Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Seven.exe

windows10-2004-x64

1

Seven.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    72s
  • max time network
    66s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/04/2024, 17:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Seven.exe

  • Size

    139KB

  • MD5

    6503f847c3281ff85b304fc674b62580

  • SHA1

    947536e0741c085f37557b7328b067ef97cb1a61

  • SHA256

    afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f

  • SHA512

    abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174

  • SSDEEP

    3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8lto:miS4ompB9S3BZi0a1G78IVhcTct

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 7 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Seven.exe
    "C:\Users\Admin\AppData\Local\Temp\Seven.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • UAC bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
      2⤵
        PID:3944
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\SevenCopy.exe
        2⤵
        • Drops file in System32 directory
        PID:2992
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
        2⤵
        • Drops file in System32 directory
        PID:2140
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
        2⤵
        • Drops file in System32 directory
        PID:2440
      • C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
        "C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"
        2⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        PID:936
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3508
    • C:\Windows\System32\SevenCopy.exe
      C:\Windows\System32\SevenCopy.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:3736

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
      Filesize

      139KB

      MD5

      6503f847c3281ff85b304fc674b62580

      SHA1

      947536e0741c085f37557b7328b067ef97cb1a61

      SHA256

      afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f

      SHA512

      abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ji0oi2nk.fec.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Windows\System32\Seven.dll
      Filesize

      1.0MB

      MD5

      ef5402fefa4760111f2c60d290d488c5

      SHA1

      bdba28ab436a10731b69d1d7e3dea06f80e11d28

      SHA256

      01650c6ab1cfc88e9efd0a83a3d491d878016444ad9d19cce1495c89a71dafa2

      SHA512

      b467605ed56cbacf6d598f7a83998968e390b462f5bb516d4949d18f5087eaf68f32f09fbca472353653bf5fb2b20ba01f349219dab25928e95f009f7b6d7708

      Download Submit

    • C:\Windows\System32\Seven.runtimeconfig.json
      Filesize

      340B

      MD5

      253333997e82f7d44ea8072dfae6db39

      SHA1

      03b9744e89327431a619505a7c72fd497783d884

      SHA256

      28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

      SHA512

      56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

      Download Submit

    • memory/2036-0-0x000001F952A20000-0x000001F952A42000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2036-11-0x000001F939B10000-0x000001F939B20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2036-10-0x00007FFAA2230000-0x00007FFAA2CF1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2036-14-0x00007FFAA2230000-0x00007FFAA2CF1000-memory.dmp

      Filesize

      10.8MB

      Download