Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
08/07/2024, 22:25
General
-
Target
ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe
-
Size
2.6MB
-
MD5
2ca30af5c55fea6eb038cbb655a1676c
-
SHA1
a701d9464df02d1467b2a72557160c7b548206d5
-
SHA256
ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da
-
SHA512
fd7f6ae26c87724cff8eda2ae1d655fc0ab433a003989d187215bf7e48ebc5343c30a8accd2aa5ed98df0141a1502eb84ce5c04a9df223970fe4297168ee3e1c
-
SSDEEP
12288:LJKxMQJjOyjk0OpGiGkHnYoLXFgHAVXqlxcXqkQ9Y7otV94QHN72u16MoCWaGTvH:sMCFdeLy4QHZH1jFWhXwM
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies security service 2 TTPs 22 IoCs
-
Executes dropped EXE 23 IoCs
-
Loads dropped DLL 20 IoCs
-
Drops file in System32 directory 30 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs .reg file with regedit 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe"C:\Users\Admin\AppData\Local\Temp\ced3c02a87991cb0112d9b4a7d73e0f00c9a8791de01da3e36e57e4cbd0644da.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\buftemp1.exe"C:\Windows\buftemp1.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\buftemp1.exeC:\Windows\buftemp1.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg5⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\system32\Winextension.exe 480 "C:\Windows\buftemp1.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\SysWOW64\Winextension.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg7⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\system32\Winextension.exe 1104 "C:\Windows\SysWOW64\Winextension.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\SysWOW64\Winextension.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat8⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\system32\Winextension.exe 1104 "C:\Windows\SysWOW64\Winextension.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\SysWOW64\Winextension.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat10⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\system32\Winextension.exe 1104 "C:\Windows\SysWOW64\Winextension.exe"10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\SysWOW64\Winextension.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat12⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\system32\Winextension.exe 1104 "C:\Windows\SysWOW64\Winextension.exe"12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\SysWOW64\Winextension.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat14⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg15⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\system32\Winextension.exe 1104 "C:\Windows\SysWOW64\Winextension.exe"14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\SysWOW64\Winextension.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat16⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg17⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\system32\Winextension.exe 1104 "C:\Windows\SysWOW64\Winextension.exe"16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\SysWOW64\Winextension.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat18⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg19⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\system32\Winextension.exe 1104 "C:\Windows\SysWOW64\Winextension.exe"18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\SysWOW64\Winextension.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat20⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg21⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\system32\Winextension.exe 1100 "C:\Windows\SysWOW64\Winextension.exe"20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\SysWOW64\Winextension.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat22⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg23⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\system32\Winextension.exe 1104 "C:\Windows\SysWOW64\Winextension.exe"22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Winextension.exeC:\Windows\SysWOW64\Winextension.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat24⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg25⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\buftemp2.exe"C:\Windows\buftemp2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD55e073629d751540b3512a229a7c56baf
SHA18d384f06bf3fe00d178514990ae39fc54d4e3941
SHA2562039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e
SHA51284fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd
-
Filesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
Filesize
3KB
MD5117efa689c5631c1a1ee316f123182bd
SHA1f477bf1e9f4db8452bd9fe314cd18715f7045689
SHA25679ed2f9f9de900b4f0a4869fc5dd40f1dcfb11a3f50bd7a5f362b30fe51b52e7
SHA512abe34afa94cca236205e9ea954b95a78c986612cebd847f5146f792c00a5c58ca1fdc55be2befd974b5be77b1b117e28d8c4996f34b41c78b653725f21da4671
-
Filesize
1.8MB
MD56170bb1a8eb70f2c2f9a1473c004d6af
SHA1b329b644d02c4a350a3ce600b91cf568e33631d7
SHA2568cb592d6617e6065f53413f4e2270b2be619083c2365d0b73467550cb23a4421
SHA5129193130c53adda78c144687308c9e08ef6cd8933c940d96591212173a681d8103751332da8e5c9801760aabce29c1780498f08552892273f33e54d1ca1e4cd89
-
Filesize
36KB
MD5ef835a7dbc2f8c2358e772d4430f5210
SHA1f0af82f4271abf37ba45ad69c73f8109e4e03a38
SHA25676dbfc96d9ea63bfa7f716bb599fb8ae4fe9541a2c72f55bf2db7bea450e240f
SHA5125c141bf6bf29953dfaeb4d67a1efe42894518ba0812dd2422e3b2ce78cfe6d596e001d5c35691f4d352b7d5eca1b49386f9c79cf541f782c72c8da3ddb0fbaff
-
Filesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
4KB
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
636KB