Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
19s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240704-it -
resource tags
arch:x64arch:x86image:win7-20240704-itlocale:it-itos:windows7-x64systemwindows -
submitted
14/08/2024, 15:44
Static task
static1
Behavioral task
behavioral1
Sample
idapro.exe
Resource
win7-20240704-it
Behavioral task
behavioral2
Sample
idapro.exe
Resource
win10v2004-20240802-it
Errors
General
-
Target
idapro.exe
-
Size
327KB
-
MD5
0ed74836af595a75d959e703e98f3735
-
SHA1
f48fe1347528b1bcc210a90c60e93300ddfb1c31
-
SHA256
3b14f10b8cd5c55d405785829bf2e8e4917fe1ac432ec0a376b2b4621314686c
-
SHA512
dd5bb6e6c2674b8b2de6b22c0f7cc051303592d0fd50e14c8452988646760c907c9650e5b7ab594027e01faa9216f2b865b5ab015f34d92e62d51373f8152fbe
-
SSDEEP
6144:UsLqdufVUNDa+anxutqrmxBpwrWlTKh4Qffn2n:PFUNDa+axuS+waZ84
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Executes dropped EXE 7 IoCs
pid Process 2804 idapro.exe 2788 icsys.icn.exe 2624 explorer.exe 2652 spoolsv.exe 2668 svchost.exe 3036 spoolsv.exe 2888 spoolsv.exe -
Loads dropped DLL 8 IoCs
pid Process 2724 idapro.exe 2724 idapro.exe 2864 Process not Found 2788 icsys.icn.exe 2624 explorer.exe 2652 spoolsv.exe 2668 svchost.exe 2624 explorer.exe -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "c:\\windows\\resources\\themes\\explorer.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Svchost = "c:\\windows\\resources\\svchost.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "c:\\windows\\resources\\themes\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Svchost = "c:\\windows\\resources\\svchost.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe idapro.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language idapro.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1524 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2724 idapro.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2624 explorer.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe 2668 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2624 explorer.exe 2668 svchost.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 2724 idapro.exe 2724 idapro.exe 2788 icsys.icn.exe 2788 icsys.icn.exe 2624 explorer.exe 2624 explorer.exe 2652 spoolsv.exe 2652 spoolsv.exe 2668 svchost.exe 2668 svchost.exe 3036 spoolsv.exe 3036 spoolsv.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2724 wrote to memory of 2804 2724 idapro.exe 30 PID 2724 wrote to memory of 2804 2724 idapro.exe 30 PID 2724 wrote to memory of 2804 2724 idapro.exe 30 PID 2724 wrote to memory of 2804 2724 idapro.exe 30 PID 2724 wrote to memory of 2788 2724 idapro.exe 32 PID 2724 wrote to memory of 2788 2724 idapro.exe 32 PID 2724 wrote to memory of 2788 2724 idapro.exe 32 PID 2724 wrote to memory of 2788 2724 idapro.exe 32 PID 2788 wrote to memory of 2624 2788 icsys.icn.exe 33 PID 2788 wrote to memory of 2624 2788 icsys.icn.exe 33 PID 2788 wrote to memory of 2624 2788 icsys.icn.exe 33 PID 2788 wrote to memory of 2624 2788 icsys.icn.exe 33 PID 2624 wrote to memory of 2652 2624 explorer.exe 34 PID 2624 wrote to memory of 2652 2624 explorer.exe 34 PID 2624 wrote to memory of 2652 2624 explorer.exe 34 PID 2624 wrote to memory of 2652 2624 explorer.exe 34 PID 2652 wrote to memory of 2668 2652 