Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 05:05
Static task: static1
Behavioral task: behavioral1
  Sample: e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll
  Resource: win10v2004-20240508-en
General
Target: e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll
Size: 524KB
MD5: a8afce658328a86009031a7cafc625bb
SHA1: 8443583d9b66f5d2db692030f6a687841cfb1d2c
SHA256: e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce
SHA512: c34fb48a249ddb68d6ab285125ea1e3a2a0130b3d1e8ab5bfc9942e6edaf3ece411aa5221a5af6a3c673cfe224c61ff1681e5cabe45988f334b7ee8c27e40621
SSDEEP: 6144:mi05kH9OyU2uv5SRf/FWgFgt2gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTL:ZrHGPv5Smpt7DmUWuVZkxikdXcq
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  pid   Process
  1224  Process not Found

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                     Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "\"C:\\Users\\Admin\\AppData\\Roaming\\usve2sZ\\StikyNot.exe\""  Process not Found

Drops file in System32 directory (2 IoCs)
  description                   ioc                                        Process
  File created                  C:\Windows\system32\2073\BdeUISrv.exe      cmd.exe
  File opened for modification  C:\Windows\system32\2073\BdeUISrv.exe      cmd.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2748  schtasks.exe

Modifies registry class (9 IoCs)
  description      ioc                                                                                                    Process
  Key created      \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command       Process not Found
  Key created      \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile                          Process not Found
  Key deleted      \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile                          Process not Found
  Key created      \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell                    Process not Found
  Key created      \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open               Process not Found
  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\G5SUW.cmd"  Process not Found
  Key deleted      \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command       Process not Found
  Key deleted      \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open               Process not Found
  Key deleted      \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell                    Process not Found

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Distinct entries; the signature fires 64 times in total, twice for rundll32.exe and 62 times for the unresolved process.
  pid   Process
  2224  rundll32.exe
  1224  Process not Found

Suspicious use of WriteProcessMemory (33 IoCs)
Distinct entries; each appears three times in the report, 33 in total.
  description                          pid   Process            procid_target
  PID 1224 wrote to memory of 2716     1224  Process not Found  28
  PID 1224 wrote to memory of 2664     1224  Process not Found  29
  PID 1224 wrote to memory of 2948     1224  Process not Found  30
  PID 1224 wrote to memory of 2468     1224  Process not Found  32
  PID 2468 wrote to memory of 2952     2468  cmd.exe            34
  PID 1224 wrote to memory of 2484     1224  Process not Found  35
  PID 1224 wrote to memory of 2120     1224  Process not Found  36
  PID 1224 wrote to memory of 2596     1224  Process not Found  37
  PID 1224 wrote to memory of 2688     1224  Process not Found  39
  PID 2688 wrote to memory of 2696     2688  eventvwr.exe       40
  PID 2696 wrote to memory of 2748     2696  cmd.exe            42

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 2224)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll,#1
    signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\LogonUI.exe (PID 2716)
    command line: C:\Windows\system32\LogonUI.exe

- C:\Windows\system32\StikyNot.exe (PID 2664)
    command line: C:\Windows\system32\StikyNot.exe

- C:\Windows\System32\cmd.exe (PID 2948)
    command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\RC8.cmd

- C:\Windows\System32\cmd.exe (PID 2468)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2952)
        command line: schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"

- C:\Windows\system32\sdchange.exe (PID 2484)
    command line: C:\Windows\system32\sdchange.exe

- C:\Windows\system32\BdeUISrv.exe (PID 2120)
    command line: C:\Windows\system32\BdeUISrv.exe

- C:\Windows\System32\cmd.exe (PID 2596)
    command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\W6VlA.cmd
    signatures: Drops file in System32 directory

- C:\Windows\System32\eventvwr.exe (PID 2688)
    command line: "C:\Windows\System32\eventvwr.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 2696)
        command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\G5SUW.cmd
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe (PID 2748)
            command line: schtasks.exe /Create /F /TN "Kzcfjezwvyzrv" /SC minute /MO 60 /TR "C:\Windows\system32\2073\BdeUISrv.exe" /RL highest
            signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads