Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22/07/2024, 23:29
Static task: static1
Behavioral task: behavioral1
Sample: 2b5a6fe14376cbb5dc3ccc73aec34110N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 2b5a6fe14376cbb5dc3ccc73aec34110N.exe
Resource: win10v2004-20240709-en
General
Target: 2b5a6fe14376cbb5dc3ccc73aec34110N.exe
Size: 135KB
MD5: 2b5a6fe14376cbb5dc3ccc73aec34110
SHA1: e6df196f3a11432091fd329d8a0f7b2cc9abf9c4
SHA256: e5dfed3f665d93160eb7ed7c3abaa39ca23c6768e44a23d6cf60804530c4742a
SHA512: 14eb250c9a7df54f531fd6fc1dd88f6de40795aa227af67bb5f5e23db20b450a3cced267af0ce17279920ea9601cacf8102712739338c1723f5d06a6181e46b0
SSDEEP: 1536:4fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVgEhu:4VqoCl/YgjxEufVU0TbTyDDalquu
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2756 | explorer.exe
  2916 | spoolsv.exe
  2852 | svchost.exe
  2776 | spoolsv.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  2012 | 2b5a6fe14376cbb5dc3ccc73aec34110N.exe
  2756 | explorer.exe
  2916 | spoolsv.exe
  2852 | svchost.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 2b5a6fe14376cbb5dc3ccc73aec34110N.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2384 | schtasks.exe
  2612 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2012 | 2b5a6fe14376cbb5dc3ccc73aec34110N.exe
  2756 | explorer.exe
  2852 | svchost.exe
  (64 enumeration events in total from these three processes, collapsed here by process)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2756 | explorer.exe
  2852 | svchost.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  2012 | 2b5a6fe14376cbb5dc3ccc73aec34110N.exe (2 events)
  2756 | explorer.exe (2 events)
  2916 | spoolsv.exe (2 events)
  2852 | svchost.exe (2 events)
  2776 | spoolsv.exe (2 events)
- Suspicious use of WriteProcessMemory (28 IoCs; each row was logged 4 times)
  description | pid | Process | procid_target
  PID 2012 wrote to memory of 2756 | 2012 | 2b5a6fe14376cbb5dc3ccc73aec34110N.exe | 30
  PID 2756 wrote to memory of 2916 | 2756 | explorer.exe | 31
  PID 2916 wrote to memory of 2852 | 2916 | spoolsv.exe | 32
  PID 2852 wrote to memory of 2776 | 2852 | svchost.exe | 33
  PID 2756 wrote to memory of 2752 | 2756 | explorer.exe | 34
  PID 2852 wrote to memory of 2612 | 2852 | svchost.exe | 35
  PID 2852 wrote to memory of 2384 | 2852 | svchost.exe | 38
Processes
C:\Users\Admin\AppData\Local\Temp\2b5a6fe14376cbb5dc3ccc73aec34110N.exe  (depth 1, PID 2012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b5a6fe14376cbb5dc3ccc73aec34110N.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\resources\themes\explorer.exe  (depth 2, PID 2756)
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\spoolsv.exe  (depth 3, PID 2916)
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\svchost.exe  (depth 4, PID 2852)
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe  (depth 5, PID 2776)
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\schtasks.exe  (depth 5, PID 2612)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:31 /f
          - Scheduled Task/Job: Scheduled Task
        C:\Windows\SysWOW64\schtasks.exe  (depth 5, PID 2384)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:32 /f
          - Scheduled Task/Job: Scheduled Task
    C:\Windows\Explorer.exe  (depth 3, PID 2752)
      Command line: C:\Windows\Explorer.exe
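The behaviour above reduces to one host-side pattern: copies named explorer.exe, svchost.exe and spoolsv.exe executing from c:\windows\resources\, persisted through RunOnce values and a daily scheduled task named "svchost" that point back at those copies, plus ShowSuperHidden set to 0 so the dropped files stay hidden in Explorer. The following Python is an added example of detection logic for that pattern; it is not part of the report and not Hatching's code. The EVENTS list is constructed from the report's process tree and registry IoCs in a Sysmon-like shape, not real telemetry, and the EXPECTED_LOCATIONS table assumes a default %SystemRoot% of C:\Windows.

```python
"""Added example: host-side detection for the masquerading/persistence
pattern in the report above. EVENTS is constructed from the report's
IoCs in a Sysmon-like shape; it is not real telemetry."""
import re

# Where the genuine binaries live on a stock install (assumes %SystemRoot% = C:\Windows).
EXPECTED_LOCATIONS = {
    "explorer.exe": {r"c:\windows\explorer.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"},
    "spoolsv.exe": {r"c:\windows\system32\spoolsv.exe"},
}
RUN_KEY_RE = re.compile(r"\\currentversion\\(run|runonce)\\")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def norm_path(path):
    # Lower-case and drop the NT object-manager prefix (\??\) the sandbox logged.
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def masquerade_reason(path):
    """Return a reason if `path` names a system binary outside its real home, else None."""
    p = norm_path(path)
    name = p.rsplit("\\", 1)[-1]
    expected = EXPECTED_LOCATIONS.get(name)
    if expected and p not in expected:
        return f"{name} from unexpected path {p}"
    return None


def target_reason(target):
    # A launch target may carry arguments ("... RO"): try the whole string, then its first token.
    for candidate in (target, *tokenize(target)[:1]):
        reason = masquerade_reason(candidate)
        if reason:
            return reason
    return None


def task_reason(cmdline):
    """Flag `schtasks /create` whose /tr target is a masquerading binary."""
    toks = tokenize(cmdline)
    if not toks or "schtasks" not in toks[0].lower() or "/create" not in [t.lower() for t in toks]:
        return None
    opts = {}
    for i, t in enumerate(toks[:-1]):
        if t.startswith("/") and not toks[i + 1].startswith("/"):
            opts[t.lower()] = toks[i + 1]
    reason = target_reason(opts.get("/tr", ""))
    return f"scheduled task {opts.get('/tn', '?')!r} runs {reason}" if reason else None


def registry_reason(key, value):
    """Flag ShowSuperHidden=0 and Run/RunOnce values that launch masquerading binaries."""
    k = key.lower()
    if k.endswith(r"\explorer\advanced\showsuperhidden") and str(value).strip() == "0":
        return "ShowSuperHidden=0: protected OS files hidden in Explorer"
    if RUN_KEY_RE.search(k):
        value_name = k.rsplit("\\", 1)[-1]
        reason = target_reason(str(value))
        if reason:
            return f"autorun value {value_name!r} runs {reason}"
    return None


def analyse(events):
    """Return [(pid, reason)] for every event that matches one of the checks."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            reason = masquerade_reason(ev["image"]) or task_reason(ev.get("cmdline", ""))
        else:
            reason = registry_reason(ev["key"], ev["value"])
        if reason:
            findings.append((ev["pid"], reason))
    return findings


SID = r"\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000"
EVENTS = [  # constructed from the report's process tree and registry IoCs
    {"type": "process", "pid": 2012, "image": r"C:\Users\Admin\AppData\Local\Temp\2b5a6fe14376cbb5dc3ccc73aec34110N.exe"},
    {"type": "process", "pid": 2756, "image": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"type": "process", "pid": 2916, "image": r"\??\c:\windows\resources\spoolsv.exe", "cmdline": r"c:\windows\resources\spoolsv.exe SE"},
    {"type": "registry", "pid": 2756, "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost", "value": r"c:\windows\resources\svchost.exe RO"},
    {"type": "registry", "pid": 2852, "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "value": "0"},
    {"type": "process", "pid": 2612, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:31 /f'},
    # Two benign controls: the real Explorer (PID 2752 in the tree) and a task pointing at a non-system binary.
    {"type": "process", "pid": 2752, "image": r"C:\Windows\Explorer.exe"},
    {"type": "process", "pid": 4242, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
]

if __name__ == "__main__":
    for pid, reason in analyse(EVENTS):
        print(pid, reason)
```

Run stand-alone it reports five findings (PIDs 2756, 2916, 2756, 2852, 2612) and stays silent on the two benign controls. The checks key on the binary's real location rather than on the c:\windows\resources path from this sample, so the same logic catches the next variant that drops into a different folder; the EXPECTED_LOCATIONS table is the part to adjust for non-default installs.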
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 135KB
  MD5: c88ffcc7c2f8f6c41203e3998dfe647b
  SHA1: 40aee9e36c7e977911a001cee019c2ce9fe13995
  SHA256: 426033ccec0b4de5f6b4c4a39fb2553ccd9f20415fb1e6db6596a5ca7f7eb7b5
  SHA512: 5b08569fd9e086b478059715c567b60cebd0c120aaeb196eccd835e4d808a76508459cce940ba8db6a7d7505d8407a310c5b929e4338f3f1dd53cc59d37ca172
- Filesize: 135KB
  MD5: dbb3a6db6ff23d551e14f354ef03d32c
  SHA1: 8bb96dbe3bf538a2e6909e4a79c7b8d4be0ea42c
  SHA256: 176cdbe764738718769bdfe3eda7067d2dfa05a640e4296893147678e5aaccf7
  SHA512: d619be1c9cf4f679ab86e475ae94696605220c338ce3b769dc47ba3ff72519fc3437bd2b057c50b6f8c2f66d6c2a005c36f34608d47e1fc7724f7578a366368e
- Filesize: 135KB
  MD5: 154821bccb874818567f71684883435c
  SHA1: 84d1e8773ca496b7e4c5cd9f1de8ec8042940826
  SHA256: 1505f25356fcc15e19d2b78e0691e712b1d19108a6ea71ef70eccba004946a8e
  SHA512: 67c9dea3e7c09b8354372b0b23c20d9884a681dbba53dd2ca416a5ad79c16a260293939ddfb6fa8dac7ca829a7c5c85e9c8287082c36c78443a149e8009b3ff6