Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
06/06/2024, 03:11
General
-
Target
947349588e2770905f2dc3d1c3fe1ff4515ca4cab16a34e9fd2a1f5bf9bd3bb8.exe
-
Size
65KB
-
MD5
3288b56ce2e4cd447873a0a54f69feb7
-
SHA1
852e60f47b3ef3b9715ef4a4bb7a5b029ea52865
-
SHA256
947349588e2770905f2dc3d1c3fe1ff4515ca4cab16a34e9fd2a1f5bf9bd3bb8
-
SHA512
4d3b81155818b9a6d45b472c2362ac9d58b3dbb2fff2714117aac6c15ff13cfe5552d98e0e47f59c5c07d78118e5ba946799b7488845b7655897d3af97442b74
-
SSDEEP
1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Oum:7WNqkOJWmo1HpM0MkTUmum
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\947349588e2770905f2dc3d1c3fe1ff4515ca4cab16a34e9fd2a1f5bf9bd3bb8.exe"C:\Users\Admin\AppData\Local\Temp\947349588e2770905f2dc3d1c3fe1ff4515ca4cab16a34e9fd2a1f5bf9bd3bb8.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 03:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 03:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 03:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD512814e7461c36938bc36b09e6ab09e0c
SHA1a87f0b16a0785632f7888845d674b29ab6dc5c0e
SHA256e951717ce15c1529946dfe3403f2f3b26fdcb647109fc6664e0efd04e9872681
SHA51228e18a8b471e39e9cd213aaf3cf46492c094159e7337725df910c298b413cb8b3d1b837030808dd7cfe9181c26adefd603fe5f859203fee08243da83133717d7
-
Filesize
65KB
MD528e942b76eb7f9c4c01499b164926aff
SHA1df1f1ace9023fa1e5dc18dc2cfe6a370d5a8d8c2
SHA2564f48cc9ba75afe21bf7c014141c86de0a8b5e6c583ef02b4a7e6a579a71c550c
SHA512d40a4cd915c9885fcd8ead004ab42a2e03ceba14b81ef0beb600cba40dc63fb0f8fad1f76092407455c0f3a81d6429ba66e838f857521892097c30de3e1f7d31
-
Filesize
65KB
MD5ec7164f726d59a00ac42700f55f17cc2
SHA1da3bec09c8c8c35cf208ef28a2bfc285d1bef7bb
SHA256ef5bd1f92288f37b2740264c33f0249af67ddb855a1d591a79ad3882a07fcd65
SHA512eda76db59bedb0b8e1f98e2f697e67ce03d07920dc210aa7bf99e1ba11094ee007111a89f9433cdb69bd9e9b7d559fcd4f426a2c30907fa40100e6613bec0ffc
-
Filesize
65KB
MD54dccc857a7dbb104034b972dbb812c9a
SHA1b69b7ac39896065bc9bc17098adb857a65169057
SHA256a045f62d16c62fd8786fc2e51446788e728e0464dd2ee32decf9df0623934ec3
SHA5127ef3e0c584606a86a3537c3b97df7ab4595bde7d417f5347cf460325919681ab2bdd5f85f754946886348b74d285459706685afd7238cd1663687b7510f88d04
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
16KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
16KB
-
Filesize
196KB