Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
14/06/2024, 18:53
General
-
Target
01135d1cf63f250c023ff209d643e38893ac3ea28fa92e68a3b4905c2d3bf434.exe
-
Size
66KB
-
MD5
00cfdaf02d05e7e54723e44f1779768b
-
SHA1
58a6c9696a49c988639dc8a5c87d545a49a3fbdc
-
SHA256
01135d1cf63f250c023ff209d643e38893ac3ea28fa92e68a3b4905c2d3bf434
-
SHA512
b22618323a16fa83ba5c67eb1f30e28d64b86e1cef9fee12f6e3f337ab5f1f5d3819f66af2b7778033e2f772436da47695dadc75183ba2b97162de62a0f23dbc
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiH:IeklMMYJhqezw/pXzH9iH
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\01135d1cf63f250c023ff209d643e38893ac3ea28fa92e68a3b4905c2d3bf434.exe"C:\Users\Admin\AppData\Local\Temp\01135d1cf63f250c023ff209d643e38893ac3ea28fa92e68a3b4905c2d3bf434.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 18:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 18:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
C:\Windows\SysWOW64\at.exeat 18:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD5ba0bb0c513e659839806bd2f1da829bb
SHA1218655dc55f4831a2dfd326f0769894500c00a82
SHA256316900b2f3a4863defd0c5aada0187a129832367756e12c3a742db95cdbdf8f5
SHA51282275388a39861c0716b81d81c6013c7e7fd53ff38d2f186604b188aa2c384ff04632592243e39fca7dbd47289eff976c6b8c0d280047d130a791b0241cf24aa
-
Filesize
66KB
MD523f79933ba63efd3c1c2ef8d715cf3d6
SHA10627a5833958d38d709da3c412cfe1b7a9714c1d
SHA256eaabec8d668684488dde826a8d2f93253de1561ad69caed4665b1eec44fec24f
SHA5127c9cf1b3df4321239782ac93fb9563240a355e68cd9382f0313e5eaa2cd179be6b258f11508599d812237c792601947aeeecf63aeca6d7aa9079075dcbd3f9d1
-
Filesize
66KB
MD5b9c23751dc20b9c9654663e440edc4b2
SHA17a8bfd38f8adea16bad886fe6ba947df62fae0c3
SHA256a3b8d4c9a7ae6d6eb170b2dd824fb5b57c34706d65eac4a1e994f4fcc33b9965
SHA5127ff6c7be96424d45ad8283fd89734afb8186d2a50a78e7144eb26f67534226df83474088730e09a6259494c1d267cf03558f68b547ae872616fe8f50f2e785f6
-
Filesize
66KB
MD5accf4337ccf88cb25bb5df9fa89314d8
SHA1fabea4dd8661732af55a6885487db0e3c80821a0
SHA25634b85f39b81617dc60fdbf9686744277e591fff0de7c557271b59f26bb437032
SHA512e40b3dc4b02cc293af0aa75294139ee3f97f09cee1fbb563c0df079cde29f412182bcbe1e6b748be86e9e6b8696ef5e4d1d0bdc17644c8501a239a4ef00a6dd3
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
16KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
196KB
-
Filesize
1.3MB
-
Filesize
196KB