Analysis
  max time kernel: 149s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 13/06/2024, 04:40
Static task: static1

Behavioral task: behavioral1
  Sample: f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe
  Resource: win10v2004-20240611-en
General
  Target: f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe
  Size: 84KB
  MD5: a459f8669aaa1b98f28b476812857165
  SHA1: 95ffbe1783b4292164899f05715ed6e03fe3b16e
  SHA256: f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd
  SHA512: c390924d5f731e1f2db441e094415a7cdd3fa5d0d96b7c0bdf3d0952926249a92dbe4140a38279305acc40ec403e95e9e029682e88817276224fca3a049525a1
  SSDEEP: 1536:RshfSWHHNvoLqNwDDGw02eQmh0HjWONhFdIHBw:GhfxHNIreQm+HiChFdIHBw
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1704  rundll32.exe
Loads dropped DLL (2 IoCs)
  pid 2224  f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe
  pid 2224  f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe
Modifies system executable filetype association (2 TTPs, 5 IoCs)
  The stock exefile handler is "%1" %* (run the target itself with its arguments). Both the sample and the dropped rundll32.exe rewrite it to ¢« "%1" %*, so every .exe launched through the shell is passed as an argument to a program named ¢« instead, which matches the file dropped as C:\Windows\SysWOW64\¢«.exe below. The characters "¢«" and "¢¬" are reproduced here as the report rendered them; they may be a mis-encoding of the actual names.
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  (rundll32.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  (rundll32.exe)
Drops file in System32 directory (4 IoCs)
  File opened for modification  C:\Windows\SysWOW64\¢«.exe  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  File created                  C:\Windows\SysWOW64\¢«.exe  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  File opened for modification  C:\Windows\SysWOW64\notepad¢¬.exe  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  File created                  C:\Windows\SysWOW64\notepad¢¬.exe  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
Drops file in Windows directory (2 IoCs)
  Note the path: C:\Windows\system\ rather than System32 or SysWOW64, so this rundll32.exe is a dropped binary named after the legitimate tool, not the Windows one. It is the PID 1704 process flagged under "Executes dropped EXE".
  File opened for modification  C:\Windows\system\rundll32.exe  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  File created                  C:\Windows\system\rundll32.exe  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
Modifies registry class (15 IoCs)
  Besides the exefile hijack, the txtfile handler is rewritten from notepad.exe to notepad¢¬ (the second dropped SysWOW64 file), and a new HKLM\Software\Classes\MSipv key is created. Its MainSetup and MainUp values, 1718253629, decode as the Unix time 2024-06-13 04:40:29 UTC, within a minute of the submission time, which is consistent with the sample recording its own install time there.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  (rundll32.exe)
  Key created      \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  Key created      \REGISTRY\MACHINE\Software\Classes\MSipv  (rundll32.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"  (rundll32.exe)
  Key created      \REGISTRY\MACHINE\Software\Classes\MSipv  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253629"  (rundll32.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"  (rundll32.exe)
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253629"  (rundll32.exe)
  Key created      \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command  (rundll32.exe)
  Key created      \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command  (rundll32.exe)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 2224  f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe  (14 events, all from this process)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1704  rundll32.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2224  f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe
  pid 1704  rundll32.exe
  pid 1704  rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2224 (f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe) wrote to memory of PID 1704 (procid_target 28), 7 events
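As an added check that is not part of the Triage report, the following Python audits registry "Set value" IoC lines in the format the signatures above use: it flags an exefile handler that is anything other than the stock "%1" %*, a txtfile handler whose program is not notepad.exe, and decodes the MSipv MainSetup/MainUp values as Unix timestamps for timeline work. The input lines are copied from the report; the stock handler strings, the MSipv value names treated as timestamps, and the treatment of the ¢« and ¢¬ bytes as literal (possibly mis-encoded) characters are the example's own assumptions.

```python
"""Audit registry IoC lines from a Triage report for file-association hijacks.

Added example, not part of the Triage report. Parses "Set value" lines in the
report's own format and flags handlers that deviate from stock Windows values.
"""
import re
from datetime import datetime, timezone

SAMPLE = "f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe"

# Constructed input: registry IoC lines copied from the report's signatures.
# The "¢«" / "¢¬" bytes are kept exactly as the report rendered them
# (assumption: they may be a mis-encoding of the real file names).
REPORT_LINES = [
    r'Key created \REGISTRY\MACHINE\Software\Classes\MSipv rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" rundll32.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" rundll32.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253629" rundll32.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253629" rundll32.exe',
]

# Set value (type) <key> = "<value>" <process>; inner quotes are backslash-escaped.
IOC_RE = re.compile(r'^Set value \((str|int)\) (\S+) = "((?:\\.|[^"\\])*)" (\S+)$')

# Key paths are compared lower-cased because the report mixes Software/SOFTWARE.
CLASSES = r"\registry\machine\software\classes"
EXEFILE_CMD = CLASSES + r"\exefile\shell\open\command"
TXTFILE_CMD = CLASSES + r"\txtfile\shell\open\command"
MSIPV = CLASSES + r"\msipv"
STOCK_EXEFILE = '"%1" %*'  # stock handler: run the target itself with its arguments


def parse_ioc(line):
    """Return dict(type, key, value, process), or None if the line is not a Set value IoC."""
    m = IOC_RE.match(line)
    if not m:
        return None
    kind, key, raw, proc = m.groups()
    return {
        "type": kind,
        "key": key.rstrip("\\").lower(),   # a trailing "\" means the key's (Default) value
        "value": raw.replace('\\"', '"'),  # undo the report's quote escaping
        "process": proc,
    }


def epoch_to_iso(value):
    """Render a decimal Unix timestamp as ISO-8601 UTC."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def audit(lines):
    """Return (finding, detail, process) tuples for every suspicious Set value line."""
    findings = []
    for line in lines:
        ioc = parse_ioc(line)
        if ioc is None:
            continue
        key, value, proc = ioc["key"], ioc["value"], ioc["process"]
        if key == EXEFILE_CMD:
            # Anything but the bare '"%1" %*' inserts a program in front of every .exe launch.
            if value != STOCK_EXEFILE:
                findings.append(("exefile_hijack", value, proc))
        elif key == TXTFILE_CMD:
            # The handler program is the first token; accept any path to notepad.exe.
            tokens = value.split()
            program = tokens[0].strip('"').lower() if tokens else ""
            if not program.endswith("notepad.exe"):
                findings.append(("txtfile_hijack", value, proc))
        elif key in (MSIPV + r"\mainsetup", MSIPV + r"\mainup"):
            # Assumption: these values are Unix times; decode them for the incident timeline.
            findings.append(("msipv_timestamp", epoch_to_iso(value), proc))
    return findings


if __name__ == "__main__":
    for finding, detail, proc in audit(REPORT_LINES):
        print(f"{finding:16} {proc:14} {detail}")
```

On a live Windows host the same comparison applies to the (Default) value read from HKLM\SOFTWARE\Classes\exefile\shell\open\command and ...\txtfile\shell\open\command; any exefile handler that is not exactly "%1" %* should be treated as a hijack until explained.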
Processes

  C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe  (PID 2224)
    command line: "C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe"
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system\rundll32.exe  (PID 1704, child of 2224)
      command line: C:\Windows\system\rundll32.exe
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 77KB
  MD5: 398da659a6d86561b69cdd15bddf04c7
  SHA1: 727745cf7edc35d0a430208e31078a3584029e5b
  SHA256: 1196a61f813ca5a5cc1f64d3756301cfad17ff83f6b620faa561e9bec60b7193
  SHA512: 39dc2474840512b19a2e8cb5df1fd360cfa9eb537a4ecf2b077f45f2eb703adbe14457dbe062ceb0d74572a24025bf1c5a45d51282a385badbac2568b1fdfcc7

  Filesize: 82KB
  MD5: 7d995fbc138b13e7ef7083c6b24da77c
  SHA1: 86b998bdaa2ca3db25c867b21b318309a2ea0205
  SHA256: 53b5b76fb7f76c557632f9cb5debd9f8c1389c0ddf34ed84d18cf5cd282578b6
  SHA512: 24b5212d50fec00c88b4eaa63f6bef8e18a6c4d895cfe57459bc179118da193dba6040477a29df15e7da29b65c6782adfbe03d3804ea85eff3ddf66118ee276a