Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/06/2024, 04:55
Behavioral task behavioral1
- Sample: injector_3.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: injector_3.exe
- Resource: win10v2004-20240226-en
General
- Target: injector_3.exe
- Size: 2.9MB
- MD5: 46cae523a713b42a2725e391c380ff15
- SHA1: fb92db28887b5cdbfdcf5e2200e2a0c61052e03f
- SHA256: ddb0cb4678fd74a89202b5a6957b2a175c7b84332014dc524ff3f5e87a0185ae
- SHA512: 54863687fe0c451f46cf97f095c71022da20abe4ddd8afef2c1b60d632099e8c9fc4d6e7b535844864c02a0a7b1c68a6a5639e376ee68cebc3a1693ca7df02fc
- SSDEEP: 49152:axmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxWn+O93+xN:axx9NUFkQx753uWuCyyxWnruL
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
- injector_3.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- icsys.icn.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- spoolsv.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- svchost.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- spoolsv.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Sets service image path in registry (2 TTPs, 1 IoC)
- 9xskv.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NalDrv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\NalDrv.sys"
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- icsys.icn.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- icsys.icn.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- injector_3.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- injector_3.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Executes dropped EXE (7 IoCs)
- PID 2456 injector_3.exe
- PID 2472 icsys.icn.exe
- PID 2516 explorer.exe
- PID 2488 spoolsv.exe
- PID 2536 svchost.exe
- PID 2396 spoolsv.exe
- PID 2988 9xskv.exe
Loads dropped DLL (8 IoCs)
- PID 1904 injector_3.exe
- PID 2868 Process not Found
- PID 1904 injector_3.exe
- PID 2472 icsys.icn.exe
- PID 2516 explorer.exe
- PID 2488 spoolsv.exe
- PID 2536 svchost.exe
- PID 2456 injector_3.exe
YARA rule matches (yara_rule: themida, 20 resources)
- behavioral1/memory/1904-0-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/files/0x0034000000014701-14.dat
- behavioral1/memory/2472-16-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/files/0x0008000000014c25-26.dat
- behavioral1/memory/2516-28-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/files/0x0008000000015023-35.dat
- behavioral1/memory/2488-40-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/files/0x0008000000015cb9-50.dat
- behavioral1/memory/2536-52-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2396-62-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2396-72-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2488-73-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2472-76-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/1904-75-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2516-81-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2536-82-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2536-89-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2516-92-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2516-98-0x0000000000400000-0x0000000000A0E000-memory.dmp
- behavioral1/memory/2516-104-0x0000000000400000-0x0000000000A0E000-memory.dmp
Adds Run key to start application (2 TTPs, 4 IoCs)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
Checks whether UAC is enabled (6 IoCs)
- explorer.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- svchost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- injector_3.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- icsys.icn.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops file in System32 directory (2 IoCs)
- explorer.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
- svchost.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
- PID 1904 injector_3.exe
- PID 2472 icsys.icn.exe
- PID 2516 explorer.exe
- PID 2488 spoolsv.exe
- PID 2536 svchost.exe
- PID 2396 spoolsv.exe
Drops file in Windows directory (7 IoCs)
- injector_3.exe: File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe
- icsys.icn.exe: File opened for modification \??\c:\windows\resources\themes\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\resources\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\resources\svchost.exe
- injector_3.exe: File created C:\Windows\SoftwareDistribution\Download\9xskv.sys
- injector_3.exe: File created C:\Windows\SoftwareDistribution\Download\9xskv.exe
- explorer.exe: File opened for modification C:\Windows\Resources\tjud.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 888 schtasks.exe
- PID 2460 schtasks.exe
- PID 2344 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 repeated events from four processes:
- PID 1904 injector_3.exe
- PID 2472 icsys.icn.exe
- PID 2516 explorer.exe
- PID 2536 svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2516 explorer.exe
- PID 2536 svchost.exe
Suspicious behavior: LoadsDriver (1 IoC)
- PID 2988 9xskv.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- PID 2988 9xskv.exe: Token: SeSystemEnvironmentPrivilege
- PID 2988 9xskv.exe: Token: SeDebugPrivilege
- PID 2988 9xskv.exe: Token: SeLoadDriverPrivilege
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 1904 injector_3.exe (2 events)
- PID 2472 icsys.icn.exe (2 events)
- PID 2516 explorer.exe (2 events)
- PID 2488 spoolsv.exe (2 events)
- PID 2536 svchost.exe (2 events)
- PID 2396 spoolsv.exe (2 events)
Suspicious use of WriteProcessMemory (43 IoCs)
Source PID and process, target PID, procid_target, and number of repeated events:
- PID 1904 injector_3.exe wrote to memory of 2456 (procid_target 28): 4 events
- PID 1904 injector_3.exe wrote to memory of 2472 (procid_target 30): 4 events
- PID 2472 icsys.icn.exe wrote to memory of 2516 (procid_target 31): 4 events
- PID 2516 explorer.exe wrote to memory of 2488 (procid_target 32): 4 events
- PID 2488 spoolsv.exe wrote to memory of 2536 (procid_target 33): 4 events
- PID 2536 svchost.exe wrote to memory of 2396 (procid_target 34): 4 events
- PID 2456 injector_3.exe wrote to memory of 2988 (procid_target 35): 3 events
- PID 2516 explorer.exe wrote to memory of 2340 (procid_target 37): 4 events
- PID 2536 svchost.exe wrote to memory of 888 (procid_target 38): 4 events
- PID 2536 svchost.exe wrote to memory of 2460 (procid_target 43): 4 events
- PID 2536 svchost.exe wrote to memory of 2344 (procid_target 45): 4 events
Processes
Process tree (indentation shows parent/child depth; the first line of each entry is the image path, followed by the command line, the triggered signatures and the PID):
C:\Users\Admin\AppData\Local\Temp\injector_3.exe (PID 1904)
  Command line: "C:\Users\Admin\AppData\Local\Temp\injector_3.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\users\admin\appdata\local\temp\injector_3.exe (PID 2456)
    Command line: c:\users\admin\appdata\local\temp\injector_3.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SoftwareDistribution\Download\9xskv.exe (PID 2988)
      Command line: "C:\Windows\SoftwareDistribution\Download\9xskv.exe" -map C:\Windows\SoftwareDistribution\Download\9xskv.sys
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Resources\Themes\icsys.icn.exe (PID 2472)
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\themes\explorer.exe (PID 2516)
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\spoolsv.exe (PID 2488)
        Command line: c:\windows\resources\spoolsv.exe SE
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\svchost.exe (PID 2536)
          Command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\resources\spoolsv.exe (PID 2396)
            Command line: c:\windows\resources\spoolsv.exe PR
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\schtasks.exe (PID 888)
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:58 /f
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\schtasks.exe (PID 2460)
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:59 /f
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\schtasks.exe (PID 2344)
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:00 /f
            - Creates scheduled task(s)
      C:\Windows\Explorer.exe (PID 2340)
        Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (1)