08b5bb300482998f12bddf7a76252
SHA512
7fb0f619ddfb4896769221689bf1362f16ff820f59a6b4ba12a67e0b90023bc613d540dabb64b97d14dd1cbf0662016d0cdba6db8926f84fc7e5572a58e2db00
-
Filesize
3.9MB
MD5
96cd97d1fad8287b2eda99e0e415a590
SHA1
d53dc9b372bb2fafdfe2c9de009e7fa7308c4694
SHA256
2a51748432b47607ed9f5c981af42299b1dc50ee86ba9550a3a2684ccd75d512
SHA512
aae27c1e4f1f38f65bb9299ec6440f07a2974d65edb6423690b00e5ae43125ea5a3e3b92d804576312aa172027fbbb1320a02c0c60d480fb3a6c5186200eaee8
-
Filesize
3.9MB
MD5
df2cf1dbb6eb5b70c9e7f2a6069197b7
SHA1
445e2faf692e0ea7e5f92144ed3e83bde8809a44
SHA256
5f0329dcd30623ddc085fc22268e192d7799f4f3a814a8392283fd0caf5ef111
SHA512
ec461a6bcc31d4438455e69b96f1d87bbeef5f0fa684340657d3cabfeb6f7dfbad0c86b7ddfa258c6585e8e66e1dc0775d468e9004d67964e68275a176fa6bb5
-
Filesize
3.9MB
MD5
eec21fd191c9b3e64098eb75cec30423
SHA1
abf611929b9793592e11f530c59422dddd12a0f3
SHA256
02c04ed6b78f099d2f10bf75fdab612198e68dd10f5cd0e5f3d28cb6cfdce5fa
SHA512
5c052a9567c8ec55abb480836060b512378a0856a1ef1084ae273dd9c00815a1264807719b3c63662993e481c0881c313399087c985d34caa0f4e81bdb7e32bc