Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 16/06/2024, 00:52
Behavioral task: behavioral1
Sample: a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
Resource: win10v2004-20240611-en
General
Target: a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
Size: 2.5MB
MD5: 74cd7d9b53e908bcfb3c47524e941301
SHA1: a49cae44c318405c3a1d46d79112819f8631c876
SHA256: a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce
SHA512: 52d0d4d03c76c498f7a05520fa3d45bed8f493687e076ccea6f96ae7798bcb0e194ba0f67ce749306f1dd779670de38ed8f805b5d49d403e4b366b33a3d3c8d4
SSDEEP: 49152:YxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxg:Yxx9NUFkQx753uWuCyyxg
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Detects executables packed with Themida 17 IoCs
resource | yara_rule
behavioral1/memory/2140-0-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/files/0x005c0000000141ec-7.dat | INDICATOR_EXE_Packed_Themida
behavioral1/memory/2480-11-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/files/0x0008000000014318-16.dat | INDICATOR_EXE_Packed_Themida
behavioral1/memory/2668-23-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/files/0x00080000000143a0-30.dat | INDICATOR_EXE_Packed_Themida
behavioral1/memory/1436-35-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/memory/2140-36-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/memory/2468-44-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/memory/2468-49-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/memory/2668-51-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/memory/2140-53-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/memory/2480-54-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/memory/2480-55-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/memory/1436-56-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/memory/2480-61-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
behavioral1/memory/2480-67-0x0000000000400000-0x0000000000A0E000-memory.dmp | INDICATOR_EXE_Packed_Themida
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Executes dropped EXE 4 IoCs
pid | Process
2480 | explorer.exe
2668 | spoolsv.exe
1436 | svchost.exe
2468 | spoolsv.exe
Loads dropped DLL 4 IoCs
pid | Process
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2480 | explorer.exe
2668 | spoolsv.exe
1436 | svchost.exe
resource | yara_rule
behavioral1/memory/2140-0-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/files/0x005c0000000141ec-7.dat | themida
behavioral1/memory/2480-11-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/files/0x0008000000014318-16.dat | themida
behavioral1/memory/2668-23-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/files/0x00080000000143a0-30.dat | themida
behavioral1/memory/1436-35-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2140-36-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2468-44-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2468-49-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2668-51-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2140-53-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2480-54-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2480-55-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/1436-56-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2480-61-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2480-67-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Checks whether UAC is enabled 5 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid | Process
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2480 | explorer.exe
2668 | spoolsv.exe
1436 | svchost.exe
2468 | spoolsv.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2524 | schtasks.exe
804 | schtasks.exe
568 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
2480 | explorer.exe
1436 | svchost.exe
1436 | svchost.exe
1436 | svchost.exe
2480 | explorer.exe
2480 | explorer.exe
2480 | explorer.exe
1436 | svchost.exe
2480 | explorer.exe
2480 | explorer.exe
1436 | svchost.exe
1436 | svchost.exe
2480 | explorer.exe
1436 | svchost.exe
2480 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
1436 | svchost.exe
2480 | explorer.exe
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
2480 | explorer.exe
2480 | explorer.exe
2668 | spoolsv.exe
2668 | spoolsv.exe
1436 | svchost.exe
1436 | svchost.exe
2468 | spoolsv.exe
2468 | spoolsv.exe
Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target
PID 2140 wrote to memory of 2480 | 2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe | 28
PID 2140 wrote to memory of 2480 | 2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe | 28
