Analysis
  max time kernel: 147s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240419-en
  resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  submitted: 13/06/2024, 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe
  Resource: win7-20240419-en
General
  Target: 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe
  Size: 1.6MB
  MD5: 70467670cda5878ec6d1670c4b395318
  SHA1: d32331447127bdf0656cf23a8587847c4251542a
  SHA256: 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888
  SHA512: 3a697125924e824223e30b0d04c4d2da1b00196900629f96cb78683cf6a42cd4a73a98df94126710cf139a6ddff472a7129167c91f8d11e891c26191c58414a4
  SSDEEP: 12288:Yq9Kz9XYHoV3/f13l+qefXfgaB2dj1z+Bhb3p18LB/0zHm8o:YUK6IV3/deYaB2djw3pSB0zG3
Malware Config
Signatures
UAC bypass
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe
Detects executables packed with or use KoiVM (1 IoC)
  resource: behavioral1/memory/2436-3-0x0000000000D20000-0x0000000000DBC000-memory.dmp
  yara_rule: INDICATOR_EXE_Packed_KoiVM
Adds policy Run key to start application (2 TTPs, 1 IoC)
  description: Key created
  ioc: \Registry\User\S-1-5-21-481678230-3773327859-3495911762-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  process: fontview.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid: 2412
  process: powershell.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\TNS4SFN8OB_ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
  process: fontview.exe
Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe

  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe
Suspicious use of SetThreadContext (4 IoCs)
  description | pid | process | procid_target
  PID 2436 set thread context of 2744 | 2436 | 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe | 32
  PID 2744 set thread context of 1192 | 2744 | iexplore.exe | 21
  PID 2744 set thread context of 2676 | 2744 | iexplore.exe | 34
  PID 2676 set thread context of 1192 | 2676 | fontview.exe | 21
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (33 IoCs)
  pid | process
  2412 | powershell.exe (1 entry)
  2744 | iexplore.exe (8 entries)
  2676 | fontview.exe (24 entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process
  2744 | iexplore.exe (1 entry)
  1192 | Explorer.EXE (2 entries)
  2676 | fontview.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2436 | 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe
  Token: SeDebugPrivilege | 2412 | powershell.exe
Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | process | procid_target
  PID 2436 wrote to memory of 2412 | 2436 | 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe | 28 (3 entries)
  PID 2436 wrote to memory of 2708 | 2436 | 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe | 30 (5 entries)
  PID 2436 wrote to memory of 2720 | 2436 | 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe | 31 (6 entries)
  PID 2436 wrote to memory of 2744 | 2436 | 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe | 32 (7 entries)
  PID 2436 wrote to memory of 2660 | 2436 | 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe | 33 (4 entries)
  PID 1192 wrote to memory of 2676 | 1192 | Explorer.EXE | 34 (4 entries)
System policy modification (1 TTP, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: 68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe
Processes
  [1] C:\Windows\Explorer.EXE
      cmd: "C:\Windows\Explorer.EXE"
      PID: 1192
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe"
        PID: 2436
        - UAC bypass
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

      [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\68a2c42f5e5c03827b424e1429170d79ea0529987ec07f4a2b76ef109bb7a888.exe" -Force
          PID: 2412
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [3] C:\Windows\System32\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe"
          PID: 2708

      [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
          cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
          PID: 2720

      [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
          cmd: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          PID: 2744
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection

      [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
          cmd: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          PID: 2660

    [2] C:\Windows\SysWOW64\fontview.exe
        cmd: "C:\Windows\SysWOW64\fontview.exe"
        PID: 2676
        - Adds policy Run key to start application
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (2)