Analysis

- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19/05/2024, 19:11
Behavioral task behavioral1
- Sample: 19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
- Resource: win7-20240221-en

Behavioral task behavioral2
- Sample: 19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
- Resource: win10v2004-20240508-en
General

- Target: 19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe
- Size: 225KB
- MD5: affcb8c8fa1604c96af2a02fcdc53245
- SHA1: 51fdeeee539dd4ec719a3057ced7225bc7a3cd35
- SHA256: 19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9
- SHA512: c3b2b4a3503535cafef1e07330cd75254f37b4c8e50a732569f63b074d010cf61de3a5580b50190a42cb6ccbc4a0dbbc0b7c43bcd21f61167cdd572f230c4ae0
- SSDEEP: 3072:8vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u8vMSRW:8vEN2U+T6i5LirrllHy4HUcMQY6vMSk
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
UPX dump on OEP (original entry point) (11 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/memory/2084-1-0x0000000000400000-0x0000000000435000-memory.dmp | UPX |
| behavioral1/files/0x00360000000144e9-6.dat | UPX |
| behavioral1/memory/2084-8-0x00000000004D0000-0x0000000000505000-memory.dmp | UPX |
| behavioral1/files/0x000800000001470b-20.dat | UPX |
| behavioral1/files/0x0008000000014983-34.dat | UPX |
| behavioral1/memory/1476-51-0x0000000000400000-0x0000000000435000-memory.dmp | UPX |
| behavioral1/memory/2624-54-0x0000000000400000-0x0000000000435000-memory.dmp | UPX |
| behavioral1/memory/2084-55-0x0000000000400000-0x0000000000435000-memory.dmp | UPX |
| behavioral1/files/0x0009000000015c6d-56.dat | UPX |
| behavioral1/memory/3036-57-0x0000000000400000-0x0000000000435000-memory.dmp | UPX |
| behavioral1/memory/2524-58-0x0000000000400000-0x0000000000435000-memory.dmp | UPX |
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe |
Executes dropped EXE (4 IoCs)

| pid | Process |
|---|---|
| 3036 | explorer.exe |
| 2624 | spoolsv.exe |
| 2524 | svchost.exe |
| 1476 | spoolsv.exe |
Loads dropped DLL (8 IoCs)

| pid | Process |
|---|---|
| 2084 | 19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe |
| 2084 | 19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe |
| 3036 | explorer.exe |
| 3036 | explorer.exe |
| 2624 | spoolsv.exe |
| 2624 | spoolsv.exe |
| 2524 | svchost.exe |
| 2524 | svchost.exe |
Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe |
Drops file in Windows directory (6 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\c:\windows\system\explorer.exe | 19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe |
| File opened for modification | C:\Windows\system\udsys.exe | explorer.exe |
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)

The report lists 64 hits, all from the three processes below (the same pid/process pairs are reported repeatedly):

| pid | Process |
|---|---|
| 2084 | 19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe |
| 3036 | explorer.exe |
| 2524 | svchost.exe |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
|---|---|
| 3036 | explorer.exe |
| 2524 | svchost.exe |
Suspicious use of SetWindowsHookEx (12 IoCs)

| pid | Process |
|---|---|
| 2084 | 19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe |
| 2084 | 19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe |
| 3036 | explorer.exe |
| 3036 | explorer.exe |
| 2624 | spoolsv.exe |
| 2624 | spoolsv.exe |
| 2524 | svchost.exe |
| 2524 | svchost.exe |
| 1476 | spoolsv.exe |
| 1476 | spoolsv.exe |
| 3036 | explorer.exe |
| 3036 | explorer.exe |
Suspicious use of WriteProcessMemory (28 IoCs)

Each of the seven writes below is logged four times in the report, giving 28 IoCs in total:

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2084 wrote to memory of 3036 | 2084 | 19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe | 28 |
| PID 3036 wrote to memory of 2624 | 3036 | explorer.exe | 29 |
| PID 2624 wrote to memory of 2524 | 2624 | spoolsv.exe | 30 |
| PID 2524 wrote to memory of 1476 | 2524 | svchost.exe | 31 |
| PID 2524 wrote to memory of 2480 | 2524 | svchost.exe | 32 |
| PID 2524 wrote to memory of 2660 | 2524 | svchost.exe | 36 |
| PID 2524 wrote to memory of 2252 | 2524 | svchost.exe | 38 |
Processes

- C:\Users\Admin\AppData\Local\Temp\19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe (PID 2084)
  - Command line: "C:\Users\Admin\AppData\Local\Temp\19f81c528168b498f04583aa45ff349bd0b6b9f6a5dd1bc8a6a47c07a3d1f6a9.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 3036)
    - Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 2624)
      - Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 2524)
        - Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 1476)
          - Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 2480)
          - Command line: at 19:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 2660)
          - Command line: at 19:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 2252)
          - Command line: at 19:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads