Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
10/06/2024, 14:51
General
-
Target
933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
-
Size
66KB
-
MD5
766daa59bb63db8c6743ea35e10ee3bf
-
SHA1
73e4b640c09ea9a74604422b6524f9cada87465d
-
SHA256
933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071
-
SHA512
86952fe8682bec94f5db178c4a5ebf294ac14ae4da28f54b7fcb4b73bbd4d159a7943237776fa616b0da4d5cee9647e1f6f4ab847f0112f029e9ecdcb32cb659
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXis:IeklMMYJhqezw/pXzH9is
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe"C:\Users\Admin\AppData\Local\Temp\933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 14:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 14:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 14:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD547568b7da935ff63c835102e4ef5ca06
SHA1b972e1f2e61ee08ca33d475b54c00a572b4bf7bd
SHA2566e56e256f61a99553fb98af17d13c2f9566a0795bde803ac3595efd0ea8ee628
SHA5126b8092832435737d0f3a83ef011806d40e4ec4d14dda75646438de994fea496fcf9ffae1caec37484fad4845ec6b00729063e3bb5045e48ad87af7592d82491b
-
Filesize
66KB
MD54b98ae4c246be900490850e70072dac1
SHA10de5251c324ffdfe680ffcf22332a957cec09a19
SHA256ab97b41eacb0c56a6f4f7ef8dc3f5ae9586ffde463f8aa9c1ac915bf812e08a9
SHA5127e7fb33e0f19403b2969645c7995437ac2716eab6644b651ee9bf63f48517516a7cba2e967e8ecdedee9354097e06d6a9513c19a77227b8cd9c74c2c92ad1fd0
-
Filesize
66KB
MD532a5603b9a7a98a6d199167cf4702f1e
SHA1951ad98fbc181ced8df7c691db7430e376eac44d
SHA256eff572585568c08f77996c546843cdbc5263a16c0859812d1a34589f8bcbf06d
SHA51241ba25449a9de161a9ab49e392a06afa4bc13197ef54a9cc95599dcb4296e9d34d7bc02e73548eb12c899d1cd05f9b5a460bdc2e6230b0338cca51894c6f3682
-
Filesize
66KB
MD5ab811bf7d8f35442921e8788af99a08e
SHA1059756a1ac95d097dab437346e7f88c49ce944f2
SHA2568811e9bc4971fd9d440dd12d1a13b84a37c68e44245fa05eff6b267e18a854c7
SHA5127d56738dda2aaa2b6ece6341d916fe0f7d57c4a997df771942cc8616db82b89213ec4ecd258a4feef52d05f8a10afb8b63e24be1fca381a2c9065809b1c82b29
-
Filesize
180KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB