Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19/04/2024, 01:11
Behavioral task: behavioral1
Sample: a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
Resource: win7-20240221-en

General
Target: a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
Size: 435KB
MD5: d39c73260a157d2c296e7d264e13141f
SHA1: 6eaab20e6ba719f88311e644064227e9b1a730f2
SHA256: a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece
SHA512: 97028a63f67f07387945b2859c83524a96dc816c7b05bd714980d976305d001e011f9fb335947da071c5c440a004acd26b5f91f373c3e8fc3e21dacb7c3f80e7
SSDEEP: 12288:q6Wq4aaE6KwyF5L0Y2D1PqLy6Wq4aaE6KwyF5LL:IthEVaPqLwthE7
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description      ioc                                                                                                                                 Process
Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  svhost.exe
-
UPX dump on OEP (original entry point) 20 IoCs
resource                                                                     yara_rule
behavioral1/memory/1692-0-0x0000000000400000-0x00000000004C2000-memory.dmp      UPX
behavioral1/files/0x000c00000001224e-4.dat                                   UPX
behavioral1/memory/2416-5-0x0000000000400000-0x00000000004C2000-memory.dmp      UPX
behavioral1/files/0x0007000000015c7c-66.dat                                  UPX
behavioral1/memory/1692-730-0x0000000000400000-0x00000000004C2000-memory.dmp    UPX
behavioral1/memory/2416-1305-0x0000000000400000-0x00000000004C2000-memory.dmp   UPX
behavioral1/memory/2416-2356-0x0000000000400000-0x00000000004C2000-memory.dmp   UPX
behavioral1/memory/2416-2622-0x0000000000400000-0x00000000004C2000-memory.dmp   UPX
behavioral1/memory/2416-3411-0x0000000000400000-0x00000000004C2000-memory.dmp   UPX
behavioral1/memory/2416-4703-0x0000000000400000-0x00000000004C2000-memory.dmp   UPX
behavioral1/memory/2416-5757-0x0000000000400000-0x00000000004C2000-memory.dmp   UPX
behavioral1/memory/2416-6806-0x0000000000400000-0x00000000004C2000-memory.dmp   UPX
behavioral1/memory/2416-7863-0x0000000000400000-0x00000000004C2000-memory.dmp   UPX
behavioral1/memory/2416-9177-0x0000000000400000-0x00000000004C2000-memory.dmp   UPX
behavioral1/memory/2416-10229-0x0000000000400000-0x00000000004C2000-memory.dmp  UPX
behavioral1/memory/2416-11273-0x0000000000400000-0x00000000004C2000-memory.dmp  UPX
behavioral1/memory/2416-12322-0x0000000000400000-0x00000000004C2000-memory.dmp  UPX
behavioral1/memory/2416-13635-0x0000000000400000-0x00000000004C2000-memory.dmp  UPX
behavioral1/memory/2416-14686-0x0000000000400000-0x00000000004C2000-memory.dmp  UPX
behavioral1/memory/2416-15735-0x0000000000400000-0x00000000004C2000-memory.dmp  UPX
-
Executes dropped EXE 1 IoCs
pid   Process
2416  svhost.exe
-
resource                                                                     yara_rule
behavioral1/memory/1692-0-0x0000000000400000-0x00000000004C2000-memory.dmp      upx
behavioral1/files/0x000c00000001224e-4.dat                                   upx
behavioral1/memory/2416-5-0x0000000000400000-0x00000000004C2000-memory.dmp      upx
behavioral1/files/0x0007000000015c7c-66.dat                                  upx
behavioral1/memory/1692-730-0x0000000000400000-0x00000000004C2000-memory.dmp    upx
behavioral1/memory/2416-1305-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/2416-2356-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/2416-2622-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/2416-3411-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/2416-4703-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/2416-5757-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/2416-6806-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/2416-7863-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/2416-9177-0x0000000000400000-0x00000000004C2000-memory.dmp   upx
behavioral1/memory/2416-10229-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral1/memory/2416-11273-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral1/memory/2416-12322-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral1/memory/2416-13635-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral1/memory/2416-14686-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
behavioral1/memory/2416-15735-0x0000000000400000-0x00000000004C2000-memory.dmp  upx
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\r:  svhost.exe
