Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 117s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 24/07/2024, 06:46
Static task: static1
Behavioral task: behavioral1
  Sample: 5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Resource: win10v2004-20240709-en
General
  Target: 5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Size: 497KB
  MD5: 5be6e2c83e2ed19e4b2c9ea83b734860
  SHA1: f1e4b6ef5b36d2098b652fd2ee5c2bad936ef7dc
  SHA256: 140c37210d057d81b9e7a8a6c63483699812bf1b12dcd3f634bac5f8918ba896
  SHA512: c051251bb6d8dd4e79aaa50f1a7450e3954c2168ebd68c3589cb2a03c24183d1c920925aa4727609aa2b1924f2ff9a48379273084b44755916bd9d011b140f03
  SSDEEP: 6144:yiNjjdOCJnUNKMEPDGeoo1HyisWW4g0QTxbGctE6Jm20tdVgWwAidpNCgrBF:TjjwULQoN84XQT08JoVgWwAkAQ
Malware Config
Signatures
YARA rule match
  resource: behavioral1/files/0x00060000000193ae-20.dat
  yara_rule: aspack_v212_v242
Executes dropped EXE (1 IoC)
  PID 3044  lsm.exe
Loads dropped DLL (3 IoCs)
  PID 2328  Regsvr32.exe
  PID 2312  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  PID 2312  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISMJA.EXE = "C:\\Program Files (x86)\\svchost.exe"  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\H:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\I:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\M:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\J:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\K:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\L:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\U:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\V:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\E:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\O:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\R:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\T:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\G:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\N:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\P:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\Q:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened (read-only)  \??\S:  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Drops file in System32 directory (2 IoCs)
  File created  C:\Windows\SysWOW64\ISMJA.EXE  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File created  C:\Windows\SysWOW64\Ms7002.dll  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Drops file in Program Files directory (5 IoCs)
  File created  C:\Program Files\lsm.exe  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File created  C:\Program Files (x86)\HTAKJ.EXE  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File created  C:\Program Files (x86)\ISMJA.EXE  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File opened for modification  C:\Program Files (x86)\ISMJA.EXE  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  File created  C:\Program Files (x86)\svchost.exe  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Regsvr32.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lsm.exe
Modifies registry class (26 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}"  Regsvr32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment"  Regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook"  Regsvr32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files (x86)\\ISMJA.EXE \"%1\""  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002"  Regsvr32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}  Regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll"  Regsvr32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid  Regsvr32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID  Regsvr32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files (x86)\\ISMJA.EXE %1"  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook  Regsvr32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile  lsm.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files (x86)\\ISMJA.EXE %1"  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files (x86)\\ISMJA.EXE \"%1\""  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32  Regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\ISMJA.EXE"  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002"  Regsvr32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2312  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
  PID 2312  5be6e2c83e2ed19e4b2c9ea83b734860N.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3044  lsm.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2312 wrote to memory of 2328  (5be6e2c83e2ed19e4b2c9ea83b734860N.exe, procid_target 30)
  PID 2312 wrote to memory of 2328  (5be6e2c83e2ed19e4b2c9ea83b734860N.exe, procid_target 30)
  PID 2312 wrote to memory of 2328  (5be6e2c83e2ed19e4b2c9ea83b734860N.exe, procid_target 30)
  PID 2312 wrote to memory of 2328  (5be6e2c83e2ed19e4b2c9ea83b734860N.exe, procid_target 30)
  PID 2312 wrote to memory of 2328  (5be6e2c83e2ed19e4b2c9ea83b734860N.exe, procid_target 30)
  PID 2312 wrote to memory of 2328  (5be6e2c83e2ed19e4b2c9ea83b734860N.exe, procid_target 30)
  PID 2312 wrote to memory of 2328  (5be6e2c83e2ed19e4b2c9ea83b734860N.exe, procid_target 30)
  PID 2312 wrote to memory of 3044  (5be6e2c83e2ed19e4b2c9ea83b734860N.exe, procid_target 31)
  PID 2312 wrote to memory of 3044  (5be6e2c83e2ed19e4b2c9ea83b734860N.exe, procid_target 31)
  PID 2312 wrote to memory of 3044  (5be6e2c83e2ed19e4b2c9ea83b734860N.exe, procid_target 31)
  PID 2312 wrote to memory of 3044  (5be6e2c83e2ed19e4b2c9ea83b734860N.exe, procid_target 31)
Processes
- C:\Users\Admin\AppData\Local\Temp\5be6e2c83e2ed19e4b2c9ea83b734860N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5be6e2c83e2ed19e4b2c9ea83b734860N.exe"
  PID: 2312
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\Regsvr32.exe (depth 2)
    Command line: Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
    PID: 2328
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
  - C:\Program Files\lsm.exe (depth 2)
    Command line: "C:\Program Files\lsm.exe"
    PID: 3044
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads