Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 10/06/2024, 14:33
Static task: static1
Behavioral task: behavioral1
  Sample: 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe
  Resource: win10v2004-20240508-en
General
Target: 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe
Size: 65KB
MD5: b737cc24c87f8c3668fa7790e294a298
SHA1: c2602aad84e8de707bab357d7eef482bb5df66db
SHA256: 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0
SHA512: 72c2f03013759a09dd37446d7cc185eefa70719cad213471e37e2feb86f2a43eaceefc7a58061d778d1c02fa3181cadb445b3d80f9ea5d71137b2976eaf9137d
SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuU:7WNqkOJWmo1HpM0MkTUmuU
Malware Config
Signatures
Note: the explorer.exe, spoolsv.exe and svchost.exe named as the acting process in the entries below are the dropped copies in c:\windows\system (PIDs 2228, 2720, 2772 and 2808 in the process tree), not the Windows binaries of the same name.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  [explorer.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  [svchost.exe]
  The Winlogon Shell value is a comma-separated list, so the dropped copy is started at every logon alongside the real explorer.exe while the desktop still looks normal.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [explorer.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [svchost.exe]
  ShowSuperHidden = 0 keeps files carrying both the hidden and system attributes out of Explorer listings.

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  [explorer.exe]
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  [svchost.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  [svchost.exe]
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  [svchost.exe]
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  [svchost.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  [svchost.exe]
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  [svchost.exe]
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  [explorer.exe]
  Active Setup StubPath commands run once per user at logon. Both component IDs here contain letters outside 0-9/A-F, so neither is a valid GUID; an Installed Components key whose name fails the {8-4-4-4-12} hexadecimal pattern, or whose StubPath points into a user profile, is a cheap indicator. No write to C:\Users\Admin\AppData\Roaming\mrsys.exe and no process from that path appear anywhere in this report; the path is only referenced.

Executes dropped EXE (4 IoCs)
  PID 2228 explorer.exe
  PID 2720 spoolsv.exe
  PID 2808 svchost.exe
  PID 2772 spoolsv.exe

Loads dropped DLL (8 IoCs)
  PID 2028 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe (2 entries)
  PID 2228 explorer.exe (2 entries)
  PID 2720 spoolsv.exe (2 entries)
  PID 2808 svchost.exe (2 entries)

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  [explorer.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  [explorer.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  [svchost.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  [svchost.exe]
  The RO, SE, PR and MR arguments seen in the RunOnce, StubPath and process command lines select the copy's startup mode; the report does not document their meaning.

Drops file in Windows directory (6 IoCs)
  File opened for modification \??\c:\windows\system\explorer.exe  [8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe]
  File opened for modification \??\c:\windows\system\spoolsv.exe  [explorer.exe]
  File opened for modification \??\c:\windows\system\svchost.exe  [spoolsv.exe]
  File opened for modification \??\c:\windows\system\explorer.exe  [explorer.exe]
  File opened for modification \??\c:\windows\system\svchost.exe  [svchost.exe]
  File opened for modification C:\Windows\system\udsys.exe  [explorer.exe]
  Every dropped file reuses the name of a Windows binary but lives in c:\windows\system rather than C:\Windows (explorer.exe) or System32/SysWOW64 (svchost.exe, spoolsv.exe). udsys.exe is written but never appears as a process in this run.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  One entry from PID 2028 (8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe); the remaining 63 alternate between PID 2228 (explorer.exe) and PID 2808 (svchost.exe).

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 2228 explorer.exe
  PID 2808 svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  PID 2028 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe (2 entries)
  PID 2228 explorer.exe (4 entries)
  PID 2720 spoolsv.exe (2 entries)
  PID 2808 svchost.exe (2 entries)
  PID 2772 spoolsv.exe (2 entries)

