Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 09/06/2024, 09:29
Static task: static1
Behavioral task: behavioral1
  Sample: c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
  Resource: win10v2004-20240426-en
General
Target: c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
Size: 65KB
MD5: aa531d6157cc02a3909d85d3f38a12c8
SHA1: 08cb365b3c3143eaae2236841f6f2aa0d33e8565
SHA256: c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083
SHA512: 64b0b10c7ab71e0084614d9967b2e80bbd45a8794adb2ad13f0449c12d0ef73c49e17f68408d035f9b773f690a3b1ba48290d642a32c9bf0b4391e218ee3fc28
SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Oun:7WNqkOJWmo1HpM0MkTUmun
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Executes dropped EXE 4 IoCs
pid | Process
3052 | explorer.exe
2588 | spoolsv.exe
2864 | svchost.exe
2572 | spoolsv.exe
Loads dropped DLL 8 IoCs
pid | Process
2916 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
2916 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
3052 | explorer.exe
3052 | explorer.exe
2588 | spoolsv.exe
2588 | spoolsv.exe
2864 | svchost.exe
2864 | svchost.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2916 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
3052 | explorer.exe
3052 | explorer.exe
3052 | explorer.exe
2864 | svchost.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
3052 | explorer.exe
2864 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
3052 | explorer.exe
2864 | svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
2916 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
2916 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
3052 | explorer.exe
3052 | explorer.exe
2588 | spoolsv.exe
2588 | spoolsv.exe
2864 | svchost.exe
2864 | svchost.exe
2572 | spoolsv.exe
2572 | spoolsv.exe
3052 | explorer.exe
3052 | explorer.exe
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2916 wrote to memory of 3052 | 2916 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe | 28
PID 2916 wrote to memory of 3052 | 2916 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe | 28
PID 2916 wrote to memory of 3052 | 2916 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe | 28
PID 2916 wrote to memory of 3052 | 2916 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe | 28
PID 3052 wrote to memory of 2588 | 3052 | explorer.exe | 29
PID 3052 wrote to memory of 2588 | 3052 | explorer.exe | 29
PID 3052 wrote to memory of 2588 | 3052 | explorer.exe | 29
PID 3052 wrote to memory of 2588 | 3052 | explorer.exe | 29
PID 2588 wrote to memory of 2864 | 2588 | spoolsv.exe | 30
PID 2588 wrote to memory of 2864 | 2588 | spoolsv.exe | 30
PID 2588 wrote to memory of 2864 | 2588 | spoolsv.exe | 30
PID 2588 wrote to memory of 2864 | 2588 | spoolsv.exe | 30
PID 2864 wrote to memory of 2572 | 2864 | svchost.exe | 31
PID 2864 wrote to memory of 2572 | 2864 | svchost.exe | 31
PID 2864 wrote to memory of 2572 | 2864 | svchost.exe | 31
PID 2864 wrote to memory of 2572 | 2864 | svchost.exe | 31
PID 2864 wrote to memory of 2944 | 2864 | svchost.exe | 32
PID 2864 wrote to memory of 2944 | 2864 | svchost.exe | 32
PID 2864 wrote to memory of 2944 | 2864 | svchost.exe | 32
PID 2864 wrote to memory of 2944 | 2864 | svchost.exe | 32
PID 2864 wrote to memory of 1716 | 2864 | svchost.exe | 36
PID 2864 wrote to memory of 1716 | 2864 | svchost.exe | 36
PID 2864 wrote to memory of 1716 | 2864 | svchost.exe | 36
PID 2864 wrote to memory of 1716 | 2864 | svchost.exe | 36
PID 2864 wrote to memory of 384 | 2864 | svchost.exe | 38
PID 2864 wrote to memory of 384 | 2864 | svchost.exe | 38
PID 2864 wrote to memory of 384 | 2864 | svchost.exe | 38
PID 2864 wrote to memory of 384 | 2864 | svchost.exe | 38
Processes
C:\Users\Admin\AppData\Local\Temp\c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2916
  \??\c:\windows\system\explorer.exe (level 2)
  Command line: c:\windows\system\explorer.exe
  - Modifies WinLogon for persistence
  - Modifies visibility of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3052
    \??\c:\windows\system\spoolsv.exe (level 3)
    Command line: c:\windows\system\spoolsv.exe SE
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2588
      \??\c:\windows\system\svchost.exe (level 4)
      Command line: c:\windows\system\svchost.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2864
        \??\c:\windows\system\spoolsv.exe (level 5)
        Command line: c:\windows\system\spoolsv.exe PR
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 2572
        C:\Windows\SysWOW64\at.exe (level 5)
        Command line: at 09:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        PID: 2944
        C:\Windows\SysWOW64\at.exe (level 5)
        Command line: at 09:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        PID: 1716
        C:\Windows\SysWOW64\at.exe (level 5)
        Command line: at 09:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        PID: 384
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
Filesize: 65KB
MD5: 2d9f9f97c71127e1625aae37e3c010eb
SHA1: a3aeb87d95eeeab332deaa71803d385f175e2b7a
SHA256: 74a7c3fd88bdc8bf94c1f35139e312b836ce556e01569e2407e2c073a0639c14
SHA512: 320b2b4306b4ea7eb50423c597a2d6319ae356cec4bbb86afdad2ca760179c58afd7b80685b752ff763ed487655da4a676b5ca889f6f1d0a524532e248f1d5f1

Filesize: 65KB
MD5: 74845602994a7c090afa50ff5a5bce15
SHA1: 3293ed9ca5414c7b61a7307fe75618c1773e5e62
SHA256: 13a981e4e3d382ea008a6d96a2587fbcbd41617e8385774e2fad845abe46a2e8
SHA512: eadb909b837c62e193f3ebefcdbcd049126c683a81718ca83bb064b00024ccbb8b32b61604f5cd23346679e4f589714e285f053d27cdabe96cfcf4de6108592c

Filesize: 65KB
MD5: 223e7694f0beb3d5e028ed70e9df2e9b
SHA1: 62805f3059ca6bd3ea322dbb95c5e798aaa698ef
SHA256: 004879728c2bc106cab522fa2cf167b9501cf34bd2247188bb47e96752be37b5
SHA512: cba06b602cdedc6acf3912ac7852a04cd96ccde7c52a390fc0eaa4e6fcd7b8bf48dcc4f3d4d22ac5e604a4362535721b5e0ad5ebef7035842377068dc0a9b33a

Filesize: 65KB
MD5: 0189a3a08273878a4611809b6bd1e5b2
SHA1: f6b7b4cf019e2914c2f44f5d9a6dc47935e8c633
SHA256: a2eeb79a08484722c9231df216559694ec874f661d87ebac182c931b75f4cf6d
SHA512: 9954b293f1dd9bf72baddbe16c8359fb8e46c2dc6fe8aaaafbb7b92a099e0e689fe370686a5a3090f82e6505ad5ab8b5da1c9c4838d7862c9a05cf181cf52a5a