Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
27/07/2024, 00:46
General
-
Target
SetWindowsHook.exe
-
Size
418KB
-
MD5
09a00f3eb6d7f5c01d158eb17e904be8
-
SHA1
fd4d59c010049f4bcd501c5edb64342d13c0a674
-
SHA256
1a5d44cf8fb61f5db36d2e7d4b27f7ddb4a4896993b1b27a065ee2ec0aafdfba
-
SHA512
a9e3ee4cbf73b5c8c8b0821c920d6c4c59b924069ac072e3840189a4b36a17adf808a8486b7d8caad0daf8e17a1803d6e034b9774f4f64084cfd10749b165a76
-
SSDEEP
12288:mpSi+MuPVQyz21vhljSXrZnuvserfR1yCk8V0:mMi+M25z21vDv3L/yCk8a
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 24 IoCs
-
Suspicious use of SendNotifyMessage 21 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SetWindowsHook.exe"C:\Users\Admin\AppData\Local\Temp\SetWindowsHook.exe"1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CompleteEdit.au"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.0.1202735144\469525601" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1172 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4046e71-9285-46cc-a4c2-b7f3f8dede03} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 1304 42d3958 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.1.1804457406\371224240" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {379d9226-b539-4f76-b413-fd29cfb37a93} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 1508 d72b58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.2.1430985713\654420346" -childID 1 -isForBrowser -prefsHandle 2240 -prefMapHandle 2236 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdaf9579-f73b-41bc-af04-7b60bdc9b822} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2252 1ae99558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.3.1087687265\1627055315" -childID 2 -isForBrowser -prefsHandle 2508 -prefMapHandle 2504 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb001186-1d76-45d9-9e67-5503b87136f2} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2480 d68d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.4.1544825797\995632767" -childID 3 -isForBrowser -prefsHandle 2860 -prefMapHandle 2864 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {127d155a-77c5-43e3-aeba-e7360be66042} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 2876 1cf38e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.5.283864226\990826080" -childID 4 -isForBrowser -prefsHandle 3868 -prefMapHandle 3008 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {144a24b9-433a-4b82-8a50-b232e79d13f0} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 3880 1dbc9c58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.6.791972756\1196008665" -childID 5 -isForBrowser -prefsHandle 3992 -prefMapHandle 3996 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8790f3f8-5223-4ce0-82b4-2d598cd66800} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 3864 1dbf2e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.7.2079507931\1148592381" -childID 6 -isForBrowser -prefsHandle 3908 -prefMapHandle 4152 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae5fdafd-8c54-4abf-a270-a838bf5e17e5} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 4252 1ed95a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.8.1473660559\1000001111" -childID 7 -isForBrowser -prefsHandle 4436 -prefMapHandle 4428 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fe5e588-f96d-4232-8b63-be6373f58d1d} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 4464 2244de58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2424.9.1858372973\1137217325" -childID 8 -isForBrowser -prefsHandle 4648 -prefMapHandle 4588 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 912 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64b8cc4e-e63c-4108-aa9b-03c963752014} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" 4636 2244e158 tab3⤵