Suspicious use of WriteProcessMemory (28 IoCs)
  PID 2028 (8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe) wrote to memory of PID 2228, procid_target 28 (4 entries)
  PID 2228 (explorer.exe) wrote to memory of PID 2720, procid_target 29 (4 entries)
  PID 2720 (spoolsv.exe) wrote to memory of PID 2808, procid_target 30 (4 entries)
  PID 2808 (svchost.exe) wrote to memory of PID 2772, procid_target 31 (4 entries)
  PID 2808 (svchost.exe) wrote to memory of PID 2392, procid_target 32 (4 entries)
  PID 2808 (svchost.exe) wrote to memory of PID 1500, procid_target 36 (4 entries)
  PID 2808 (svchost.exe) wrote to memory of PID 1760, procid_target 38 (4 entries)
  Each write goes from a parent into the child it has just spawned (compare the process tree); no write into an unrelated process is recorded, so this reflects process creation rather than injection into a running process.
Processes
C:\Users\Admin\AppData\Local\Temp\8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe"
  PID: 2028
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  +- \??\c:\windows\system\explorer.exe
       command line: c:\windows\system\explorer.exe
       PID: 2228
       - Modifies WinLogon for persistence
       - Modifies visibility of hidden/system files in Explorer
       - Modifies Installed Components in the registry
       - Executes dropped EXE
       - Loads dropped DLL
       - Adds Run key to start application
       - Drops file in Windows directory
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: GetForegroundWindowSpam
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
       +- \??\c:\windows\system\spoolsv.exe
            command line: c:\windows\system\spoolsv.exe SE
            PID: 2720
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            +- \??\c:\windows\system\svchost.exe
                 command line: c:\windows\system\svchost.exe
                 PID: 2808
                 - Modifies WinLogon for persistence
                 - Modifies visibility of hidden/system files in Explorer
                 - Modifies Installed Components in the registry
                 - Executes dropped EXE
                 - Loads dropped DLL
                 - Adds Run key to start application
                 - Drops file in Windows directory
                 - Suspicious behavior: EnumeratesProcesses
                 - Suspicious behavior: GetForegroundWindowSpam
                 - Suspicious use of SetWindowsHookEx
                 - Suspicious use of WriteProcessMemory
                 +- \??\c:\windows\system\spoolsv.exe
                      command line: c:\windows\system\spoolsv.exe PR
                      PID: 2772
                      - Executes dropped EXE
                      - Suspicious use of SetWindowsHookEx
                 +- C:\Windows\SysWOW64\at.exe
                      command line: at 14:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                      PID: 2392
                 +- C:\Windows\SysWOW64\at.exe
                      command line: at 14:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                      PID: 1500
                 +- C:\Windows\SysWOW64\at.exe
                      command line: at 14:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                      PID: 1760

The chain is dropper (2028) -> explorer.exe (2228) -> spoolsv.exe SE (2720) -> svchost.exe (2808), which in turn starts spoolsv.exe PR (2772) and three at.exe jobs. /every:M,T,W,Th,F,S,Su is a daily schedule and /interactive lets the job touch the desktop; the jobs fire at 14:35, 14:36 and 14:37, two to four minutes after the 14:33 submission, so the dropped svchost.exe is re-launched by the Task Scheduler within the analysis window and again every day. at.exe is deprecated in favour of schtasks.exe on Windows 8 and later; this tree is from the Windows 7 task.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
All four dropped files are 65KB, the same size as the submitted sample, yet none shares a hash with the sample or with each other, so the copies are not byte-identical to the original.

Filesize: 65KB
MD5: 6688944cc4d6771d943e23b2c8137cf3
SHA1: 912b5668882e2c150a88293649a01cf5595356bb
SHA256: 6b25b800070d28045204cfaa78d30f98e4b9cc865272b164e094d9d6ec3b8676
SHA512: 0ebf776ab521394961aee65eda0d921621a262286951401e3626e7bec99128c0ec125cecfc7e7fb7ea4f37d32e3b2bfbd06c6ebbb0e7453393ac2bfd4a0b9e2f

Filesize: 65KB
MD5: da6158da4dc9e6cfdf74e99cbe598111
SHA1: 70407a0caf6a6f1e496a863d8e79d5ee2ae9cbab
SHA256: 12be00aedefef3c75ec9c62168828cf9604d459ad985f3b6e9bebb8941345c84
SHA512: f8988c17e2e6f6f10e3a70b2374efe35c1b4d2187b7fed68eca9aeb9532eacb7dd17b25fff6160265b18c8eb79b6aaf0dc1510d3074709c446afa1662c58147f

Filesize: 65KB
MD5: b55b2b835a36756d259978b34b0ad5f4
SHA1: 9b7057f5e83906a391d4fadfa7c427200367789d
SHA256: b8538fc4beb3f23081adb5b80be4c29f0fb6cb5994a78c5ef5eb9aca3c8a1584
SHA512: e7373f0ab7ba0c4255188eebde063493df382bf9ad7b0062cd52a346654b3547b4710bcd92eb3a39a9a34b6fac1ac4807210109b6cd3a5ad753aba150743e428

Filesize: 65KB
MD5: 642ec0455fd9aa637239a89e6d85cef6
SHA1: 035378b8d7e6582ecfaa52656670787e3c586a10
SHA256: 0a5912b713e2d83bc9707d42d7f3ea43bbc8897db54d54367dd575fe2d5811a6
SHA512: b07ca3b4c13e84faa820d3792628ea162a3df79cf48cc00c07f4a01b3772c973f1bc1b4e4baf9b31d9222981efd19454ca4772182734f84af0035e98411381fc