Analysis
max time kernel: 149s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/06/2024, 04:43
Static task: static1
Behavioral task: behavioral1
  Sample: 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Resource: win10v2004-20240508-en
General
Target: 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
Size: 76KB
MD5: 0def51919528f794a79273e47275cf60
SHA1: c7bb662a60983b8b6686d1642e9303bdc11eaea7
SHA256: 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6
SHA512: 6ea39fb99d14f7e4846602bb22d288bd24ee0a52cba451bf97dea1b8f275320e2bcb605133c37df51d4530f7d2a261fb8ad4c47d7008bfd71388770e83e6e416
SSDEEP: 768:agO5xRYi+SfSWHHNvvG5bnl/NqNwsKVDstHxYD0p1aXKynF0vQmYZS0HdJnfWOpM:RshfSWHHNvoLqNwDDGw02eQmh0HjWOu
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid  | Process
  1096 | rundll32.exe
Modifies system executable filetype association (2 TTPs, 5 IoCs)
  description     | ioc                                                                              | Process
  Key created     | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                    | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  | rundll32.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                    | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"     | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
Drops file in System32 directory (4 IoCs)
  description                  | ioc                                  | Process
  File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe    | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  File created                 | C:\Windows\SysWOW64\notepad¢¬.exe    | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  File opened for modification | C:\Windows\SysWOW64\¢«.exe           | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  File created                 | C:\Windows\SysWOW64\¢«.exe           | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
Drops file in Windows directory (2 IoCs)
  description                  | ioc                             | Process
  File opened for modification | C:\Windows\system\rundll32.exe  | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  File created                 | C:\Windows\system\rundll32.exe  | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
Modifies registry class (15 IoCs)
  description     | ioc                                                                              | Process
  Key created     | \REGISTRY\MACHINE\Software\Classes\MSipv                                         | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"  | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"  | rundll32.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\MSipv                                         | rundll32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253843"                | rundll32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253843"                   | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  | rundll32.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command                    | rundll32.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                    | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command                    | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"  | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"                         | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"     | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command                    | rundll32.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid  | Process
  2256 | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe (this same row is recorded 28 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  | Process
  1096 | rundll32.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid  | Process
  2256 | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  1096 | rundll32.exe
  1096 | rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        | pid  | Process                                                              | procid_target
  PID 2256 wrote to memory of 1096   | 2256 | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe | 85
  PID 2256 wrote to memory of 1096   | 2256 | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe | 85
  PID 2256 wrote to memory of 1096   | 2256 | 789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\789a71514aade8f27536ed4535d1bfd687efa498944f772800fbf779814d81d6.exe"
  - Modifies system executable filetype association
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2256
  C:\Windows\system\rundll32.exe
    Command line: C:\Windows\system\rundll32.exe
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID: 1096
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 82KB
MD5: b8c1a19aebb4b1ccc61ad661a898cfd4
SHA1: c75d1ce561835402c6063d4e21086803eab64fb7
SHA256: a99839cc8b12f0b6bd3552ade1ef276c44faee0264f34cd105ec22ca00e7fc6a
SHA512: 42282c44933fea3b5758db84614f32a4c7b2bfbba6d26297832d44c621966791e9a2a64aeadfde61b4661094f8bd6648e3fc828903a588a1a440cac12e6a0743

Filesize: 84KB
MD5: 4a7d8847234ef047de6dfb647e0b50c0
SHA1: 7a928e5362c7866ea530fa02e049e2e7c922d48a
SHA256: d6313d16d3181542e12c19c80166a61668459ed407782ef84d9a7131d97c4dd1
SHA512: 080524e24e1a78a385882f9592053a0fa373f4395163cd902841e5378c63d0e8fae3316a6c38a399af4438311611d1eac2ec158e27196d1d59b442dfa39d3b61