Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 143s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 12/06/2024, 04:55
Behavioral task behavioral1
Sample: d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
Resource: win7-20231129-en
Behavioral task behavioral2
Sample: d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
Resource: win10v2004-20240508-en
All signature hits and process data below come from behavioral1 (the Windows 7 run); no behavioral2 (Windows 10) results appear on this page.
General
Target: d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
Size: 888KB
MD5: 549280b03746fe46670a1dc30a3ab699
SHA1: cad67c6841544445e6ab2b0b28dee9810bb2a4ac
SHA256: d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513
SHA512: fd0546210bfd2b327aa79f433e82247806fa5157906db48316f590e7dd2a7d543540d794467ea187e8f109d978a1428491dc50bdf2d05f1b7c0a91b31ca34bf6
SSDEEP: 24576:TkU0mTUajtBfRPJk2NzEdh2QljOBOoDHFGrTCiBZB:gmpjRBtZm2UC1lGrv
Malware Config
Signatures
-
Detects executables packed with VMProtect (6 IoCs)
resource: yara_rule
- behavioral1/memory/2964-0-0x0000000000400000-0x00000000006BD000-memory.dmp: INDICATOR_EXE_Packed_VMProtect
- behavioral1/memory/2964-2-0x0000000000400000-0x00000000006BD000-memory.dmp: INDICATOR_EXE_Packed_VMProtect
- behavioral1/files/0x000a000000015f7a-5.dat: INDICATOR_EXE_Packed_VMProtect
- behavioral1/memory/2996-14-0x0000000000400000-0x00000000006BD000-memory.dmp: INDICATOR_EXE_Packed_VMProtect
- behavioral1/memory/2964-20-0x0000000000400000-0x00000000006BD000-memory.dmp: INDICATOR_EXE_Packed_VMProtect
- behavioral1/memory/2996-34-0x0000000000400000-0x00000000006BD000-memory.dmp: INDICATOR_EXE_Packed_VMProtect
The rule fires on the dropped file and on the in-memory images of PID 2964 (the sample) and PID 2996 (the dropped svchost.exe), which occupy the same image range 0x400000-0x6BD000; the dropped svchost.exe is therefore itself a VMProtect-packed PE rather than an already-unpacked payload. That range is 0x2BD000 bytes (about 2.7 MiB) of mapped image for an 888 KB file, the large virtual footprint typical of a packer stub that decompresses into memory.
Executes dropped EXE (2 IoCs)
pid / Process:
- 2996 svchost.exe
- 2172 svchost.exe
Loads dropped DLL (4 IoCs)
pid / Process:
- 2964 d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe (2 hits)
- 2996 svchost.exe (2 hits)
Second VMProtect yara match (tag: vmprotect, 6 IoCs; the same six resources as above)
resource: yara_rule
- behavioral1/memory/2964-0-0x0000000000400000-0x00000000006BD000-memory.dmp: vmprotect
- behavioral1/memory/2964-2-0x0000000000400000-0x00000000006BD000-memory.dmp: vmprotect
- behavioral1/files/0x000a000000015f7a-5.dat: vmprotect
- behavioral1/memory/2996-14-0x0000000000400000-0x00000000006BD000-memory.dmp: vmprotect
- behavioral1/memory/2964-20-0x0000000000400000-0x00000000006BD000-memory.dmp: vmprotect
- behavioral1/memory/2996-34-0x0000000000400000-0x00000000006BD000-memory.dmp: vmprotect
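Both VMProtect matches above (the yara hit on the dropped file and on the memory dumps) can be reproduced offline with a light static check. The following is an added example, not tria.ge's code and not the ruleset the sandbox runs; it assumes VMProtect's default `.vmp0`/`.vmp1` section names as the name indicator, and because the sample itself is not on this page it builds constructed PE32 skeletons to run against.

```python
"""Static triage for VMProtect-style packing: section names plus byte entropy.

Added example (not tria.ge's or the sample author's code). Only the PE section
table is parsed, with the standard library, so it needs neither pefile nor the
real sample; SAMPLE_PACKED / SAMPLE_CLEAN below are constructed stand-ins.
"""
import hashlib
import math
import struct

# VMProtect's default output sections are named .vmp0 / .vmp1; the yara rule in the
# report looks for the same strings. Name matching is a heuristic: a packer can rename them.
VMP_SECTION_PREFIX = ".vmp"
# Compressed or encrypted data sits near 8 bits/byte; plain x86 code is usually 5.5-6.5.
ENTROPY_THRESHOLD = 7.0
MIN_SECTION_BYTES = 512  # entropy of tiny sections is noise


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty or constant buffer, close to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(name, virtual_size, raw_bytes)] from the IMAGE_SECTION_HEADER array."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER follows the signature
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                         # section headers, 40 bytes each
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(pe: bytes) -> dict:
    """Flag VMProtect section names and high-entropy sections; a hint, never proof on its own."""
    secs = parse_sections(pe)
    vmp = [n for n, _, _ in secs if n.startswith(VMP_SECTION_PREFIX)]
    dense = [n for n, _, d in secs
             if len(d) >= MIN_SECTION_BYTES and shannon_entropy(d) >= ENTROPY_THRESHOLD]
    return {"sections": [n for n, _, _ in secs], "vmprotect_section_names": vmp,
            "high_entropy_sections": dense, "likely_packed": bool(vmp) or bool(dense)}


def build_fake_pe(sections) -> bytes:
    """Constructed PE32 skeleton (valid DOS/COFF headers, zeroed optional header) for testing."""
    opt_size, n = 0xE0, len(sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    headers_end = 64 + 4 + 20 + opt_size + 40 * n
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF                     # FileAlignment 0x200
    table, blobs, vaddr = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             len(data), raw_ptr + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += data
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table
    return image + bytes(raw_ptr - len(image)) + blobs


# Constructed section contents: repetitive text stands in for ordinary code, a deterministic
# hash stream stands in for the encrypted virtual-machine bytecode a VMProtect stub carries.
LOW_ENTROPY = b"mov eax, [ebp+8]; call dword ptr [0x401000]; ret\n" * 100
HIGH_ENTROPY = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

SAMPLE_PACKED = build_fake_pe([(b".text", LOW_ENTROPY), (b".vmp0", HIGH_ENTROPY), (b".vmp1", HIGH_ENTROPY)])
SAMPLE_CLEAN = build_fake_pe([(b".text", LOW_ENTROPY), (b".data", LOW_ENTROPY)])

if __name__ == "__main__":
    print(triage(SAMPLE_PACKED))
    print(triage(SAMPLE_CLEAN))
```

Run `triage(open(path, "rb").read())` against a real file to get the same two indicators the sandbox reports; a high-entropy section with no `.vmp` name still means "packed or encrypted by something", so treat the entropy result as a reason to unpack, not as a family attribution.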
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings (1 IoC)
description / ioc / Process:
- Key created: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main (svchost.exe)
Creation of the Internet Explorer\Main key with no value written is commonly a side effect of a process initialising WinINet/urlmon for HTTP, not evidence of deliberate browser tampering.
Modifies system certificate store (3 IoCs)
description / ioc / Process:
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (binary value not shown on this page) (svchost.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (binary value not shown on this page) (svchost.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C (svchost.exe)
AuthRoot is the container that Windows' automatic root-certificate update (CAPI2) populates on demand, and B1BC968BD4F49D622AA89A81F2150152A41D829C is the SHA-1 thumbprint of the GlobalSign Root CA (R1). Writes there usually mean the process made a TLS connection whose chain ended in a root not yet cached locally and Windows fetched it; a root installed by malware would more typically land in the ROOT container (SystemCertificates\ROOT\Certificates). Treat this as a sign of outbound HTTPS activity to corroborate against network data, not as certificate-store tampering on its own.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (hit counts):
- 2964 d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe: 3
- 2996 svchost.exe: 3
- 2172 svchost.exe: 58 (all remaining hits)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege: 2964 d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
- Token: SeDebugPrivilege: 2996 svchost.exe
- Token: SeDebugPrivilege: 2172 svchost.exe
Every stage enables SeDebugPrivilege, the right needed to open system and other users' processes for memory access. It can only be enabled in a token that already holds it, which by default means an Administrators token (the sandbox user here is Admin); together with the process-enumeration rows above this is the usual prelude to reading or writing other processes.
Suspicious use of FindShellTrayWindow (4 IoCs)
pid / Process:
- 2964 d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe
- 2996 svchost.exe
- 1764 DllHost.exe (2 hits)
Suspicious use of SetWindowsHookEx (12 IoCs)
pid / Process (hit counts):
- 2964 d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe: 4
- 2996 svchost.exe: 6
- 2172 svchost.exe: 2
Suspicious use of WriteProcessMemory (8 IoCs)
description / pid / Process / procid_target:
- PID 2964 wrote to memory of 2996 (d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe into svchost.exe): 4 writes, procid_target 28
- PID 2996 wrote to memory of 2172 (svchost.exe into svchost.exe): 4 writes, procid_target 31
Each parent writes into the child it has just created. CreateProcess itself writes the new process's parameters into the child, so a few writes to a freshly spawned child are not by themselves proof of code injection; what these rows do establish is the lineage 2964 to 2996 to 2172 shown in the process tree.
Processes
- C:\Users\Admin\AppData\Local\Temp\d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe (PID 2964, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2996, depth 2, child of 2964)
    command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\data\svchost.exe (PID 2172, depth 3, child of 2996)
      command line: "C:\data\svchost.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe (PID 1764, depth 1, no recorded parent link to the sample)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Two processes named svchost.exe run from %TEMP% and from C:\data\. The genuine Service Host lives only in C:\Windows\System32 and C:\Windows\SysWOW64 and is started by services.exe, so a svchost.exe in either of these paths, spawned by a user-land executable, is the clearest host-based indicator on this page; the name is chosen to blend into process listings. The chain 2964 to 2996 to 2172 matches the WriteProcessMemory rows. DllHost.exe is a separate root-level COM surrogate with no parent link to the sample in this tree, so its FindShellTrayWindow hit should not be attributed to the sample on this evidence alone.
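The masquerading and lineage observations above translate directly into a host-side detection. The following is an added example, not tria.ge's code and not a rule the sandbox applies: it runs over constructed Sysmon-style process-creation records built from the process tree and WriteProcessMemory rows on this page. The parent PIDs of the sample (2964) and of DllHost (1764), and the benign svchost.exe and services.exe records, are not on the page and are assumed so that the negative cases can be exercised.

```python
"""Flag svchost.exe masquerading and reconstruct process lineage from creation events.

Added example (not tria.ge's code). EVENTS is constructed from the report's process
tree; the records marked 'assumed' are not on the page.
"""
import ntpath

# The only directories a genuine svchost.exe is installed to on a default Windows.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# A genuine svchost.exe is started by the Service Control Manager. Treated as a signal,
# not a hard rule: some security products and sandboxes start service hosts differently.
SERVICES_EXE = r"c:\windows\system32\services.exe"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513.exe"
DLLHOST_CMD = r"C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}"

# Constructed Sysmon EID 1-style records (minimal field subset).
EVENTS = [
    {"pid": 480, "ppid": 400, "image": r"C:\Windows\System32\wininit.exe", "cmdline": "wininit.exe"},          # assumed
    {"pid": 600, "ppid": 480, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},        # assumed
    {"pid": 900, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k DcomLaunch"},  # assumed, benign
    {"pid": 1288, "ppid": 1200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},               # assumed
    {"pid": 2964, "ppid": 1288, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},                                    # ppid assumed
    {"pid": 2996, "ppid": 2964, "image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'},
    {"pid": 2172, "ppid": 2996, "image": r"C:\data\svchost.exe", "cmdline": r'"C:\data\svchost.exe"'},
    {"pid": 1764, "ppid": 900, "image": r"C:\Windows\SysWOW64\DllHost.exe", "cmdline": DLLHOST_CMD},          # ppid assumed
]


def is_masquerading_svchost(ev: dict, by_pid: dict) -> list:
    """Reasons this event looks like a fake svchost.exe; an empty list means it passed."""
    image = ev["image"].lower()
    if ntpath.basename(image) != "svchost.exe":
        return []
    reasons = []
    if ntpath.dirname(image) not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"svchost.exe outside System32/SysWOW64: {ev['image']}")
    parent = by_pid.get(ev["ppid"])
    if parent is None or parent["image"].lower() != SERVICES_EXE:
        who = parent["image"] if parent else "unknown"
        reasons.append(f"parent is {who}, not services.exe")
    return reasons


def lineage(by_pid: dict, pid: int) -> list:
    """Follow ppid links from pid back to the oldest process we have a record for, oldest first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards against PID reuse loops
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def analyze(events: list) -> dict:
    """Return flagged PIDs with their reasons, and the ancestry chain of each flagged process."""
    by_pid = {e["pid"]: e for e in events}
    flagged = {}
    for e in events:
        reasons = is_masquerading_svchost(e, by_pid)
        if reasons:
            flagged[e["pid"]] = reasons
    return {"flagged": flagged, "chains": {pid: lineage(by_pid, pid) for pid in flagged}}


if __name__ == "__main__":
    result = analyze(EVENTS)
    for pid, reasons in result["flagged"].items():
        print(pid, " -> ".join(map(str, result["chains"][pid])))
        for r in reasons:
            print("   ", r)
```

On the constructed input this flags 2996 and 2172 (both the path and the parent check fire for each), leaves the DcomLaunch svchost.exe untouched, and reconstructs the chain 2964 to 2996 to 2172; DllHost 1764 is never flagged and its chain does not pass through 2964, which is the point made about it above. On a real estate the same two checks are a few lines in Sysmon or Sigma; the parent check is the one to tune, since it is the one that produces false positives.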
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 29KB
  MD5: d626e7d19ac19339b2522c3ee500f82c
  SHA1: d6ce546819d97cb27c344835ed78370236ee46f1
  SHA256: 787599a00d40cc58f29f3bff553a6750c9aba756250fe5710464fb717352bacf
  SHA512: 55fae601063e517c5a272556a968e1b835ae3e243241c16fd3fa70268e9a9c697641d80bda0560475f2d6e455475d6e8defdc06d3f4b26151271809f4e92fe7f
- Filesize: 49KB
  MD5: 81a1e5baff44012bc98c3cabd2fd38e7
  SHA1: 151b386ab287e34e0b1eae328eb8e8ced13b2783
  SHA256: f03127e9305daebf6bfa58e5b81332c332a681f29b26036b326bc314b2f53ff2
  SHA512: 1ff56afc51a05cf5d0bfb17823e72247f585afcf4f9ac51dea11f9cfa6455e3f36e92bc7786cdc3c740270b6a3c4314c1ee6088fc86377e03fef9228b5ea361d
- Filesize: 888KB
  MD5: 549280b03746fe46670a1dc30a3ab699
  SHA1: cad67c6841544445e6ab2b0b28dee9810bb2a4ac
  SHA256: d8cbac419dac0477d663618f9c833d669344cdf30deea3cbff9a17afca925513
  SHA512: fd0546210bfd2b327aa79f433e82247806fa5157906db48316f590e7dd2a7d543540d794467ea187e8f109d978a1428491dc50bdf2d05f1b7c0a91b31ca34bf6
- Filesize: 592KB
  MD5: c42b775ea210a4f960790c96b6efd226
  SHA1: 8503f263a4c9493242ece9e53c6a0df4430188cd
  SHA256: f56b1a316f19573b5a9eab6a884e6f274f58c5c9c93022e19e9b53c4126ea2d3
  SHA512: f83874d170dc5d8931db65a84ad21d70807ff4d3fac5c6001a8bd99167f99f5603f3421235430181648c250d29941b7e28c15c7c0b5570c5089f7c268193bf5f
The 888KB entry is the submitted sample itself (its MD5, SHA1, SHA256 and SHA512 are identical to the General section). The page does not state which of the remaining entries corresponds to the dropped svchost.exe or to the dropped DLLs, so map them by hash against the files recovered from the sandbox rather than by size.