Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    17/08/2024, 03:31

General

  • Target

    a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe

  • Size

    211KB

  • MD5

    e5dc0d2edb9217f61b178e4fb33c1e56

  • SHA1

    b2c26b273efa8eef307e73b3ded8e28e1b4f388e

  • SHA256

    a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c

  • SHA512

    9f82a43d302cf35cfd1392bc8f3acdbae7b12d4506ecac1158324c77e5bdc334e1b151b8e3749990fa3f93aa8d4451066a21a552ac11e1ae6d6cffc91767faaf

  • SSDEEP

    3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1FqnC:b1iNKQxENHLfMgw7y9Zr/

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
    "C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2972
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2852
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2700
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2704
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2572

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe

    Filesize

    211KB

    MD5

    2db5b6a2b2881252594557c1f2cecc3a

    SHA1

    784cc457c7a93b673a66b7b198aaebc51a32f8dd

    SHA256

    b5ee0b2f2450d5f093874e1d5f0b06d1ed4e5c219e93833bd8b7ab35bb3d61fd

    SHA512

    94dbc37f2064ed9694053289f688ab6552acf69bc761d5ea95651a6f5ab96b7c5391b9fc4b9df61fec354cafda6efc047d25321dce669a4c04136439d740baa4

  • C:\Windows\spoolsw.exe

    Filesize

    211KB

    MD5

    af11400a83e2a8650e2ff5be7434a287

    SHA1

    2c4969a988e8914ed95a841618d5e8cf0b4f4ded

    SHA256

    5a83488ddbb422de24fbb62d2f73f5d1ae971f51a582e31bd0e383b89393a39b

    SHA512

    6eccbb0f4bf5c05f5a07d8856ff3ba827f402957c22ebbc3e3ec1ae7f462dffec7b20fa149da5415f56c2e8750b805128f83b3027ae0583c41319b0df63a738a

  • C:\Windows\swchost.exe

    Filesize

    211KB

    MD5

    a85ad836447a3f8b768b0537844c047f

    SHA1

    c853c0df50ceea98a6f4860278e137c8507a4dde

    SHA256

    4753e672a4037152cf9e79d9d092ce4086a3889e24adcda9f6b2fdcf16dc9264

    SHA512

    f3ff93395e19443c5857144da52fc247d88ed09cb8c4f00c9982eb40b3e6bbfd39a321fa734dd1efcd4b32968b858c0c3d779dd4e7cad34af3994aaffa5b63b0

  • C:\Windows\userinit.exe

    Filesize

    211KB

    MD5

    6437dcc0d2ed48e543f83446fd5a3fa1

    SHA1

    1e040da8dd2c6af0f56b9578d972707b6f38d2a7

    SHA256

    9d649bc2d40044425d545c19ddf952d52baf000711ea6c33223bf05d97a6814c

    SHA512

    11dba6b51b10e93b71f869bad5247a0188eac5905899db0b34c533c8769235d3d06dfd02d5418b2eab227cb2f6207d3174e7839f45e031d11e76e3299f1013ec