Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 150s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 17/08/2024, 03:31
Static task: static1
Behavioral task: behavioral1
  Sample: a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
  Resource: win10v2004-20240802-en
The signatures and process tree on this page are from the windows7_x64 run (see platform above); the Windows 10 task is listed but its results are not shown here.
General
  Target: a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
  Size: 211KB
  MD5: e5dc0d2edb9217f61b178e4fb33c1e56
  SHA1: b2c26b273efa8eef307e73b3ded8e28e1b4f388e
  SHA256: a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c
  SHA512: 9f82a43d302cf35cfd1392bc8f3acdbae7b12d4506ecac1158324c77e5bdc334e1b151b8e3749990fa3f93aa8d4451066a21a552ac11e1ae6d6cffc91767faaf
  SSDEEP: 3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1FqnC:b1iNKQxENHLfMgw7y9Zr/
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"  (userinit.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"  (swchost.exe)
  Winlogon launches every comma-separated entry in Shell at logon; the default is explorer.exe alone. The appended c:\windows\userinit.exe is the dropped copy, not the genuine C:\Windows\System32\userinit.exe. Note the Wow6432Node path: the 32-bit sample wrote through WOW64 registry redirection, so the value landed in the 32-bit view rather than the key the 64-bit winlogon.exe reads; confirm which view a 64-bit host honours before treating this entry as live persistence.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (userinit.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (swchost.exe)
  ShowSuperHidden = 0 keeps files marked hidden+system out of Explorer listings. The report does not show the attributes set on the dropped files, so read this as intent to conceal rather than confirmed concealment.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"  (swchost.exe)
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  (swchost.exe)
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  (swchost.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"  (swchost.exe)
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  (swchost.exe)
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  (userinit.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"  (userinit.exe)
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  (swchost.exe)
  Both component names only look like GUIDs: VMVQ, A9RC, NUFL, OTRW, U5GH and S1EE are not hexadecimal, so a check that Installed Components subkeys parse as real GUIDs singles these entries out. The StubPath points at C:\Users\Admin\AppData\Local\mrsys.exe, a user-writable location; no file event in this report shows mrsys.exe being written, so its origin is not established here.
Executes dropped EXE (4 IoCs)
  PID 2852  userinit.exe
  PID 2700  spoolsw.exe
  PID 2704  swchost.exe
  PID 2572  spoolsw.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"  (swchost.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"  (userinit.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"  (userinit.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"  (swchost.exe)
  Each resident process writes both its own RunOnce value and its sibling's, so the two binaries and the two values have to come out together. The names imitate svchost.exe and the genuine userinit.exe, but the files sit in c:\windows rather than System32.
Drops file in System32 directory (1 IoCs)
  File opened for modification  C:\Windows\SysWOW64\udsys.exe  (userinit.exe)
  SysWOW64 is where a 32-bit process's writes to System32 land on x64 under WOW64 file-system redirection.
Drops file in Windows directory (5 IoCs)
  File opened for modification  \??\c:\windows\userinit.exe  (a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe)
  File opened for modification  \??\c:\windows\spoolsw.exe  (userinit.exe)
  File opened for modification  \??\c:\windows\swchost.exe  (spoolsw.exe)
  File opened for modification  \??\c:\windows\userinit.exe  (userinit.exe)
  File opened for modification  \??\c:\windows\swchost.exe  (swchost.exe)
  The drop chain is sample -> userinit.exe -> spoolsw.exe -> swchost.exe; userinit.exe and swchost.exe each also open their own file for modification.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (userinit.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (spoolsw.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (swchost.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (spoolsw.exe)
  Every stage reads NLS\Language. Ordinary locale-aware code touches this key too, so on its own it is a weak indicator.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 hits: PID 2972 (a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe) 1, PID 2852 (userinit.exe) 32, PID 2704 (swchost.exe) 31. After the first hit the two resident stages alternate, enumerating the process list repeatedly for the rest of the run.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 2852  userinit.exe
  PID 2704  swchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  PID 2972  a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe  (2)
  PID 2852  userinit.exe  (4)
  PID 2700  spoolsw.exe  (2)
  PID 2704  swchost.exe  (2)
  PID 2572  spoolsw.exe  (2)
Suspicious use of WriteProcessMemory (16 IoCs)
  writer PID  target PID  writer process                                                          procid_target  count
  2972        2852        a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe   32             4
  2852        2700        userinit.exe                                                            33             4
  2700        2704        spoolsw.exe                                                             34             4
  2704        2572        swchost.exe                                                             35             4
  Every write goes from a parent into the child it has just created, and the four identical entries per pair are consistent with the writes CreateProcess performs while setting up a new child. This signature therefore records process creation here, not injection into an unrelated process.
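The persistence IoCs above translate directly into host-side rules. The following Python is an added example, not tria.ge code and not from the sample's author: it replays four of the registry writes listed above, in a record layout that mimics a Sysmon Event ID 13 export (an assumption of this example), through rules for a non-default Winlogon Shell, an Active Setup component whose name is not a well-formed GUID or whose StubPath lies outside %SystemRoot% and Program Files, a Run/RunOnce value pointing at a lookalike of a system binary, and ShowSuperHidden = 0. The SYSTEM_BINARIES table, the trusted-root list and the benign control entry are the example's own choices and do not come from the report.

```python
"""Registry persistence rules drawn from the Signatures section of this report.

Added example, not tria.ge code. SAMPLE_EVENTS copies four of the registry
IoCs above (paths and data are the page's own; the image/target/details
layout mimics a Sysmon Event ID 13 export and is an assumption here) plus one
constructed benign Active Setup entry used as a control.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"c:\windows\userinit.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
     "details": r"C:\Windows\explorer.exe, c:\windows\userinit.exe"},
    {"image": r"c:\windows\swchost.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath",
     "details": r"C:\Users\Admin\AppData\Local\mrsys.exe MR"},
    {"image": r"c:\windows\swchost.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost",
     "details": r"c:\windows\swchost.exe RO"},
    {"image": r"c:\windows\userinit.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "details": "0"},
    # Constructed control (not from the report): well-formed GUID, stub under %SystemRoot%.
    {"image": r"c:\windows\system32\msiexec.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}\StubPath",
     "details": r"C:\Windows\System32\ie4uinit.exe -UserConfig"},
]

GUID_RE = re.compile(r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}", re.IGNORECASE)

# Names the dropped files imitate, and the directory the genuine binary lives in
# (hand-picked for this sample; extend before reuse).
SYSTEM_BINARIES = {
    "userinit.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def exe_path(command: str) -> str:
    """Executable part of a command line, lower-cased: the quoted path or text up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    m = re.match(r".*?\.exe", command, re.IGNORECASE)
    return (m.group(0) if m else command.split(" ", 1)[0]).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch one-letter lookalikes such as swchost/svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade(path: str) -> Optional[str]:
    """Reason string if path borrows, or nearly borrows, a system binary's name; else None."""
    directory, _, name = path.lower().rpartition("\\")
    for legit, legit_dir in SYSTEM_BINARIES.items():
        if name == legit and directory != legit_dir:
            return f"{name} outside {legit_dir}"
        if name != legit and edit_distance(name, legit) == 1:
            return f"{name} looks like {legit}"
    return None


def evaluate(event: Dict[str, str]) -> List[str]:
    """Apply the persistence rules and the masquerade check to one registry-set event."""
    target, details = event["target"].lower(), event["details"]
    findings: List[str] = []
    if target.endswith("\\winlogon\\shell"):
        entries = [exe_path(e) for e in details.split(",")]
        extra = [p for p in entries if not p.endswith("\\explorer.exe")]
        if extra:
            findings.append(f"winlogon shell runs extra program(s): {extra}")
    elif "\\active setup\\installed components\\" in target and target.endswith("\\stubpath"):
        component = event["target"].rsplit("\\", 2)[-2]
        if not GUID_RE.fullmatch(component):
            findings.append(f"active setup component id is not a GUID: {component}")
        path = exe_path(details)
        if not path.startswith(TRUSTED_ROOTS):
            findings.append(f"active setup stub outside trusted roots: {path}")
    elif "\\currentversion\\runonce\\" in target or "\\currentversion\\run\\" in target:
        reason = masquerade(exe_path(details))
        if reason:
            findings.append(f"run key points at masquerading binary: {reason}")
    elif target.endswith("\\explorer\\advanced\\showsuperhidden") and details.strip() == "0":
        findings.append("protected OS files re-hidden (ShowSuperHidden=0)")
    reason = masquerade(event["image"])  # the writing process itself
    if reason:
        findings.append(f"writer masquerades: {reason}")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(writing image, findings) for every event that trips at least one rule."""
    hits = []
    for event in events:
        findings = evaluate(event)
        if findings:
            hits.append((event["image"], findings))
    return hits


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(findings))
```

Run directly, it prints one line per flagged write; the control entry produces nothing. The lookalike check is deliberately narrow (edit distance of exactly one against a short list) so it fires on swchost/svchost and spoolsw/spoolsv without matching every unrelated name; widen SYSTEM_BINARIES before pointing it at real telemetry.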
Processes
1. C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe"
   PID: 2972
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\userinit.exe
      Command line: c:\windows\userinit.exe
      PID: 2852
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\spoolsw.exe
         Command line: c:\windows\spoolsw.exe SE
         PID: 2700
         - Executes dropped EXE
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\swchost.exe
            Command line: c:\windows\swchost.exe
            PID: 2704
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\spoolsw.exe
               Command line: c:\windows\spoolsw.exe PR
               PID: 2572
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx
The stages are driven by two-letter arguments (SE and PR here, RO on the RunOnce values, MR on the Active Setup stub). Together with the identical 211KB size of the sample and every dropped file, this is consistent with one binary choosing its role from argv, although the report does not confirm that.
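The WriteProcessMemory table and the process tree together let you separate process-creation writes from injection. This Python is an added example, not tria.ge code: it parses the sixteen "wrote to memory of" records from the Signatures section in the page's own wording, plus one constructed record (PID 2704 writing into a hypothetical PID 1234 that it did not create), rebuilds the parent chain from the tree above, and reports any write whose target is not the writer's own child.

```python
"""Parent/child check over the 'wrote to memory of' records in this report.

Added example, not tria.ge code. RECORDS holds the 16 WriteProcessMemory
entries from the Signatures section in the page's own wording plus one
constructed record (hypothetical PIDs 2704 -> 1234, procid 40) showing a
write into a process the writer did not create. PARENT_OF is read off the
Processes tree above; the parent 1000 of PID 1234 is hypothetical.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE = "a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe"

RECORDS = f"""
PID 2972 wrote to memory of 2852 2972 {SAMPLE} 32
PID 2972 wrote to memory of 2852 2972 {SAMPLE} 32
PID 2972 wrote to memory of 2852 2972 {SAMPLE} 32
PID 2972 wrote to memory of 2852 2972 {SAMPLE} 32
PID 2852 wrote to memory of 2700 2852 userinit.exe 33
PID 2852 wrote to memory of 2700 2852 userinit.exe 33
PID 2852 wrote to memory of 2700 2852 userinit.exe 33
PID 2852 wrote to memory of 2700 2852 userinit.exe 33
PID 2700 wrote to memory of 2704 2700 spoolsw.exe 34
PID 2700 wrote to memory of 2704 2700 spoolsw.exe 34
PID 2700 wrote to memory of 2704 2700 spoolsw.exe 34
PID 2700 wrote to memory of 2704 2700 spoolsw.exe 34
PID 2704 wrote to memory of 2572 2704 swchost.exe 35
PID 2704 wrote to memory of 2572 2704 swchost.exe 35
PID 2704 wrote to memory of 2572 2704 swchost.exe 35
PID 2704 wrote to memory of 2572 2704 swchost.exe 35
PID 2704 wrote to memory of 1234 2704 swchost.exe 40
"""
# The final line above is constructed and is not in the report.

# Parent of each child PID, from the Processes tree. 1234 -> 1000 is the
# constructed target: a process that 2704 did not create.
PARENT_OF: Dict[int, int] = {2852: 2972, 2700: 2852, 2704: 2700, 2572: 2704, 1234: 1000}

LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_records(text: str) -> List[Tuple[int, int, str, int]]:
    """(writer_pid, target_pid, writer_image, procid_target) for each record line."""
    out = []
    for line in text.strip().splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            out.append((int(m[1]), int(m[2]), m[3], int(m[4])))
    return out


def pair_counts(records: List[Tuple[int, int, str, int]]) -> Counter:
    """Number of writes per writer -> target pair (four per pair is the creation pattern here)."""
    return Counter((w, t) for w, t, _, _ in records)


def cross_process_writes(records, parent_of: Dict[int, int]) -> List[Tuple[int, int, str]]:
    """Writes whose target was not created by the writer: the injection candidates."""
    seen = set()
    hits = []
    for w, t, image, _ in records:
        if parent_of.get(t) != w and (w, t) not in seen:
            seen.add((w, t))
            hits.append((w, t, image))
    return hits


def lineage(pid: int, parent_of: Dict[int, int]) -> List[int]:
    """Ancestor chain, root first, ending at pid."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return list(reversed(chain))


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    for (w, t), n in sorted(pair_counts(recs).items()):
        print(f"{w} -> {t}: {n} writes")
    print("cross-process writes:", cross_process_writes(recs, PARENT_OF))
    print("lineage of 2572:", lineage(2572, PARENT_OF))
```

On the page's own sixteen records the cross-process list is empty and every pair counts four writes; only the constructed 2704 -> 1234 record is reported. In live telemetry, feed PARENT_OF from process-creation events rather than a hand-built table.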
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
Downloads
Four dropped files, each 211KB (the same size as the submitted sample) but with hashes that differ from the sample and from each other; the page does not say which dropped path each record belongs to.
File 1
  Filesize: 211KB
  MD5: 2db5b6a2b2881252594557c1f2cecc3a
  SHA1: 784cc457c7a93b673a66b7b198aaebc51a32f8dd
  SHA256: b5ee0b2f2450d5f093874e1d5f0b06d1ed4e5c219e93833bd8b7ab35bb3d61fd
  SHA512: 94dbc37f2064ed9694053289f688ab6552acf69bc761d5ea95651a6f5ab96b7c5391b9fc4b9df61fec354cafda6efc047d25321dce669a4c04136439d740baa4
File 2
  Filesize: 211KB
  MD5: af11400a83e2a8650e2ff5be7434a287
  SHA1: 2c4969a988e8914ed95a841618d5e8cf0b4f4ded
  SHA256: 5a83488ddbb422de24fbb62d2f73f5d1ae971f51a582e31bd0e383b89393a39b
  SHA512: 6eccbb0f4bf5c05f5a07d8856ff3ba827f402957c22ebbc3e3ec1ae7f462dffec7b20fa149da5415f56c2e8750b805128f83b3027ae0583c41319b0df63a738a
File 3
  Filesize: 211KB
  MD5: a85ad836447a3f8b768b0537844c047f
  SHA1: c853c0df50ceea98a6f4860278e137c8507a4dde
  SHA256: 4753e672a4037152cf9e79d9d092ce4086a3889e24adcda9f6b2fdcf16dc9264
  SHA512: f3ff93395e19443c5857144da52fc247d88ed09cb8c4f00c9982eb40b3e6bbfd39a321fa734dd1efcd4b32968b858c0c3d779dd4e7cad34af3994aaffa5b63b0
File 4
  Filesize: 211KB
  MD5: 6437dcc0d2ed48e543f83446fd5a3fa1
  SHA1: 1e040da8dd2c6af0f56b9578d972707b6f38d2a7
  SHA256: 9d649bc2d40044425d545c19ddf952d52baf000711ea6c33223bf05d97a6814c
  SHA512: 11dba6b51b10e93b71f869bad5247a0188eac5905899db0b34c533c8769235d3d06dfd02d5418b2eab227cb2f6207d3174e7839f45e031d11e76e3299f1013ec