File opened (read-only)  \??\t:  svhost.exe
File opened (read-only)  \??\x:  svhost.exe
File opened (read-only)  \??\g:  svhost.exe
File opened (read-only)  \??\h:  svhost.exe
File opened (read-only)  \??\l:  svhost.exe
File opened (read-only)  \??\m:  svhost.exe
File opened (read-only)  \??\q:  svhost.exe
File opened (read-only)  \??\y:  svhost.exe
File opened (read-only)  \??\z:  svhost.exe
File opened (read-only)  \??\e:  svhost.exe
File opened (read-only)  \??\j:  svhost.exe
File opened (read-only)  \??\n:  svhost.exe
File opened (read-only)  \??\u:  svhost.exe
File opened (read-only)  \??\w:  svhost.exe
File opened (read-only)  \??\a:  svhost.exe
File opened (read-only)  \??\i:  svhost.exe
File opened (read-only)  \??\k:  svhost.exe
File opened (read-only)  \??\o:  svhost.exe
File opened (read-only)  \??\v:  svhost.exe
File opened (read-only)  \??\b:  svhost.exe
File opened (read-only)  \??\p:  svhost.exe
File opened (read-only)  \??\s:  svhost.exe
-
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
resource                                                                     yara_rule
behavioral1/memory/1692-730-0x0000000000400000-0x00000000004C2000-memory.dmp    autoit_exe
behavioral1/memory/2416-1305-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/2416-2356-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/2416-2622-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/2416-3411-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/2416-4703-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/2416-5757-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/2416-6806-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/2416-7863-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/2416-9177-0x0000000000400000-0x00000000004C2000-memory.dmp   autoit_exe
behavioral1/memory/2416-10229-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral1/memory/2416-11273-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral1/memory/2416-12322-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral1/memory/2416-13635-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral1/memory/2416-14686-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
behavioral1/memory/2416-15735-0x0000000000400000-0x00000000004C2000-memory.dmp  autoit_exe
-
Drops file in Windows directory 2 IoCs
description                   ioc                    Process
File created                  C:\Windows\svhost.exe  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
File opened for modification  C:\Windows\Driver.db   svhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2416  svhost.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid   Process
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
pid   Process
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
2416  svhost.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                         pid   Process                                                                 procid_target
PID 1692 wrote to memory of 2416    1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe  28
PID 1692 wrote to memory of 2416    1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe  28
PID 1692 wrote to memory of 2416    1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe  28
PID 1692 wrote to memory of 2416    1692  a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe  28
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a03613764f6ab5c2e7bd44e9c020f612eae0733f7a7e8ee7bbfdc12798df9ece.exe"
   PID: 1692
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\svhost.exe (child of PID 1692)
      Command line: C:\Windows\svhost.exe
      PID: 2416
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
-
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 435KB
MD5: b81727fd86b8155f736553096fbcfbec
SHA1: edadf3d5d4e92446c60c1298b972b242ae3824f7
SHA256: d3e9a2a4dd79a40e9dac44eb18d031b18d0d4752d81ed27075cdd26788bf5aa9
SHA512: f2e389b17187fa258f25c640d2fd74c4cdd43e4b033a742c20330ea5c9c4a792b9f3ea4aabebb5b680aebe62494da2c47b64d5f429aa50ab61e192f99f95ba70

Filesize: 82B
MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Filesize: 435KB
MD5: dd70b1945a14441e6ed7e3e549a979c6
SHA1: 26dd28d697b7c2732e5eddc2faaba2b8dad8620f
SHA256: 8510b98425aea3d932755c13174f2ffa828c79623f74e35c3b35027da25aefd9
SHA512: 9d14b1dbc2cae32012591f84d89d99f26551099d6285d1f9795e424fafb0b0758d7d87dc89c5ab3900cf2a9e937ddbea117db3b7163bf4d27a69252cd41822c0