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ClearMove.docx"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde /n1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe"C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22KB
MD50fe5d25b76e9406c34be4d4f47200f4b
SHA1bfe846c698955421fa3ab5e7d30e1a587e1d14a0
SHA256929fa30d1a27caefaa40e01661518ba8e0429fb81adc7367993fe6efbcadb0c3
SHA5129af3437559ad6bd15288fa66f282f4f06b7ad04ff32bfbf43b1f7c9e22f0c3d3d31db5b238f74fe98d270f61abc4551fdc4986f5247fcdf91d23bafda7f6615c
-
Filesize
218KB
MD5e7c83b4c9e0a6d15cedc08c781becec4
SHA139d59727f4605cf5f5352d1644badcad617fe277
SHA2568efaa34435d088e5c4b1eeb96b11f769bf854c4a5f305233401e73c8ed7c4647
SHA51251a36733f0f78d545e84c3f09b4385c4eac811b5f1ac9a7bd36df283eddca73736fc7baee3b26a84b68ba372b7fe7d31e3b2b3e7f533921e2f124a94be24e621
-
Filesize
449B
MD51b0d510b36e8cc9e60093a5eb99938cc
SHA166bfeb915cc6b922d1c4160db5fec335d9db3e0b
SHA2566dd3fe1b06f12c8b0ac8d8b140c7b5913cadf1d9d57f0069367f87aca372c499
SHA5123edb949845c288d89b7d615352aa37ba703989a6db8250434fef072b1e2f79eb47c22bc2b4e5321b8bbd64d395afc8785aae17813f78433a4e14027e3fd75332
-
Filesize
19KB
MD518669bd8b12f3efd0d5c2e2c27cc5f40
SHA1fd334e4761dea1406523e88493d5f1fd5ef79db4
SHA25618d0d0e56dc19b7bad6b245cdd00d01c100d36b2f5e830de78249942149cef7d
SHA5127bad6cfd8583b3fe1c81cc66df1c93e86060889607224d4681ef68a564d38182a68fba5d6dc68e2618878b725d4a4fee2c897c25f37d9f7f400f40024ab73ede
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
9KB
MD5b0e05f7127b8dc932decb94519adc0d9
SHA12e6a2511e83a7d81ff795549df3a876dd528e396
SHA256c96f77666fe136495b02a577e065e219218210021be9788512a0f1d226254fa3
SHA512baf9f63bde0b7756eb36a023cdce733c436b7648e17da0232fa9d0e6e60c20012e627f91bef12830ec7f969284e1c48154a40111d2b5157207683a824d160809
-
Filesize
733B
MD571042fed71850725878f526843887e2b
SHA189143d8f827bbd565625d2f86d50f141cc857fd1
SHA256b8e2825a800e86db671ecb55b2e3b9ea0130e2eb50abb29c49cccc079815ae7e
SHA512086a4628105460b874d43ab7365174073bc8c64d59cafb9f452d4f43e40431ec9a688d283f278c648db15be7e1d47143c4bd26e6186a46ca260bb3580259f915
-
Filesize
6KB
MD51f94f05ad9ae300e95986be21e39889b
SHA1dc7eeb22ef4b88beb7884ed678455316a50732ee
SHA256e9328ed12afe3d8e0309a0fbdea721a46064abd14b238eacffdadb02d326daee
SHA5127b804d4fecadfee384d170fb449e0aa6b7991da2dc63beb03843255e2be62ff28e8ec84ab2006fd855df5caff986d09f23b547574edab61449b3b08728f7d3f1
-
Filesize
3KB
MD5cb83032ebb5e714c012f092609df5ede
SHA14e6a27926c04d63974d39c194c2a2d15e42b1f2c
SHA256eb86d9ce165d14893f2383932713123a8e4ca17ede2d012e88ba61b95fe87454
SHA51278a6f3bc00c07d24b31bb7a51a7b57c73cc5be615bb758b400787a8ece1574f79ced8a0730f206af6e1cdaf4a282515fd71576483ec8d40edaba052f9af1a1f9
-
Filesize
3KB
MD51bdc18b15aabeb5f24c4820d7416d4ae
SHA170fd5c9abade4ce8b4239342cb054fd6fef6b268
SHA2569d3b7e177a9f9f9f6e99f5037e9f5d4e9925186af73c46973b11ec50e996cb72
SHA512476eff6358a8fc6c25769405fe94cc4ca13b1119e8eb7b056ed7af8ef87fd7ad9aeb8268c8ffc025bafda99bb97573d815fff60c9eeef60c4d5bdf91cbc6ba11
-
Filesize
76B
MD534e7236a6c0e7b4bd1e6a5b2cd5d88dd
SHA11a1c8c9f33735c8dcac4167643bd089d692baf78
SHA256aec0cfa5ea18a92a4148a15ebe46deefcb4b19210f110ff33fa167170908aebd
SHA512a013ec7deffc5654edcc6a3a6825bae958636f4ea85d1e744beeddf5e3f0b1c75eaf3ff65f222c887f7e6c52eaf97ed06b5f3dcdd3e44454a22524c34a251ad7
-
Filesize
96KB
-
Filesize
132KB
-
Filesize
208KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
108KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
72KB
-
Filesize
140KB
-
Filesize
96KB
-
Filesize
144KB
-
Filesize
160KB
-
Filesize
348KB
-
Filesize
68KB
-
Filesize
412KB
-
Filesize
192KB
-
Filesize
96KB
-
Filesize
16.7MB
-
Filesize
2.0MB
-
Filesize
260KB
-
Filesize
496KB
-
Filesize
992KB
-
Filesize
208KB
-
Filesize
2.7MB
-
Filesize
16.7MB
-
Filesize
68KB
-
Filesize
116KB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
2.7MB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
992KB
-
Filesize
96KB
-
Filesize
520KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
64KB