Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 26/07/2024, 02:18
Static task: static1
Behavioral task: behavioral1
- Sample: b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- Resource: win10v2004-20240709-en
General
- Target: b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- Size: 1.4MB
- MD5: f2af0cf68dfd2a651cc66ad92ea4524a
- SHA1: 95ccb921e2f012b426ee89b1901b28ef661d93eb
- SHA256: b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74
- SHA512: 4cade9d6e64030d5bfb1dffe451efbba70c8c1a7d77b945fdd364870773504c634efc3a662b1ae2b2ceb1c39939a47efbb545ba65a1c634330df181119fac198
- SSDEEP: 24576:T9cdOqX1uuMliQzd4mNy9Sh5hJgpiwVQLJaOSZ4LehoZza9gNWmAO5ehlM+:T9UX1uBx4mYo83vOSeyeaKrE
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
- 1964 | explorer.exe
- 2656 | spoolsv.exe
- 2792 | svchost.exe
- 2704 | spoolsv.exe
Loads dropped DLL (8 IoCs)
pid | Process
- 2380 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- 2380 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2656 | spoolsv.exe
- 2656 | spoolsv.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (34 IoCs)
pid | Process
- 2380 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2656 | spoolsv.exe
- 2792 | svchost.exe
- 2704 | spoolsv.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
- File opened for modification | \??\c:\windows\system\explorer.exe | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
- File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
- File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 2380 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 1964 | explorer.exe
- 2792 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
- 1964 | explorer.exe
- 2792 | svchost.exe
Suspicious use of SetWindowsHookEx (17 IoCs)
pid | Process
- 2380 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- 2380 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- 2380 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
- 2656 | spoolsv.exe
- 2656 | spoolsv.exe
- 2656 | spoolsv.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 2792 | svchost.exe
- 2704 | spoolsv.exe
- 2704 | spoolsv.exe
- 2704 | spoolsv.exe
- 1964 | explorer.exe
- 1964 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
- PID 2380 wrote to memory of 1964 | 2380 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe | 30
- PID 2380 wrote to memory of 1964 | 2380 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe | 30
- PID 2380 wrote to memory of 1964 | 2380 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe | 30
- PID 2380 wrote to memory of 1964 | 2380 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe | 30
- PID 1964 wrote to memory of 2656 | 1964 | explorer.exe | 31
- PID 1964 wrote to memory of 2656 | 1964 | explorer.exe | 31
- PID 1964 wrote to memory of 2656 | 1964 | explorer.exe | 31
- PID 1964 wrote to memory of 2656 | 1964 | explorer.exe | 31
- PID 2656 wrote to memory of 2792 | 2656 | spoolsv.exe | 32
- PID 2656 wrote to memory of 2792 | 2656 | spoolsv.exe | 32
- PID 2656 wrote to memory of 2792 | 2656 | spoolsv.exe | 32
- PID 2656 wrote to memory of 2792 | 2656 | spoolsv.exe | 32
- PID 2792 wrote to memory of 2704 | 2792 | svchost.exe | 33
- PID 2792 wrote to memory of 2704 | 2792 | svchost.exe | 33
- PID 2792 wrote to memory of 2704 | 2792 | svchost.exe | 33
- PID 2792 wrote to memory of 2704 | 2792 | svchost.exe | 33
- PID 2792 wrote to memory of 2580 | 2792 | svchost.exe | 35
- PID 2792 wrote to memory of 2580 | 2792 | svchost.exe | 35
- PID 2792 wrote to memory of 2580 | 2792 | svchost.exe | 35
- PID 2792 wrote to memory of 2580 | 2792 | svchost.exe | 35
- PID 2792 wrote to memory of 652 | 2792 | svchost.exe | 37
- PID 2792 wrote to memory of 652 | 2792 | svchost.exe | 37
- PID 2792 wrote to memory of 652 | 2792 | svchost.exe | 37
- PID 2792 wrote to memory of 652 | 2792 | svchost.exe | 37
- PID 2792 wrote to memory of 2912 | 2792 | svchost.exe | 39
- PID 2792 wrote to memory of 2912 | 2792 | svchost.exe | 39
- PID 2792 wrote to memory of 2912 | 2792 | svchost.exe | 39
- PID 2792 wrote to memory of 2912 | 2792 | svchost.exe | 39
Processes
- C:\Users\Admin\AppData\Local\Temp\b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe"
  PID: 2380
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 1964
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 2656
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2792
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 2704
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe
          Command line: at 02:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2580
          - System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\at.exe
          Command line: at 02:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 652
          - System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\at.exe
          Command line: at 02:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2912
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3): Active Setup (1), Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3): Active Setup (1), Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (4)
Downloads