Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 121s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 06/07/2024, 12:38
Behavioral task: behavioral1
- Sample: 087f743efe2e8420ab817c555a232e50N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 087f743efe2e8420ab817c555a232e50N.exe
- Resource: win10v2004-20240704-en
General
- Target: 087f743efe2e8420ab817c555a232e50N.exe
- Size: 678KB
- MD5: 087f743efe2e8420ab817c555a232e50
- SHA1: a40fc725d117ae3350474615869e1de83f2ea09b
- SHA256: 940057ae2dd2e1532eebfd06c07b3c50344f27922692479076e267443a9edc17
- SHA512: 31623e2d8414a1596c23cbd9fd82d6f9e5bf5ab981351de67b1d4c49131420dadee851300953dcb986b4b27f23fd2320afb21b8c805983266a4601833e900002
- SSDEEP: 12288:7tKe6Zv23YLVFhBsC8iFHs+hsuQXIQVRpVnl3Bg5oiNaYzHvAR8:v6Zv2ivhBVnFvh5Q44+iiUKIa
Malware Config
Signatures
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983} | 087f743efe2e8420ab817c555a232e50N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mslyj32.exe" | 087f743efe2e8420ab817c555a232e50N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mslyj32.exe" | svchost.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2068 | svchost.exe
- Modifies system executable filetype association (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | 087f743efe2e8420ab817c555a232e50N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | svchost.exe
- resource | yara_rule
  behavioral1/memory/2120-0-0x0000000000400000-0x0000000000439000-memory.dmp | upx
  behavioral1/files/0x0008000000016ec4-5.dat | upx
  behavioral1/files/0x0008000000016d89-13.dat | upx
  behavioral1/memory/2120-14-0x0000000000400000-0x0000000000439000-memory.dmp | upx
  behavioral1/memory/2068-15-0x0000000000400000-0x0000000000439000-memory.dmp | upx
  behavioral1/memory/2068-16-0x0000000000400000-0x0000000000439000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | 087f743efe2e8420ab817c555a232e50N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | 087f743efe2e8420ab817c555a232e50N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe" | svchost.exe
- Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\vcl32.exe | 087f743efe2e8420ab817c555a232e50N.exe
  File created | C:\Windows\SysWOW64\mslyj32.exe | 087f743efe2e8420ab817c555a232e50N.exe
  File opened for modification | C:\Windows\SysWOW64\mslyj32.exe | 087f743efe2e8420ab817c555a232e50N.exe
  File created | C:\Windows\SysWOW64\concp32.exe | 087f743efe2e8420ab817c555a232e50N.exe
  File opened for modification | C:\Windows\SysWOW64\concp32.exe | 087f743efe2e8420ab817c555a232e50N.exe
  File created | C:\Windows\SysWOW64\vcl32.exe | 087f743efe2e8420ab817c555a232e50N.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\svchost.exe | 087f743efe2e8420ab817c555a232e50N.exe
  File opened for modification | C:\Windows\svchost.exe | 087f743efe2e8420ab817c555a232e50N.exe
- Modifies registry class (12 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983}\v = "165" | svchost.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 47756b1ef490ccec91520501f5fa4483 | 087f743efe2e8420ab817c555a232e50N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | svchost.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983}\u0 = 658663d26f8bad325217a06063847056939f558d910ed252e05dd0113550f7fc0f4da82ff73a0681ba604c2d4f23269f | svchost.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983}\u2 = a54a6b702f92fdf2acd57599e2ae1608015dff41aa020117fc9bd8e2dcf4340f3fa61eb55d6f28597df90602703809d4 | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983} | svchost.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983}\u1 = 551d2e0658054ba756fd3798fea5ffca42865cb762a31639dabd7f2cca44e226 | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983} | 087f743efe2e8420ab817c555a232e50N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32 | 087f743efe2e8420ab817c555a232e50N.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B97D04E2-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9 | 087f743efe2e8420ab817c555a232e50N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*" | 087f743efe2e8420ab817c555a232e50N.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2120 | 087f743efe2e8420ab817c555a232e50N.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2120 wrote to memory of 2068 | 2120 | 087f743efe2e8420ab817c555a232e50N.exe | 30
  PID 2120 wrote to memory of 2068 | 2120 | 087f743efe2e8420ab817c555a232e50N.exe | 30
  PID 2120 wrote to memory of 2068 | 2120 | 087f743efe2e8420ab817c555a232e50N.exe | 30
  PID 2120 wrote to memory of 2068 | 2120 | 087f743efe2e8420ab817c555a232e50N.exe | 30
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\087f743efe2e8420ab817c555a232e50N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\087f743efe2e8420ab817c555a232e50N.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2120
  - Path: C:\Windows\svchost.exe
    Command line: C:\Windows\svchost.exe
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies registry class
    PID: 2068
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
- Filesize: 678KB
  MD5: 97e478a99ea1eea5bcae912ccadf331b
  SHA1: 5ac6d2daa6b233a09e9688577769ef54cb79c931
  SHA256: 591968e624c54dac4cb05f8c727185ee5007c3457cdcc96aebbd8516320b4592
  SHA512: bb0c6a5b5c378884dee285f1ec47c845f3ef5b897f5d780711c183306fa4b44c7356b1f52dcb50955b59c045bf0581e005e6b1701bcac40110f3937c5fa82ea8
- Filesize: 681KB
  MD5: af7070f4266887ac641da2f6a596df15
  SHA1: 6b8cb8d2cccb224419b8c0dd545a9841d540a3df
  SHA256: 2e9182b0a567ebc9a2116c8b5a09c43763792c6842084f68fac4fe40e3e086da
  SHA512: 32ba397c18700a06c204ae1cf1cb7f3d1ce4546170cc5e41fb14940d01412261906099e19cb2885210a3c650f0709298b62e734767ff5f042f50ac38f5e64295