Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 13/07/2024, 19:23
Static task: static1

Behavioral task: behavioral1
- Sample: 04be35537e487658cb5499263499abf0N.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: 04be35537e487658cb5499263499abf0N.exe
- Resource: win10v2004-20240709-en
General
- Target: 04be35537e487658cb5499263499abf0N.exe
- Size: 204KB
- MD5: 04be35537e487658cb5499263499abf0
- SHA1: 425c5803311fedd05c6999799b612a31093b3299
- SHA256: 65ee8a95c9b257410977d855e967f6a35411833a984ad63ea9e298b31e7d6640
- SHA512: 583574140077432c472f276acf04dc6cd708675f2a184bc0712ef5a3699e5f4df338b39740fa35297d417f0747e01e5ebd948701bdd24d2b154d1dd64eef8356
- SSDEEP: 3072:GO/6nl92ILkt6i2ox7c39b1a0J86W8xXCKNWOHU/ezYMVWtG4SPUkxbgl:GgFtboVBJtNWyPnYG4fUbk
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"
  process: svchost.exe

- Executes dropped EXE (1 IoC)
  pid: 1984; process: svchost.exe

- Loads dropped DLL (2 IoCs)
  pid: 3032; process: 04be35537e487658cb5499263499abf0N.exe (2 identical entries)

- Modifies WinLogon (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c0d30c78 = "C:\\Windows\\apppatch\\svchost.exe"
  process: svchost.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\c0d30c78 = "C:\\Windows\\apppatch\\svchost.exe"
  process: 04be35537e487658cb5499263499abf0N.exe

- Drops file in Program Files directory (12 IoCs), all by process svchost.exe
  File opened for modification: C:\Program Files (x86)\Windows Defender\lymyxid.com
  File created: C:\Program Files (x86)\Windows Defender\qetyfuv.com
  File opened for modification: C:\Program Files (x86)\Windows Defender\qetyfuv.com
  File opened for modification: C:\Program Files (x86)\Windows Defender\gahyqah.com
  File created: C:\Program Files (x86)\Windows Defender\galyqaz.com
  File created: C:\Program Files (x86)\Windows Defender\lymyxid.com
  File opened for modification: C:\Program Files (x86)\Windows Defender\vocyzit.com
  File created: C:\Program Files (x86)\Windows Defender\vonypom.com
  File opened for modification: C:\Program Files (x86)\Windows Defender\vonypom.com
  File created: C:\Program Files (x86)\Windows Defender\gahyqah.com
  File opened for modification: C:\Program Files (x86)\Windows Defender\galyqaz.com
  File created: C:\Program Files (x86)\Windows Defender\vocyzit.com

- Drops file in Windows directory (2 IoCs), both by process 04be35537e487658cb5499263499abf0N.exe
  File created: C:\Windows\apppatch\svchost.exe
  File opened for modification: C:\Windows\apppatch\svchost.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 1984; process: svchost.exe

- Suspicious behavior: RenamesItself (1 IoC)
  pid: 3032; process: 04be35537e487658cb5499263499abf0N.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 3032 wrote to memory of 1984; pid: 3032; process: 04be35537e487658cb5499263499abf0N.exe; procid_target: 30 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\04be35537e487658cb5499263499abf0N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\04be35537e487658cb5499263499abf0N.exe"
  PID: 3032
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\apppatch\svchost.exe
    command line: "C:\Windows\apppatch\svchost.exe"
    PID: 1984
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Modifies WinLogon
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 23KB
  MD5: b229cd65829a1e8b126e404944ef8731
  SHA1: 62fcc67dd3bf9612086880df0cf797ce46e664c4
  SHA256: 14e921f530059cf0abb4177b6c86a3574b71b942833d70deb3e3921dbbed3ce9
  SHA512: 526132813232595225f708daf6a629683afddd60d0aae752b846c391bf237e07f223c6bb786ed135046234b1688f7a0d3d59b9bbb0c671548fd6db7343b7ff5a

- Filesize: 42KB
  MD5: 00697c2b8ad2f93f078ef0324f951b30
  SHA1: 7faf411fde39c863be94b9fd05e89db57f52ae84
  SHA256: 068e9983eebd1c38dfa8b4bc1f4d524b7ed805271315ed1b8331ea2479915ebd
  SHA512: c3e6e17a8377b7095d44191440aa3268704e122eebbebabad89f8c1b9d21a3b2fba3431d8fe07e6cb722ab93a5c275be0f05eced510a1cb0080c8d05bd75aba0

- Filesize: 42KB
  MD5: 8006efa96b607e90a2ecd385e82fbced
  SHA1: 843a93393f5d4f89167b3eadb7dd00652cfeca8e
  SHA256: 195b2e98ff77b3de2acce90eedeca42df2c94d0884fed2aee1604dea085cb803
  SHA512: 7acdcdd671a291a82421ecbcbda5713ab95dbad9044734d8458a4349843cdf18457a1a40b127bd30d2991e4012cd249874f941ccde43e4a646d1e87a5016e0f6

- Filesize: 204KB
  MD5: 53881d139b3adb9c4d6b8a058f2314a1
  SHA1: 4c387a9cddddce9ea269a325775275c8b0bcb2d5
  SHA256: 7186edccea43966c7eec8a7ef17daf56122fefffef84a89700940229301ecae1
  SHA512: bcccf1c5d4ee9c1085bfec60fd3325bffc9d5f35cc23bdc5e18219c0ae1bedb32e2f10c3684b21e2c3f9b877ccf25ea60939c73deb074474d8d8148613afd315