Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 210s
- max time network: 243s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07/04/2024, 00:02
Static task
- static1
Behavioral task
- behavioral1
  Sample: a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74.exe
  Resource: win10v2004-20240319-en
General
- Target: a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74.exe
- Size: 37KB
- MD5: 38f80bc71d69f2afd987673fc8d044bd
- SHA1: b36d1172ef54128edcf5ec580fa0107077037730
- SHA256: a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74
- SHA512: e1fa6dd0dc39b8eb83109baf71fb5fe999f30458972ed5b82337f6d0d5f00b29413c307bb7b03463f0d21d2ee3d6e288427ce9a10554f1deec1ab2d74c81dcbf
- SSDEEP: 768:LZ+Zxe90i19C92eocaWTmNtY6coZOuLPfBXMqR:LaiZ19C92eocaWTKtNJZOuTfBXMqR
Malware Config
Signatures
- Modifies boot configuration data using bcdedit (1 TTP, 10 IoCs)
  pid / Process: 3056 bcdedit.exe; 2112 bcdedit.exe; 2140 bcdedit.exe; 1964 bcdedit.exe; 1040 bcdedit.exe; 1936 bcdedit.exe; 1508 bcdedit.exe; 1612 bcdedit.exe; 1844 bcdedit.exe; 1152 bcdedit.exe
- Drops file in Drivers directory (1 IoC)
  File created: C:\Windows\system32\drivers\f793b7a.sys (Process: xiafet.exe)
- Executes dropped EXE (3 IoCs)
  pid / Process: 1056 lcm.exe; 2528 lsias.exe; 1072 xiafet.exe
- Loads dropped DLL (4 IoCs)
  pid / Process: 2472 a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74.exe; 2472 a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74.exe; 1056 lcm.exe; 2528 lsias.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xiafet = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Measom\\xiafet.exe" (Process: xiafet.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2528 set thread context of 2960 (pid 2528, Process lsias.exe, procid_target 54)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 2456, pid_target 2960, Process WerFault.exe, procid_target 54
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid / Process: 2528 lsias.exe; 1072 xiafet.exe; 1072 xiafet.exe; 1072 xiafet.exe; 1072 xiafet.exe; 2456 WerFault.exe; 2456 WerFault.exe; 2456 WerFault.exe; 2456 WerFault.exe; 2456 WerFault.exe; 1072 xiafet.exe; 1072 xiafet.exe; 1072 xiafet.exe
- Suspicious behavior: LoadsDriver (1 IoC)
  pid / Process: 468 Process not Found
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege (pid 2456, Process WerFault.exe)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid / Process: 2528 lsias.exe; 1072 xiafet.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  pid   Process                                                                   wrote to memory of   procid_target   occurrences
  2472  a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74.exe     1056                 29              4
  1056  lcm.exe                                                                   2528                 32              4
  2528  lsias.exe                                                                 1072                 33              4
  1072  xiafet.exe                                                                3056                 34              4
  1072  xiafet.exe                                                                2112                 35              4
  1072  xiafet.exe                                                                2140                 36              4
  1072  xiafet.exe                                                                1964                 37              4
  1072  xiafet.exe                                                                1040                 38              4
  1072  xiafet.exe                                                                1936                 39              4
  1072  xiafet.exe                                                                1508                 40              4
  1072  xiafet.exe                                                                1612                 41              4
  1072  xiafet.exe                                                                1844                 42              4
  1072  xiafet.exe                                                                1152                 43              4
  1072  xiafet.exe                                                                1248                 19              5
  1072  xiafet.exe                                                                1320                 20              5