spoolsv.exe 35 PID 2652 wrote to memory of 2668 2652 spoolsv.exe 35 PID 2652 wrote to memory of 2668 2652 spoolsv.exe 35 PID 2652 wrote to memory of 2668 2652 spoolsv.exe 35 PID 2668 wrote to memory of 3036 2668 svchost.exe 36 PID 2668 wrote to memory of 3036 2668 svchost.exe 36 PID 2668 wrote to memory of 3036 2668 svchost.exe 36 PID 2668 wrote to memory of 3036 2668 svchost.exe 36 PID 2624 wrote to memory of 492 2624 explorer.exe 37 PID 2624 wrote to memory of 492 2624 explorer.exe 37 PID 2624 wrote to memory of 492 2624 explorer.exe 37 PID 2624 wrote to memory of 492 2624 explorer.exe 37 PID 2668 wrote to memory of 1524 2668 svchost.exe 38 PID 2668 wrote to memory of 1524 2668 svchost.exe 38 PID 2668 wrote to memory of 1524 2668 svchost.exe 38 PID 2668 wrote to memory of 1524 2668 svchost.exe 38 PID 2624 wrote to memory of 2888 2624 explorer.exe 42 PID 2624 wrote to memory of 2888 2624 explorer.exe 42 PID 2624 wrote to memory of 2888 2624 explorer.exe 42 PID 2624 wrote to memory of 2888 2624 explorer.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\idapro.exe"C:\Users\Admin\AppData\Local\Temp\idapro.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\users\admin\appdata\local\temp\idapro.exec:\users\admin\appdata\local\temp\idapro.exe2⤵
- Executes dropped EXE
PID:2804
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3036
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:46 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1524
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe4⤵PID:492
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
PID:2888
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:1728
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:2460
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
MD505d5875e19e172b49adc9d0f04ccae46
SHA1c2f617a38218ed18ac5350416789de87ccfa4606
SHA256c595e3530c8f93a8021ef1e23ce9031c1a989cda64dc9b51e8ee49ceec4e275c
SHA512311cbd9eb728b42122b6d7e44c6a2dd5299c664fda3119e7c88adb12d1e42f9a347d330e1bd5999391c7fa5870a0ce6a712b7274a688c1687d666a04998bf7a8
-
Filesize
135KB
MD597fb807872b1491b1b651ca01b7b44e5
SHA12a1c76699e60f4c68bfbcddb4fdf7bb0c03c2022
SHA2562c817462143f75605819bda44f7086aaad80e798e3445e275afa34a834cc539f
SHA51212ff80d7b1bcbf9df88aa767bdd093f98cc293092325fae4a4967a9a497678b84a9828069ce5abbbbf4fbcc2751fbfedf8c3ace84b7e52fd003f369ecb1c40f5
-
Filesize
135KB
MD586ffadfb7aede1665b2cc6824ca7e0b7
SHA14cf1e686c88b44e0becc99714cccdc97bf05483b
SHA256e599fc27c331701c45cc4384465da66c050dcfd999ee9e0ab17143bff7d8ce18
SHA512a40e176b749502e1b8d95791d98bf11641adbfec09586189452c9c9e0aa9f52e66f125972503a9b6f82615f95bb3045c1798939a1a3b3e79b932fa9987c1d74f
-
Filesize
135KB
MD51bc1a081ec2bed4975fee76d840302e3
SHA18934e6391e0af1bf4c3813e29e3dea50d1dc425e
SHA256ef5215df85ff8c6538e06f0130b19134aab2ad2b9552a63ddb4dad62d1e995ac
SHA5124d9ed09fe89d765244e71f6a612870a38c901458ede7213935c2261a9303165652b51f63e6101a8cea70b4163213c5879ec6b6c76cf4e82200d54996f9e32373
-
Filesize
135KB
MD52e96e615382bd6905f8e8a31d2237503
SHA1227ee3c93c2cc2c08ace0ca3379dbe6582bbcadc
SHA256bddb2f1c4187c2d695bbe28486d027947fddf58244ac6634df29554e4c60598f
SHA512660ac75eac6f17ea7547fa9beca5ec3eb9926d724c82238682e6852f5c070657dd5f5be46bb68cd4d828abe3f87fa1d0f0d4b80c918774641c0322e3a962c628