PID 2140 wrote to memory of 2480 | 2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe | 28
PID 2140 wrote to memory of 2480 | 2140 | a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe | 28
PID 2480 wrote to memory of 2668 | 2480 | explorer.exe | 29
PID 2480 wrote to memory of 2668 | 2480 | explorer.exe | 29
PID 2480 wrote to memory of 2668 | 2480 | explorer.exe | 29
PID 2480 wrote to memory of 2668 | 2480 | explorer.exe | 29
PID 2668 wrote to memory of 1436 | 2668 | spoolsv.exe | 30
PID 2668 wrote to memory of 1436 | 2668 | spoolsv.exe | 30
PID 2668 wrote to memory of 1436 | 2668 | spoolsv.exe | 30
PID 2668 wrote to memory of 1436 | 2668 | spoolsv.exe | 30
PID 1436 wrote to memory of 2468 | 1436 | svchost.exe | 31
PID 1436 wrote to memory of 2468 | 1436 | svchost.exe | 31
PID 1436 wrote to memory of 2468 | 1436 | svchost.exe | 31
PID 1436 wrote to memory of 2468 | 1436 | svchost.exe | 31
PID 2480 wrote to memory of 2816 | 2480 | explorer.exe | 32
PID 2480 wrote to memory of 2816 | 2480 | explorer.exe | 32
PID 2480 wrote to memory of 2816 | 2480 | explorer.exe | 32
PID 2480 wrote to memory of 2816 | 2480 | explorer.exe | 32
PID 1436 wrote to memory of 2524 | 1436 | svchost.exe | 33
PID 1436 wrote to memory of 2524 | 1436 | svchost.exe | 33
PID 1436 wrote to memory of 2524 | 1436 | svchost.exe | 33
PID 1436 wrote to memory of 2524 | 1436 | svchost.exe | 33
PID 1436 wrote to memory of 804 | 1436 | svchost.exe | 38
PID 1436 wrote to memory of 804 | 1436 | svchost.exe | 38
PID 1436 wrote to memory of 804 | 1436 | svchost.exe | 38
PID 1436 wrote to memory of 804 | 1436 | svchost.exe | 38
PID 1436 wrote to memory of 568 | 1436 | svchost.exe | 40
PID 1436 wrote to memory of 568 | 1436 | svchost.exe | 40
PID 1436 wrote to memory of 568 | 1436 | svchost.exe | 40
PID 1436 wrote to memory of 568 | 1436 | svchost.exe | 40
Processes
C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a13d9f5029f6bb482dbed7bf5e3b607ab40c22475621b9bde1ae140a7827c2ce.exe"
  PID: 2140
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 2480
      - Modifies visibility of hidden/system files in Explorer
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe SE
          PID: 2668
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            \??\c:\windows\resources\svchost.exe
              Command line: c:\windows\resources\svchost.exe
              PID: 1436
              - Modifies visibility of hidden/system files in Explorer
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Drops file in System32 directory
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                \??\c:\windows\resources\spoolsv.exe
                  Command line: c:\windows\resources\spoolsv.exe PR
                  PID: 2468
                  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  - Checks BIOS information in registry
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  - Suspicious use of SetWindowsHookEx
                C:\Windows\SysWOW64\schtasks.exe
                  Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:54 /f
                  PID: 2524
                  - Creates scheduled task(s)
                C:\Windows\SysWOW64\schtasks.exe
                  Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:55 /f
                  PID: 804
                  - Creates scheduled task(s)
                C:\Windows\SysWOW64\schtasks.exe
                  Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:56 /f
                  PID: 568
                  - Creates scheduled task(s)
        C:\Windows\Explorer.exe
          Command line: C:\Windows\Explorer.exe
          PID: 2816
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (1)
Downloads
Filesize: 2.5MB
MD5: 8bfaeca276fe4fea189ea8f82f119694
SHA1: 981fcdb0a4fdde34c78fd6f56b677ea115d50db0
SHA256: 737765e68d65fc3c49691677e943a6d45a26e7c71a31b7e1350a29dbd43da810
SHA512: 506e3959de66e341bdbdbc8e16c78abea504e2b50f5c9a75a6f8bb0b132dc3991ddc7877070da82c17621420e590fdcea08c9ce56315901a849f6186ae82866b

Filesize: 2.5MB
MD5: 7b348f6d6220b8edbbc2f71576210172
SHA1: 4706dfc27707722162005d8fc354d7f16172fdf4
SHA256: 3d7a2cf634825aa8bf00a8124e42bcb32a8d446680edf994fbe1d4e3ec40af13
SHA512: d7850f5196c6f421645494b3262d4f0db4fecb284db914f0d699999531d0c4a99bba28fbd68136947c46624bed682e22421fce41dd98a1a03e089015e86b5524

Filesize: 2.5MB
MD5: 018349880479ef41059ab12ab15766be
SHA1: a0384f48eba661a553b2d7626dcc53c462d48b74
SHA256: 1709b641628dc5978b413608359a1eeb6f395687bebd32594c3215cf9b8b3e94
SHA512: f59360bf63c4b1bc38e079d04879401c01eaa7edb90805af2df469aa860d7f4d8742fb6cc3575fabeafc154372cad835b993be63924161bd117001483be3c1d1