Analysis
max time kernel: 120s
max time network: 26s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23/07/2024, 13:49
Static task: static1
Behavioral task: behavioral1
  Sample: c3de679d46d7af04fb19fec872658950N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: c3de679d46d7af04fb19fec872658950N.exe
  Resource: win10v2004-20240709-en
General
Target: c3de679d46d7af04fb19fec872658950N.exe
Size: 60KB
MD5: c3de679d46d7af04fb19fec872658950
SHA1: 715a2062a806ad6ac2c1bd8915b4175cbd9432b5
SHA256: 033a9bdf81cd99f3aac4ccd914b91de59ec3c7ab0aa825511487675f3017816d
SHA512: cae8bdf84fbd586d32c21386e16fa9f6ea459fbbce3f02d32fc6061763ab603307d9184ae2e19f261840a3fa185a358eaee28b77219d25dc8e0aecf5abb7b766
SSDEEP: 768:ETgAcnILz6H4PwVjHovQ/o/THkbAqs3OfKDHGlHRJ6Wd:ETCy0CQjH2oQ+RJ6Wd
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nuoiv.exe
Executes dropped EXE (1 IoC)
  pid | Process
  2296 | nuoiv.exe
Loads dropped DLL (2 IoCs)
  pid | Process
  2688 | c3de679d46d7af04fb19fec872658950N.exe (2 entries)
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuoiv = "C:\\Users\\Admin\\nuoiv.exe" | nuoiv.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2296 | nuoiv.exe (64 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2688 | c3de679d46d7af04fb19fec872658950N.exe
  2296 | nuoiv.exe
Suspicious use of WriteProcessMemory (64 IoCs; procid_target is the sandbox's own process index, not a PID)
  description | pid | Process | procid_target
  PID 2688 wrote to memory of 2296 | 2688 | c3de679d46d7af04fb19fec872658950N.exe | 30 (4 entries)
  PID 2296 wrote to memory of 2688 | 2296 | nuoiv.exe | 29 (60 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c3de679d46d7af04fb19fec872658950N.exe (PID 2688)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c3de679d46d7af04fb19fec872658950N.exe"
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\nuoiv.exe (PID 2296, child of 2688)
      Command line: "C:\Users\Admin\nuoiv.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
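Added example (my code, not Triage's and not derived from the sample): a small Python triage script that turns the signature IoCs and process tree above into ranked findings. The PIDs, image names, registry paths and write counts are the report's; the event-record shape, rule names and the ATT&CK mapping in the comments are my assumptions, not Triage's export format. It flags the Run key and the ShowSuperHidden change, and classifies the WriteProcessMemory pairs by their direction in the process tree, so the 60 writes from the dropped nuoiv.exe back into its parent stand out from the four routine parent-to-child writes that follow a CreateProcess.

```python
"""Findings from the report's signature IoCs (added example).
Event records are constructed from the report: the PIDs, image names and
registry paths are the report's; the record shape and rule names are assumed."""
import re
from collections import Counter

# ---- Constructed sample input (values from the report, layout assumed) ----
SID = "S-1-5-21-3434294380-2554721341-1919518612-1000"
DROPPER = "c3de679d46d7af04fb19fec872658950N.exe"
IMAGE_OF = {2688: DROPPER, 2296: "nuoiv.exe"}
PARENT_OF = {2296: 2688}          # process tree: the dropper (2688) spawned nuoiv.exe (2296)


def user_key(*parts):
    """Build a \\REGISTRY\\USER\\<SID>\\... path the way the report prints it."""
    return "\\".join(("\\REGISTRY\\USER", SID) + parts)


EVENTS = [
    {"kind": "registry", "op": "Set value (int)", "process": "nuoiv.exe",
     "ioc": user_key("Software", "Microsoft", "Windows", "CurrentVersion",
                     "Explorer", "Advanced", "ShowSuperHidden") + ' = "0"'},
    {"kind": "registry", "op": "Set value (str)", "process": "nuoiv.exe",
     # the report escapes backslashes inside the quoted value
     "ioc": user_key("Software", "Microsoft", "Windows", "CurrentVersion", "Run", "nuoiv")
            + ' = "C:\\\\Users\\\\Admin\\\\nuoiv.exe"'},
]
# 4 parent->child writes and 60 child->parent writes, as the report counts them
EVENTS += [{"kind": "memwrite", "src": 2688, "dst": 2296}] * 4
EVENTS += [{"kind": "memwrite", "src": 2296, "dst": 2688}] * 60

# ---- Rules ----
RUN_KEY_RE = re.compile(
    r'\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\=]+?)\s*=\s*"(?P<value>.*)"\s*$', re.I)
SUPER_HIDDEN_RE = re.compile(
    r'\\Explorer\\Advanced\\ShowSuperHidden\s*=\s*"(?P<value>-?\d+)"', re.I)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def registry_findings(ev):
    """Run-key persistence (ATT&CK T1547.001, my mapping) and Explorer hidden-file tampering."""
    found = []
    m = RUN_KEY_RE.search(ev["ioc"])
    if m:
        target = m.group("value").replace("\\\\", "\\")   # undo the report's escaping
        # A Run value launching something from the user profile root is the classic dropper pattern.
        in_profile = target.lower().startswith("c:\\users\\")
        found.append({"rule": "run_key_persistence",
                      "severity": "high" if in_profile else "medium",
                      "process": ev["process"],
                      "detail": f"{m.group('name')} -> {target}"})
    m = SUPER_HIDDEN_RE.search(ev["ioc"])
    if m and m.group("value") == "0":
        found.append({"rule": "explorer_hide_system_files", "severity": "medium",
                      "process": ev["process"],
                      "detail": "ShowSuperHidden = 0 (protected OS files hidden in Explorer)"})
    return found


def memwrite_findings(events, parent_of, image_of):
    """Classify WriteProcessMemory pairs by their direction in the process tree."""
    pairs = Counter((e["src"], e["dst"]) for e in events if e["kind"] == "memwrite")
    found = []
    for (src, dst), n in sorted(pairs.items()):
        if parent_of.get(dst) == src:          # parent into freshly spawned child: routine
            rule, sev = "parent_writes_child", "low"
        elif parent_of.get(src) == dst:        # dropped child writing back into its dropper
            rule, sev = "child_writes_parent", "high"
        else:
            rule, sev = "cross_process_write", "medium"
        found.append({"rule": rule, "severity": sev,
                      "process": image_of.get(src, str(src)),
                      "detail": f"{src} -> {dst} x{n}"})
    return found


def analyse(events, parent_of=PARENT_OF, image_of=IMAGE_OF):
    """Return all findings, highest severity first."""
    found = []
    for ev in events:
        if ev["kind"] == "registry":
            found.extend(registry_findings(ev))
    found.extend(memwrite_findings(events, parent_of, image_of))
    return sorted(found, key=lambda f: (SEVERITY_RANK[f["severity"]], f["rule"]))


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"[{f['severity']:<6}] {f['rule']:<28} {f['process']:<40} {f['detail']}")
```

The direction check is the point worth keeping from this report: a parent writing into a child it just created is normal process-hollowing or loader behaviour and is scored low, whereas a dropped executable writing repeatedly into its own parent has no benign explanation and is scored high on its own, before any registry evidence is considered.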
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 60KB
  MD5: e4b2e1cfd8c839cfda8f621d01ee11d7
  SHA1: 96f0c4a342a9a7ba93fbea1761d9f446a448d3f4
  SHA256: 41300dfec3c8fa9f217511b33f5ae1220da020ab6334e8c6f2058cd0a0d493ca
  SHA512: 2834178c2515ac5ff46238775f563a19b6bf669e6f48827eca729ec497a996c19ee943e92be63414c0475b8bc0c2d883f263d75735bb7223f5cda28c822dd17a