Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13/06/2024, 04:39
Static task
static1
Behavioral task
behavioral1
Sample
57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe
Resource
win10v2004-20240611-en
General
-
Target
57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe
-
Size
73KB
-
MD5
e7d52959a61057093f2170bef8952832
-
SHA1
7bee65ed9e8ab33e24f640efc150d4126aa6a80e
-
SHA256
57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb
-
SHA512
d1924da35735aa9f45a6162deed6fd0fe52ccb130326197a163f042a82176dc4d8bb39e8dbeec69543c807a062554cde5f73d8a8f5220e3430a25e0dd25826e5
-
SSDEEP
768:agO5xRYi+SfSWHHNvvG5bnl/NqNwsKVDstHxYD0p1aXKynF0vQmYZS0HdJnfWO:RshfSWHHNvoLqNwDDGw02eQmh0HjWO
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2908 rundll32.exe -
Loads dropped DLL 2 IoCs
pid Process 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe -
Modifies system executable filetype association 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe File created C:\Windows\SysWOW64\notepad¢¬.exe 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe File opened for modification C:\Windows\SysWOW64\¢«.exe 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe File created C:\Windows\SysWOW64\¢«.exe 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system\rundll32.exe 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe File created C:\Windows\system\rundll32.exe 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\MSipv 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253567" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe Key created \REGISTRY\MACHINE\Software\Classes\MSipv rundll32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253567" rundll32.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2908 rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 2908 rundll32.exe 2908 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 112 wrote to memory of 2908 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 28 PID 112 wrote to memory of 2908 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 28 PID 112 wrote to memory of 2908 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 28 PID 112 wrote to memory of 2908 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 28 PID 112 wrote to memory of 2908 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 28 PID 112 wrote to memory of 2908 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 28 PID 112 wrote to memory of 2908 112 57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe"C:\Users\Admin\AppData\Local\Temp\57fddb1bef42e33ccee7e8d36af892b8635900cbd447748f4423ce013cf14fbb.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\system\rundll32.exeC:\Windows\system\rundll32.exe2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2908
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD5b70d9e2d4e2b819f7ead666f383ae114
SHA1305fd9da538eaf72d6b09e4dead67ef994853b4a
SHA256d8db2f6ab0d3deb5d60ad82e7cad2732ec3cb9446d126bf4a942b582dd54694c
SHA512fdbcd47463bbeee282cd2abe3fb74688a3b0ca0b8cdead38f3fdf3383d8e8494836654a5030545e5731cac0ef60f6847ef85c3fd1cd0cb03abdb6b74cc7fd150
-
Filesize
85KB
MD5a8747311056e7343e048e083726fbc5b
SHA10f742bc5f528ddbb5f8773f6297a5d352b3e5c69
SHA25616c3d64c4fff35f909c3392240464838a380559a6738e09836708b01e8aa81ca
SHA51260833a2dd7c35cc7672cb8d766ec7cacfd3f2fe1e01903ca4ed6f65ed6c1571c37ca8e30d9ada8b391607d311afbb931c84a430da57d43617e688d6ca7156c53