Analysis
  max time kernel: 150s
  max time network: 148s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 09/07/2024, 05:07
Static task
  static1

Behavioral task
  behavioral1
    Sample: 2df807a290d3c5994e51f223d7c1a5d0N.exe
    Resource: win7-20240704-en

Behavioral task
  behavioral2
    Sample: 2df807a290d3c5994e51f223d7c1a5d0N.exe
    Resource: win10v2004-20240704-en
General
  Target: 2df807a290d3c5994e51f223d7c1a5d0N.exe
  Size: 237KB
  MD5: 2df807a290d3c5994e51f223d7c1a5d0
  SHA1: 73d2c017077e28a9d1789331fac1638287782e88
  SHA256: 8ec6916adfac9da627a7dc82e3bcb34c792501a74da35e0c9181d1a16345f661
  SHA512: 30c0cd841cfe5e45725710608ed75cd9dee0ac4375a1756a343316e657d336693c0186592f5e43aa29cfd1137765550b2b99efa0480d008056d9f192b30f96a3
  SSDEEP: 6144:AD8okEvTyoZVOgd2QZiw5NLclL5orfQH:CsjCF2QZiOU+4
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Winlogon launches every executable listed in the Userinit value at each interactive logon, so appending the dropped copy here gives it a start with every user session. Note that the write is made by the dropped svchost.exe, not by the original sample.
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
  Process: svchost.exe

Executes dropped EXE (1 IoC)
  PID: 2296
  Process: svchost.exe

Loads dropped DLL (2 IoCs)
  PID: 2224
  Process: 2df807a290d3c5994e51f223d7c1a5d0N.exe
  PID: 2224
  Process: 2df807a290d3c5994e51f223d7c1a5d0N.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
  4442d7dd is not a value name Winlogon consumes; the signature fires on any write under the Winlogon key. The same value is written first by the sample and then again by the dropped copy.
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4442d7dd = "C:\\Windows\\apppatch\\svchost.exe"
  Process: 2df807a290d3c5994e51f223d7c1a5d0N.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\4442d7dd = "C:\\Windows\\apppatch\\svchost.exe"
  Process: svchost.exe

Drops file in Windows directory (2 IoCs)
  The dropped file reuses the name of a Windows system binary (svchost.exe) but is written to C:\Windows\apppatch rather than System32 or SysWOW64.
  Description: File created
  IoC: C:\Windows\apppatch\svchost.exe
  Process: 2df807a290d3c5994e51f223d7c1a5d0N.exe
  Description: File opened for modification
  IoC: C:\Windows\apppatch\svchost.exe
  Process: 2df807a290d3c5994e51f223d7c1a5d0N.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID: 2296
  Process: svchost.exe

Suspicious behavior: RenamesItself (1 IoC)
  PID: 2224
  Process: 2df807a290d3c5994e51f223d7c1a5d0N.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Four identical events: the original sample (PID 2224) writes into the memory of the dropped svchost.exe (PID 2296) that it spawns.
  Description: PID 2224 wrote to memory of 2296
  PID: 2224
  Process: 2df807a290d3c5994e51f223d7c1a5d0N.exe
  procid_target: 28
  Description: PID 2224 wrote to memory of 2296
  PID: 2224
  Process: 2df807a290d3c5994e51f223d7c1a5d0N.exe
  procid_target: 28
  Description: PID 2224 wrote to memory of 2296
  PID: 2224
  Process: 2df807a290d3c5994e51f223d7c1a5d0N.exe
  procid_target: 28
  Description: PID 2224 wrote to memory of 2296
  PID: 2224
  Process: 2df807a290d3c5994e51f223d7c1a5d0N.exe
  procid_target: 28
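The two registry indicators above (an extra executable appended to Winlogon\Userinit, and an svchost.exe living under C:\Windows\apppatch) can be checked from a registry export or on a live host. The following is an added example written for this page, not Triage's own tooling: the REPORT_WINLOGON values are copied from the IoCs above, while SYSTEM_DIRS (a default install on C:) and the stock "Shell" entry are assumptions for contrast.

```python
"""Audit helpers for the two registry indicators in this report: an extra
executable appended to Winlogon\\Userinit and an svchost.exe running from
C:\\Windows\\apppatch instead of a system directory.

Added example, not Triage output. The REPORT_WINLOGON values are copied from
the report's IoCs; SYSTEM_DIRS and the 'Shell' entry are assumptions about a
default Windows install on C:."""
import ntpath
import os

# Directories where userinit.exe and svchost.exe legitimately live (assumption:
# default C: install; expand %SystemRoot% first when reading a live host).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Winlogon values recorded in this report, plus a constructed stock Shell value.
REPORT_WINLOGON = {
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\apppatch\svchost.exe,",
    "4442d7dd": r"C:\Windows\apppatch\svchost.exe",
    "Shell": "explorer.exe",  # constructed default, not from the report
}
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"


def split_paths(value: str) -> list[str]:
    """Split a comma-separated Winlogon value into lower-cased, normalised
    paths. Winlogon treats Userinit as a comma list; the trailing comma of
    the stock value yields an empty entry that is dropped here."""
    paths = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if entry:
            paths.append(ntpath.normpath(entry).lower())
    return paths


def outside_system_dirs(path: str) -> bool:
    """True for an absolute path whose directory is not a system directory.
    Bare names such as 'explorer.exe' resolve against the system directory
    and are not flagged."""
    directory = ntpath.dirname(path)
    return directory != "" and directory not in SYSTEM_DIRS


def audit_userinit(value: str) -> list[str]:
    """Return every Userinit entry other than the stock userinit.exe in a
    system directory. A clean value returns []."""
    return [p for p in split_paths(value)
            if ntpath.basename(p) != "userinit.exe" or outside_system_dirs(p)]


def audit_winlogon_values(values: dict[str, str]) -> dict[str, list[str]]:
    """Flag any Winlogon string value that references an executable outside
    the system directories. Catches both the Userinit append and the odd
    '4442d7dd' value written by this sample."""
    findings = {}
    for name, data in values.items():
        hits = [p for p in split_paths(data)
                if p.endswith((".exe", ".dll")) and outside_system_dirs(p)]
        if hits:
            findings[name] = hits
    return findings


def is_masquerading_system_binary(image_path: str,
                                  names=("svchost.exe",)) -> bool:
    """True when a process image carries a well-known system binary name but
    runs from outside the system directories, as apppatch\\svchost.exe does."""
    path = ntpath.normpath(image_path).lower()
    return ntpath.basename(path) in names and outside_system_dirs(path)


def audit_live_host() -> dict[str, list[str]]:
    """Windows only: read the live Winlogon key and audit its string values."""
    import winreg  # module exists only on Windows
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            if kind in (winreg.REG_SZ, winreg.REG_EXPAND_SZ):
                values[name] = os.path.expandvars(data)
            index += 1
    return audit_winlogon_values(values)


if __name__ == "__main__":
    findings = audit_live_host() if os.name == "nt" else audit_winlogon_values(REPORT_WINLOGON)
    for value_name, hits in findings.items():
        print(f"Winlogon\\{value_name} -> {', '.join(hits)}")
```

Run on Windows it audits the live key; elsewhere it audits the values from this report and prints the Userinit and 4442d7dd hits. The check is deliberately path-based: a copy of svchost.exe under WinSxS or a non-default system drive would need SYSTEM_DIRS extended, and a value that points at a legitimate signed binary in an unusual directory is still worth a look rather than an alert on its own.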
Processes

C:\Users\Admin\AppData\Local\Temp\2df807a290d3c5994e51f223d7c1a5d0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2df807a290d3c5994e51f223d7c1a5d0N.exe"
  PID: 2224
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

  C:\Windows\apppatch\svchost.exe (child of PID 2224)
    Command line: "C:\Windows\apppatch\svchost.exe"
    PID: 2296
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Modifies WinLogon
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 237KB
  MD5: bc0d40fd65345c01f4c75bc04fabab26
  SHA1: 4abf8ff8202e7229e3d5030f70ae10f1649bde5c
  SHA256: 964aa0682a98aa0d57b5125dd606f308c84f1c246ab5beee6cfaf8b55c8406de
  SHA512: 643f75ae730d9d99dba241b3c6f51bf6efb15a9fc420f6dc7f27a3043dd4c26d3612749b2be92f539dea2a11035f79b041b381a99685bfca5cdf878fbc478b6f
  This file has the same size as the submitted sample but none of its hashes match the sample's hashes listed under General, so it is not a byte-identical copy. The report does not name the path it was collected from.