  1072  xiafet.exe                                                                1380                 21              2
Processes
- C:\Windows\system32\taskhost.exe (PID 1248)
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe (PID 1320)
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (PID 1380)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74.exe (PID 2472)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a5df302b5048eef64d951d9f68a96578bd079ef251f6a27ee278c99a6eca8b74.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\lcm.exe (PID 1056)
      Command line: "C:\Users\Admin\AppData\Local\Temp\lcm.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\lsias.exe (PID 2528)
        Command line: "C:\Users\Admin\AppData\Local\Temp\lsias.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\Measom\xiafet.exe (PID 1072)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Measom\xiafet.exe"
          Signatures: Drops file in Drivers directory; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - C:\Windows\system32\bcdedit.exe (PID 3056)
            Command line: bcdedit.exe -set TESTSIGNING ON
            Signatures: Modifies boot configuration data using bcdedit
          - C:\Windows\system32\bcdedit.exe (PID 2112)
            Command line: bcdedit.exe -set TESTSIGNING ON
            Signatures: Modifies boot configuration data using bcdedit
          - C:\Windows\system32\bcdedit.exe (PID 2140)
            Command line: bcdedit.exe -set TESTSIGNING ON
            Signatures: Modifies boot configuration data using bcdedit
          - C:\Windows\system32\bcdedit.exe (PID 1964)
            Command line: bcdedit.exe -set TESTSIGNING ON
            Signatures: Modifies boot configuration data using bcdedit
          - C:\Windows\system32\bcdedit.exe (PID 1040)
            Command line: bcdedit.exe -set TESTSIGNING ON
            Signatures: Modifies boot configuration data using bcdedit
          - C:\Windows\system32\bcdedit.exe (PID 1936)
            Command line: bcdedit.exe -set TESTSIGNING ON
            Signatures: Modifies boot configuration data using bcdedit
          - C:\Windows\system32\bcdedit.exe (PID 1508)
            Command line: bcdedit.exe -set TESTSIGNING ON
            Signatures: Modifies boot configuration data using bcdedit
          - C:\Windows\system32\bcdedit.exe (PID 1612)
            Command line: bcdedit.exe -set TESTSIGNING ON
            Signatures: Modifies boot configuration data using bcdedit
          - C:\Windows\system32\bcdedit.exe (PID 1844)
            Command line: bcdedit.exe -set TESTSIGNING ON
            Signatures: Modifies boot configuration data using bcdedit
          - C:\Windows\system32\bcdedit.exe (PID 1152)
            Command line: bcdedit.exe -set TESTSIGNING ON
            Signatures: Modifies boot configuration data using bcdedit
        - C:\Windows\SysWOW64\cmd.exe (PID 2960)
          Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\WQADD6F.bat"
          - C:\Windows\SysWOW64\WerFault.exe (PID 2456)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 116
            Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DllHost.exe (PID 1416)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\conhost.exe (PID 2496)
  Command line: \??\C:\Windows\system32\conhost.exe "844197778-5421874441554756392107014615618454053763437781111536675309-344092748"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 593KB
  MD5: bea750cba9f5641ddb32ae44022a156c
  SHA1: 89f94f035cf11ab407bb3852c1b2d5a08de97554
  SHA256: 08552f6f3fd2bc67826e7b702a7d02e6e0fbef8fd474f1e436034e8f70aa2a1c
  SHA512: 588230efb8f0fff018595d957e118db8310a3a1ff4dc365723063c62e33fb197c40cb15f2e22aa5bd9004ec7aa1ae06ce1bbd26ef702a22859608c8b0394c37e
- Filesize: 37KB
  MD5: 7dbba94859c6d13b02aa6010301d942e
  SHA1: 95719bc59b38ea41e2944899de0171a7a064c52e
  SHA256: 8a4c97df18716d25c508608a6baaf8e940dded4f68cb4924943bc94375f4e327
  SHA512: 08151b054efb79826d470abc44f65923e1b42a93490f9428f5f767439d5fe0dca604a4786524a511ca8ea89c8a8286847cc77eed579a345c8e29accab7758a12
- Filesize: 593KB
  MD5: b765fa6dafe847a21badd35b2db70ce0
  SHA1: 8de082342547052dbe43bf9d9df0ec5fc4586eb9
  SHA256: b943dea63930db983b6d4524dbecf76bc94ece24bc68ee69a658c3e05164ffb9
  SHA512: 4ccdc9bad6e957f5df3f7ccb3cd11085b44fa234334dacbf042ec942ed67b244178681426f85d38d7ca4c5583d5b546a5c43ba6d6c098d5f63522ed06c99c674