Analysis
max time kernel: 171s
max time network: 143s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 09/04/2024, 23:37
Static task: static1
Behavioral task: behavioral1
  Sample: d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe
  Resource: win10v2004-20240226-en
General
Target: d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe
Size: 156KB
MD5: 8313610121a1a01d985f5b1f48caf78e
SHA1: 42c0ce70698c18c08ee985a3464e505201ebb9f9
SHA256: d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32
SHA512: 992fc799b34eeaab73cc4e63c912612a9f1bdad4fd9ce8e037285ea8676e03ef49f2cda371c060f12ea79fe8db617c4cdae205a32933e78d92959467a17ca7ad
SSDEEP: 3072:ZsTOWVcx8jeFvB0Z/I8xSFJKxr2CrILXNoiv:WQIcvqVuJyr2CMLX+S
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | feeaxo.exe
Executes dropped EXE (1 IoCs)
pid | Process
1704 | feeaxo.exe

Loads dropped DLL (2 IoCs)
pid | Process
884 | d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe
884 | d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe
Adds Run key to start application (2 TTPs, 27 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\feeaxo
All 27 entries write this same value. It is written once by d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe with data "C:\\Users\\Admin\\feeaxo.exe /c", then rewritten 26 times by feeaxo.exe with data "C:\\Users\\Admin\\feeaxo.exe /<switch>", where <switch> is, in order: m, t, b, v, p, o, r, z, h, q, g, x, s, i, u, a, k, w, n, e, f, d, c, j, l, y
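The two registry-based signatures above (the ShowSuperHidden write and the 27 Run-key writes) are easier to act on once the flattened IoC rows are parsed into records. The following Python is an added example written for this page, not code from tria.ge: it parses rows in the report's `Set value (kind) <key> = "<data>" <process>` form, maps each to an ATT&CK sub-technique (the mapping is my own choice; the report only says "2 TTPs"), and collapses repeated rewrites of one autorun value into a single entry with the set of command lines seen. The sample rows are copied from the report above, plus one constructed non-registry line to show that it is skipped.

```python
"""Parse flattened registry IoC rows from a tria.ge report and map them to
ATT&CK techniques.  Added example for this page; parsing logic and the
technique mapping are my own, not tria.ge output."""
import re
from collections import Counter

# One 'Set value (kind) <key> = "<data>" <process>' record per line.
_IOC_RE = re.compile(r'^Set value \((int|str)\) (\S+) = "(.*)" (\S+)$')

# Registry locations of interest and the technique each indicates.
# Mapping chosen here for illustration; the report does not list IDs.
T1547_001 = "T1547.001 Boot or Logon Autostart Execution: Registry Run Keys"
T1564_001 = "T1564.001 Hide Artifacts: Hidden Files and Directories"
_RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
_SUPER_HIDDEN = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)

# Rows copied from the report above; the last line is constructed noise.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" feeaxo.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\feeaxo = "C:\\Users\\Admin\\feeaxo.exe /c" d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\feeaxo = "C:\\Users\\Admin\\feeaxo.exe /m" feeaxo.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\feeaxo = "C:\\Users\\Admin\\feeaxo.exe /t" feeaxo.exe',
    "Loads dropped DLL 2 IoCs",  # not a registry write; parse_ioc returns None
]


def classify(key: str, kind: str, data: str):
    """Map one registry write to a technique string, or None if unrecognised."""
    if _RUN_KEY.search(key):
        return T1547_001
    if _SUPER_HIDDEN.search(key) and kind == "int" and data == "0":
        # ShowSuperHidden = 0 makes Explorer hide protected OS files again,
        # which keeps a dropped file with hidden/system attributes out of view.
        return T1564_001
    return None


def parse_ioc(line: str):
    """Return a record dict for one IoC row, or None if the row is not a registry write."""
    m = _IOC_RE.match(line.strip())
    if not m:
        return None
    kind, key, data, process = m.groups()
    if kind == "str":
        # The report doubles backslashes inside quoted string data; undo that.
        data = data.replace("\\\\", "\\")
    return {
        "kind": kind,
        "key": key,
        "value_name": key.rsplit("\\", 1)[-1],
        "data": data,
        "process": process,
        "technique": classify(key, kind, data),
    }


def summarize(lines):
    """Parse all rows, count them per technique, and group autorun writes by
    (process, value name) so repeated rewrites of one value collapse into
    a single entry holding every command line that was written to it."""
    iocs = [r for r in map(parse_ioc, lines) if r]
    by_technique = Counter(r["technique"] for r in iocs)
    autoruns = {}
    for r in iocs:
        if r["technique"] == T1547_001:
            autoruns.setdefault((r["process"], r["value_name"]), set()).add(r["data"])
    return {"iocs": iocs, "by_technique": by_technique, "autoruns": autoruns}


if __name__ == "__main__":
    result = summarize(SAMPLE_IOCS)
    for technique, n in result["by_technique"].items():
        print(f"{n:3d}  {technique}")
    for (process, name), cmds in result["autoruns"].items():
        print(f"{process} -> Run\\{name}: {sorted(cmds)}")
```

The grouping is the point: in the report the same Run value is rewritten 26 times with a different switch each time, so a detection that keys on the full command line would fire 27 times with 27 distinct strings, while one that keys on the value path (`...\CurrentVersion\Run\feeaxo`) and the writing process yields a single, stable indicator.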
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
884 | d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe (1 entry)
1704 | feeaxo.exe (63 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
884 | d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe
1704 | feeaxo.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 884 wrote to memory of 1704 | 884 | d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe | 29
PID 884 wrote to memory of 1704 | 884 | d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe | 29
PID 884 wrote to memory of 1704 | 884 | d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe | 29
PID 884 wrote to memory of 1704 | 884 | d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe | 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe (PID 884)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d94878b3191902f93f42cb084e6f588e09293f67f380e896ad5b0bab91807c32.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\feeaxo.exe (PID 1704, child of PID 884)
      Command line: "C:\Users\Admin\feeaxo.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 156KB
MD5: 86e2a488320ed3acc258eb29ccd36eac
SHA1: b5265fb4de5a5365af4a3e52c37447f405fdd501
SHA256: 751c24fec3ad461a145953722319217b1b8f93dae273d63b94794b5e246604b4
SHA512: 3571982850b263d27b778c4b05f6d576bba4c6294de163c965c239a84e0e72870c22f006fe95145a77707faa9bf29bbe625c1a5112922b20722c3d533f40e283