Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23/04/2024, 16:21
Static task: static1
General
Target: -
Size: 2.0MB
MD5: c7e9746b1b039b8bd1106bca3038c38f
SHA1: cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256: b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512: cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
SSDEEP: 49152:FH/1Fdq0wneDrEoYxWFjmYMcKabLVp3diY7kp:FH/1Fdq0nIo2YAcl/NisA
Malware Config
Signatures
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other profile contents.

Adds Run key to start application  2 TTPs  1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan" | [email protected]
The value name "Antivirus" and the -noscan switch present the persisted binary as security software. Note that the report records only splash.mp3 and virus.mp3 being created under C:\Program Files (x86)\AnVi (see "Drops file in Program Files directory"); avt.exe itself does not appear among the captured file writes, so whether that path exists on an infected host should be checked rather than assumed.
Enumerates connected drives  3 TTPs  23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) by [email protected] on each of: \??\H:, \??\O:, \??\P:, \??\R:, \??\U:, \??\W:, \??\Z:, \??\A:, \??\B:, \??\G:, \??\J:, \??\K:, \??\L:, \??\Q:, \??\S:, \??\V:, \??\I:, \??\M:, \??\N:, \??\Y:, \??\E:, \??\T:, \??\X:
(every drive letter from A: to Z: except C:, D: and F:)
Drops file in Program Files directory  2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\AnVi\splash.mp3 | [email protected]
File created | C:\Program Files (x86)\AnVi\virus.mp3 | [email protected]
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings  4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | [email protected]
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | [email protected]
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | [email protected]
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" | [email protected]
These particular keys (WindowsSearch\Version and Use FormSuggest) are also written when an ordinary application hosts the embedded WebBrowser control, so on their own they are a weak indicator; they are consistent with the cached buy[1].htm page listed under Downloads, i.e. the sample rendered a web page through the IE engine.
Runs net.exe

Suspicious behavior: EnumeratesProcesses  64 IoCs

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
pid | Process
2236 | [email protected]
Suspicious use of AdjustPrivilegeToken  7 IoCs
description | pid | Process
Token: SeSecurityPrivilege | 1236 | mofcomp.exe
Token: 33 | 2600 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2600 | AUDIODG.EXE
Token: 33 | 2600 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2600 | AUDIODG.EXE
Token: 33 | 2236 | [email protected]
Token: SeIncBasePriorityPrivilege | 2236 | [email protected]
mofcomp.exe enabling SeSecurityPrivilege is part of a normal MOF compile and AUDIODG.EXE is a system process; the notable entry here is only that mofcomp was launched by the sample (see the process tree below).
Suspicious use of FindShellTrayWindow  4 IoCs
pid | Process
2236 | [email protected] (4 occurrences)

Suspicious use of SendNotifyMessage  4 IoCs
pid | Process
2236 | [email protected] (4 occurrences)

Suspicious use of SetWindowsHookEx  14 IoCs
pid | Process
2236 | [email protected] (14 occurrences)
Suspicious use of WriteProcessMemory  36 IoCs
description | pid | Process | procid_target
PID 2236 wrote to memory of 1608 | 2236 | [email protected] | 31 (4 writes)
PID 2236 wrote to memory of 1668 | 2236 | [email protected] | 32 (4 writes)
PID 2236 wrote to memory of 1320 | 2236 | [email protected] | 34 (4 writes)
PID 2236 wrote to memory of 1272 | 2236 | [email protected] | 36 (4 writes)
PID 2236 wrote to memory of 1236 | 2236 | [email protected] | 39 (4 writes)
PID 1272 wrote to memory of 2028 | 1272 | net.exe | 41 (4 writes)
PID 1668 wrote to memory of 2020 | 1668 | net.exe | 42 (4 writes)
PID 1320 wrote to memory of 2012 | 1320 | net.exe | 43 (4 writes)
PID 1608 wrote to memory of 2008 | 1608 | net.exe | 44 (4 writes)
Every write goes from a parent into a process it has just created (the same parent/child pairs as in the process tree below). That is the memory write a WOW64 CreateProcess performs on its new child, which this generic signature also catches; the report shows no write into a pre-existing foreign process, so this is not evidence of injection.
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\[email protected]
    command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    PID: 2236
    signatures: Adds Run key to start application; Enumerates connected drives; Drops file in Program Files directory; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  2⤵ C:\Windows\SysWOW64\net.exe
      command line: net stop wscsvc
      PID: 1608
      signatures: Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop wscsvc
        PID: 2008
  2⤵ C:\Windows\SysWOW64\net.exe
      command line: net stop winmgmt /y
      PID: 1668
      signatures: Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop winmgmt /y
        PID: 2020
  2⤵ C:\Windows\SysWOW64\net.exe
      command line: net start winmgmt
      PID: 1320
      signatures: Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 start winmgmt
        PID: 2012
  2⤵ C:\Windows\SysWOW64\net.exe
      command line: net start wscsvc
      PID: 1272
      signatures: Suspicious use of WriteProcessMemory
    3⤵ C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 start wscsvc
        PID: 2028
  2⤵ C:\Windows\SysWOW64\Wbem\mofcomp.exe
      command line: mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
      PID: 1236
      signatures: Suspicious use of AdjustPrivilegeToken
1⤵ C:\Windows\system32\AUDIODG.EXE
    command line: C:\Windows\system32\AUDIODG.EXE 0x474
    PID: 2600
    signatures: Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample stops the Security Center service (wscsvc) and the WMI service (winmgmt, with /y to answer the dependent-services prompt non-interactively), compiles a MOF file from its own Temp directory with mofcomp, and starts both services again. Loading a MOF into the WMI repository and then restarting winmgmt and wscsvc is how a product gets itself listed in the root\SecurityCenter (root\SecurityCenter2 on Vista and later) namespace that Security Center reads. Together with a Run value named "Antivirus" pointing at AnVi\avt.exe -noscan and the dropped splash.mp3/virus.mp3, this behaviour is consistent with a rogue antivirus installer. The contents of 4otjesjty.mof are not captured in this report, so what was actually registered cannot be confirmed from it. The procid_target ordering (31, 32, 34, 36, 39) shows the four net.exe commands were launched in quick succession before mofcomp, and the net1.exe children (41 to 44) were created only afterwards, so the stop/start commands were not awaited one by one. AUDIODG.EXE is the Windows audio engine and is started by the system when audio is played; its presence is consistent with the dropped .mp3 files being played, not with an action of the sample itself.
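The sequence above (stop wscsvc and winmgmt, compile a MOF from a user Temp directory, write a Run value from a process living in Temp) is easy to express as a correlation over process-creation and registry telemetry. The following Python is an added detection example and is not part of the Triage report or of the analysed sample: it runs three atomic rules over constructed Sysmon-style event records (EventID 1 = process creation, EventID 13 = registry value set) and then correlates them per originating process. The PIDs, command lines and Run value are taken from the report; the sample's image name (installer.exe), the services other than wscsvc and winmgmt, and the benign "net stop spooler" noise event are assumptions.

```python
"""Correlate net-stop / mofcomp / Run-key events into one finding per originating process.
Added example; event records below are constructed to mirror the report, not captured telemetry."""
import re
from dataclasses import dataclass

# Placeholder image name for the sample (assumption; the real name is mangled in the report).
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\installer.exe"

# Constructed Sysmon-style events. Field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    # EID 13: the sample writes its own Run value (key and data from the report)
    {"EventID": 13, "ProcessId": 2236, "Image": SAMPLE_IMAGE,
     "TargetObject": r"HKU\S-1-5-21-330940541-141609230-1670313778-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus",
     "Details": r'"C:\Program Files (x86)\AnVi\avt.exe" -noscan'},
    # EID 1: children of PID 2236, as in the report's process tree
    {"EventID": 1, "ProcessId": 1608, "ParentProcessId": 2236,
     "Image": r"C:\Windows\SysWOW64\net.exe", "CommandLine": "net stop wscsvc"},
    {"EventID": 1, "ProcessId": 1668, "ParentProcessId": 2236,
     "Image": r"C:\Windows\SysWOW64\net.exe", "CommandLine": "net stop winmgmt /y"},
    {"EventID": 1, "ProcessId": 1320, "ParentProcessId": 2236,
     "Image": r"C:\Windows\SysWOW64\net.exe", "CommandLine": "net start winmgmt"},
    {"EventID": 1, "ProcessId": 1272, "ParentProcessId": 2236,
     "Image": r"C:\Windows\SysWOW64\net.exe", "CommandLine": "net start wscsvc"},
    {"EventID": 1, "ProcessId": 1236, "ParentProcessId": 2236,
     "Image": r"C:\Windows\SysWOW64\Wbem\mofcomp.exe",
     "CommandLine": r"mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof"},
    # Benign noise (assumption): an administrator's shell stopping the print spooler
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net stop spooler"},
]

# wscsvc and winmgmt come from the report; the others are added by assumption as
# services malware commonly stops before tampering with security state.
PROTECTED_SERVICES = {"wscsvc", "winmgmt", "windefend", "mpssvc", "wuauserv"}

NET_STOP_RE = re.compile(r"^\s*\S*net(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
MOF_RE = re.compile(r'mofcomp(?:\.exe)?"?\s+"?([^"\s]+\.mof)', re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int      # process held responsible: the parent for spawned net.exe/mofcomp
    detail: str


def detect(events):
    """Apply the three atomic rules to a list of event dicts and return Findings."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            m = NET_STOP_RE.match(cmd)
            # Match net.exe only, so the net1.exe child does not count the same stop twice.
            if image.endswith("\\net.exe") and m and m.group(1).lower() in PROTECTED_SERVICES:
                findings.append(Finding("net_stop_protected_service",
                                        ev["ParentProcessId"], m.group(1).lower()))
            m = MOF_RE.search(cmd)
            if image.endswith("\\mofcomp.exe") and m and USER_TEMP_RE.search(m.group(1)):
                findings.append(Finding("mofcomp_from_user_temp",
                                        ev["ParentProcessId"], m.group(1)))
        elif ev.get("EventID") == 13:
            # A Run value written by a process that itself runs out of the user's Temp dir.
            if RUN_KEY_RE.search(ev.get("TargetObject", "")) and USER_TEMP_RE.search(image):
                findings.append(Finding("run_key_written_by_temp_process",
                                        ev["ProcessId"], ev.get("Details", "")))
    return findings


def correlate(findings):
    """Return PIDs that stopped both wscsvc and winmgmt and compiled a MOF from a user
    Temp directory: the Security Center tampering sequence seen in the report."""
    stopped, compiled = {}, set()
    for f in findings:
        if f.rule == "net_stop_protected_service":
            stopped.setdefault(f.pid, set()).add(f.detail)
        elif f.rule == "mofcomp_from_user_temp":
            compiled.add(f.pid)
    return sorted(pid for pid in compiled if {"wscsvc", "winmgmt"} <= stopped.get(pid, set()))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.rule:32} pid={f.pid} {f.detail}")
    print("SecurityCenter tampering by PID(s):", correlate(hits))
```

The atomic rules fire individually on the net stop, the mofcomp invocation and the Run-key write; the correlation keys each spawned command back to its parent (ParentProcessId), which is why all three land on PID 2236 while the lone "net stop spooler" from an unrelated parent produces nothing. On real telemetry, also check the MOF file's contents and the root\SecurityCenter namespaces, since the report alone does not show what was registered.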
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\buy[1].htm
Filesize: 985B
MD5: 69d2d338a7178b991a67134e1e72eaa6
SHA1: 20dd78f63cbd873e15087a8d3d9048639f883dac
SHA256: 921beaa969e6a74ef33305deaf7b5925acd1d2ff5091266f693bfbaa15cad5da
SHA512: 1b7c0d6fba37ed5af0a604329b3f8d113a92c683662974f1940aa1fdf6b3f064673895b754730237c959dda884f6b7fa508b66ef97011ed97c0bce5b5fb99f40
(the buy[1].htm entry is an IE cache file, so the sample fetched a page through the WinINet/IE stack; the Network section of this capture is not shown, so the URL cannot be given here)

(second file; path not shown in the report)
Filesize: 443B
MD5: 7fad92afda308dca8acfc6ff45c80c24
SHA1: a7fa35e7f90f772fc943c2e940737a48b654c295
SHA256: 76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f
SHA512: 49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea