Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
03/06/2024, 22:29
Static task
static1
Behavioral task
behavioral1
Sample
b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe
Resource
win10v2004-20240508-en
General
-
Target
b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe
-
Size
79KB
-
MD5
2874966864fc9bea32cc457135b8ab8a
-
SHA1
7e188555a5b26d09813bde4c5b400fd364079099
-
SHA256
b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1
-
SHA512
89163ff1c3a2b0e86f60a0445723b98d25828c550d33052d92a006da9710b066e9b0887594457b6b062bfa6247658b6981b3b830c736b4ce7916c61faa2686ab
-
SSDEEP
1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWO3Bxr7n:GhfxHNIreQm+HikBxr7n
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2924 rundll32.exe -
Loads dropped DLL 2 IoCs
pid Process 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe -
Modifies system executable filetype association 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\¢«.exe b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe File created C:\Windows\SysWOW64\notepad¢¬.exe b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe File opened for modification C:\Windows\SysWOW64\¢«.exe b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system\rundll32.exe b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe File opened for modification C:\Windows\system\rundll32.exe b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe -
Modifies registry class 15 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717453775" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717453775" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2924 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 2924 rundll32.exe 2924 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3064 wrote to memory of 2924 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 28 PID 3064 wrote to memory of 2924 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 28 PID 3064 wrote to memory of 2924 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 28 PID 3064 wrote to memory of 2924 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 28 PID 3064 wrote to memory of 2924 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 28 PID 3064 wrote to memory of 2924 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 28 PID 3064 wrote to memory of 2924 3064 b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe"C:\Users\Admin\AppData\Local\Temp\b912a788fd451bf4ddd1834e37e08ef81d3549b948ed0888e16a1e3faee984f1.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\system\rundll32.exeC:\Windows\system\rundll32.exe2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2924
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
MD508a2ea182db55e78e37d68780163faa9
SHA175aee4cba63d73aef2ce233881a83c2b0fa08026
SHA2561ec156a41a934672a07bbebc72b2a34900b509f8a915da1aaea726792f0293e7
SHA5122dc3df90b5fc7a5142a79c699f10038890fec291ddcd330533f313ea1dacdb931392503c6696beb87d992b97b0d2c2fe6843695acb908bf4f563c40f3cade49a
-
Filesize
78KB
MD5837ff4137c0bac5dc6660c0f3e7d612b
SHA1464b6ebb87b11ce6846c1d396986feaa3e34a636
SHA256c9469617404df071dea75cadf4eb4111c3028e86ab8c2d7e7a95131639ff993f
SHA5128e07bfdbf439859c7fcd124919859de56604585846fc3837e8a4294ca2ff0acc8065c911f7bc236fdb65e78ae65a5d242fb509b9005bf77a8cd13b3de0859fb7