Analysis
- max time kernel: 600s
- max time network: 362s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 22/06/2024, 22:23
- Static task: static1
- Behavioral task behavioral1: sample main.exe, resource win7-20240220-en
- Behavioral task behavioral2: sample main.exe, resource win10v2004-20240611-en
General
- Target: main.exe
- Size: 14.3MB
- MD5: e517e8e89b0217b712c2723bce9672a0
- SHA1: 240b45da252b8ba7555c0a89de3a0e3a9351e5fc
- SHA256: f20c519a5f2a470fa4fb325736b7a63f95a7ff3f40362992fb24993ad721b137
- SHA512: 48fb2fd308b278e47ff247f7eb025c2da805f040ff587edefca16570bc8ba876b5d6adc383c47b62e5fd33c255ae2edf1941cc98bc56fa609d74bc087bd942d9
- SSDEEP: 196608:jMhP4WgzpUmKAUTo4z3wVSIPLFFrL0AGtWT6U9:jyP2Oo40HLvL7Gty9
Malware Config
Extracted family: skuld
- Discord webhook: https://discord.com/api/webhooks/1254198620102594621/No6jloWQ57wzq3vilj1sf51CnodPLo51Rm4myHwx_3QsP6yctAWQozLZQ-NPJTX5tFpl
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by explorer.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by svchost.exe
- Executes dropped EXE (6 IoCs)
  pid / process: 2144 main.exe; 2556 icsys.icn.exe; 2600 explorer.exe; 2436 spoolsv.exe; 2448 svchost.exe; 2412 spoolsv.exe
- Loads dropped DLL (8 IoCs)
  pid / process: 3028 main.exe; 3028 main.exe; 2504 Process not Found; 3028 main.exe; 2556 icsys.icn.exe; 2600 explorer.exe; 2436 spoolsv.exe; 2448 svchost.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" by explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" by explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" by svchost.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" by svchost.exe
- Drops file in System32 directory (2 IoCs)
  File opened for modification C:\Windows\SysWOW64\explorer.exe by explorer.exe
  File opened for modification C:\Windows\SysWOW64\explorer.exe by svchost.exe
- Drops file in Windows directory (5 IoCs)
  File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe by main.exe
  File opened for modification \??\c:\windows\resources\themes\explorer.exe by icsys.icn.exe
  File opened for modification \??\c:\windows\resources\spoolsv.exe by explorer.exe
  File opened for modification \??\c:\windows\resources\svchost.exe by spoolsv.exe
  File opened for modification C:\Windows\Resources\tjud.exe by explorer.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 10 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / process: 1228 schtasks.exe; 1760 schtasks.exe; 240 schtasks.exe; 2816 schtasks.exe; 2352 schtasks.exe; 1304 schtasks.exe; 888 schtasks.exe; 2900 schtasks.exe; 1452 schtasks.exe; 1376 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process (each repeated many times, 64 entries in total): 3028 main.exe; 2556 icsys.icn.exe; 2600 explorer.exe; 2448 svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid / process: 2600 explorer.exe; 2448 svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid / process (each listed twice): 3028 main.exe; 2556 icsys.icn.exe; 2600 explorer.exe; 2436 spoolsv.exe; 2448 svchost.exe; 2412 spoolsv.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each relationship below appears four times in the raw output; listed once here with its procid_target:
  PID 3028 (main.exe) wrote to memory of 2144, procid_target 28
  PID 3028 (main.exe) wrote to memory of 2556, procid_target 30
  PID 2556 (icsys.icn.exe) wrote to memory of 2600, procid_target 31
  PID 2600 (explorer.exe) wrote to memory of 2436, procid_target 32
  PID 2436 (spoolsv.exe) wrote to memory of 2448, procid_target 33
  PID 2448 (svchost.exe) wrote to memory of 2412, procid_target 34
  PID 2600 (explorer.exe) wrote to memory of 3032, procid_target 35
  PID 2448 (svchost.exe) wrote to memory of 240, procid_target 36
  PID 2448 (svchost.exe) wrote to memory of 1228, procid_target 42
  PID 2448 (svchost.exe) wrote to memory of 2816, procid_target 44
  PID 2448 (svchost.exe) wrote to memory of 2352, procid_target 46
  PID 2448 (svchost.exe) wrote to memory of 1304, procid_target 48
  PID 2448 (svchost.exe) wrote to memory of 888, procid_target 50
  PID 2448 (svchost.exe) wrote to memory of 1760, procid_target 52
  PID 2448 (svchost.exe) wrote to memory of 2900, procid_target 54
  PID 2448 (svchost.exe) wrote to memory of 1452, procid_target 56
Processes
- C:\Users\Admin\AppData\Local\Temp\main.exe (PID 3028)
  command line: "C:\Users\Admin\AppData\Local\Temp\main.exe"
  signatures: Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\main.exe (PID 2144)
    command line: c:\users\admin\appdata\local\temp\main.exe
    signatures: Executes dropped EXE
  - C:\Windows\Resources\Themes\icsys.icn.exe (PID 2556)
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe (PID 2600)
      command line: c:\windows\resources\themes\explorer.exe
      signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe (PID 2436)
        command line: c:\windows\resources\spoolsv.exe SE
        signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe (PID 2448)
          command line: c:\windows\resources\svchost.exe
          signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe (PID 2412)
            command line: c:\windows\resources\spoolsv.exe PR
            signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\schtasks.exe (PID 240)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:25 /f
            signatures: Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\schtasks.exe (PID 1228)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:26 /f
            signatures: Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\schtasks.exe (PID 2816)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:27 /f
            signatures: Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\schtasks.exe (PID 2352)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:28 /f
            signatures: Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\schtasks.exe (PID 1304)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:29 /f
            signatures: Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\schtasks.exe (PID 888)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:30 /f
            signatures: Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\schtasks.exe (PID 1760)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:31 /f
            signatures: Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\schtasks.exe (PID 2900)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:32 /f
            signatures: Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\schtasks.exe (PID 1452)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:33 /f
            signatures: Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\schtasks.exe (PID 1376)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:34 /f
            signatures: Scheduled Task/Job: Scheduled Task
      - C:\Windows\Explorer.exe (PID 3032)
        command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads