Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 06/07/2024, 22:22
Static task: static1
Behavioral task: behavioral1
  Sample: 1ce476f82cee74231401b37a99650d40N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 1ce476f82cee74231401b37a99650d40N.exe
  Resource: win10v2004-20240704-en
General
Target: 1ce476f82cee74231401b37a99650d40N.exe
Size: 211KB
MD5: 1ce476f82cee74231401b37a99650d40
SHA1: 1208512288024ca2661eecd11f83ad171eca1588
SHA256: a5666de35d8333c1a91281efffa6eab92820850336566bb3de258ce9814d3891
SHA512: 0b770f9e5e05fb9ee47cd7dada684736c8c074a2b55f64a1f174db11082e1370a94fa63f884c7aaa83537c100c01e0a901ac5ed635e54dcbca7e46b1ecd92470
SSDEEP: 6144:gmKVGe1XIpQiU/ma3MB8hH2Tkp6bYnWcZVol0N5TzQ3:q71YpQiU/RcO1VQInVob
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2108  svchost.exe
Loads dropped DLL (2 IoCs)
  pid  Process
  832  1ce476f82cee74231401b37a99650d40N.exe
  832  1ce476f82cee74231401b37a99650d40N.exe
Modifies WinLogon (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\bd505609 = "C:\\Windows\\apppatch\\svchost.exe"
  Process: 1ce476f82cee74231401b37a99650d40N.exe
Drops file in Program Files directory (19 IoCs)
  description   ioc                                                   Process
  File created  C:\Program Files (x86)\Windows Defender\lymyxid.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\gadyciz.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\qetyhyg.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\galyqaz.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\gatyfus.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\pupycag.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\galynuh.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\lygyvuj.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\qetyfuv.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\vocyzit.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\pupydeq.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\lysyfyj.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\vonypom.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\gahyqah.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\lyrysor.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\qexyhuv.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\lyxynyx.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\vofycot.com  svchost.exe
  File created  C:\Program Files (x86)\Windows Defender\gahyhiz.com  svchost.exe
Drops file in Windows directory (2 IoCs)
  description                  ioc                             Process
  File created                 C:\Windows\apppatch\svchost.exe  1ce476f82cee74231401b37a99650d40N.exe
  File opened for modification  C:\Windows\apppatch\svchost.exe  1ce476f82cee74231401b37a99650d40N.exe
Modifies registry class (1 IoC)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\MuiCache
  Process: svchost.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2108  svchost.exe
Suspicious behavior: RenamesItself (1 IoC)
  pid  Process
  832  1ce476f82cee74231401b37a99650d40N.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                 pid   Process
  Token: SeSecurityPrivilege  832   1ce476f82cee74231401b37a99650d40N.exe
  Token: SeSecurityPrivilege  832   1ce476f82cee74231401b37a99650d40N.exe
  Token: SeSecurityPrivilege  2108  svchost.exe
  Token: SeSecurityPrivilege  2108  svchost.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                     pid  Process                                procid_target
  PID 832 wrote to memory of 2108  832  1ce476f82cee74231401b37a99650d40N.exe  30
  PID 832 wrote to memory of 2108  832  1ce476f82cee74231401b37a99650d40N.exe  30
  PID 832 wrote to memory of 2108  832  1ce476f82cee74231401b37a99650d40N.exe  30
  PID 832 wrote to memory of 2108  832  1ce476f82cee74231401b37a99650d40N.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\1ce476f82cee74231401b37a99650d40N.exe
  "C:\Users\Admin\AppData\Local\Temp\1ce476f82cee74231401b37a99650d40N.exe"
  PID: 832
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\apppatch\svchost.exe
    "C:\Windows\apppatch\svchost.exe"
    PID: 2108
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads