Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/08/2024, 03:31
Static task: static1
Behavioral task: behavioral1
  Sample: a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
  Resource: win10v2004-20240802-en
General
Target: a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
Size: 211KB
MD5: e5dc0d2edb9217f61b178e4fb33c1e56
SHA1: b2c26b273efa8eef307e73b3ded8e28e1b4f388e
SHA256: a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c
SHA512: 9f82a43d302cf35cfd1392bc8f3acdbae7b12d4506ecac1158324c77e5bdc334e1b151b8e3749990fa3f93aa8d4451066a21a552ac11e1ae6d6cffc91767faaf
SSDEEP: 3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1FqnC:b1iNKQxENHLfMgw7y9Zr/
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | swchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | userinit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | swchost.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | userinit.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
4524 | userinit.exe
2120 | spoolsw.exe
2180 | swchost.exe
4064 | spoolsw.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | swchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | swchost.exe
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\udsys.exe | userinit.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\userinit.exe | a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
File opened for modification | \??\c:\windows\spoolsw.exe | userinit.exe
File opened for modification | \??\c:\windows\swchost.exe | spoolsw.exe
File opened for modification | \??\c:\windows\userinit.exe | userinit.exe
File opened for modification | \??\c:\windows\swchost.exe | swchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | userinit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | swchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsw.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed, event count in parentheses)
pid | Process
4948 | a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe (2)
4524 | userinit.exe (32)
2180 | swchost.exe (30)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4524 | userinit.exe
2180 | swchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs; repeated entries collapsed, event count in parentheses)
pid | Process
4948 | a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe (2)
4524 | userinit.exe (4)
2120 | spoolsw.exe (2)
2180 | swchost.exe (2)
4064 | spoolsw.exe (2)
Suspicious use of WriteProcessMemory (12 IoCs; each row was recorded three times)
description | pid | Process | procid_target
PID 4948 wrote to memory of 4524 | 4948 | a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe | 87
PID 4524 wrote to memory of 2120 | 4524 | userinit.exe | 89
PID 2120 wrote to memory of 2180 | 2120 | spoolsw.exe | 90
PID 2180 wrote to memory of 4064 | 2180 | swchost.exe | 91
Processes
1. C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe"
   PID: 4948
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\userinit.exe
      Command line: c:\windows\userinit.exe
      PID: 4524
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\spoolsw.exe
         Command line: c:\windows\spoolsw.exe SE
         PID: 2120
         - Executes dropped EXE
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\swchost.exe
            Command line: c:\windows\swchost.exe
            PID: 2180
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\spoolsw.exe
               Command line: c:\windows\spoolsw.exe PR
               PID: 4064
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
Downloads
1. Filesize: 211KB
   MD5: 8889e96c0b48b5bb0bb7700f71e7e1d6
   SHA1: e73b9db0a96248ae3a9df612f403ed6583a8a462
   SHA256: c105403f143d885f51824a90041f27d863066f8f332cc1b93a5786870af1bd83
   SHA512: 4906b9f75fb17633d29a650c9bb1d5dc0d8ae2682c11843af7fa1331543a1f343989941144c2d8ddb287c88c1db20229f53aeb02e6938efb0ab5dc2c3e31fedd
2. Filesize: 211KB
   MD5: cc637169fa787e73c6749f5de76a8c5e
   SHA1: 13ce00f1ff9b22777150e74365463656c246a422
   SHA256: cb3da288a7e5674a332a5635f6b35a97abb4534ed9187f061e69ca2b36702b0b
   SHA512: 0e9686b23a0b5236be9f72f80de5d87fd5bc2e2271e07b24a6379a413b971f4b26b549764a4c647a9f3ab4e952eef8ea9c0b2c4556895cfa9b84d5093b59c4ef
3. Filesize: 211KB
   MD5: ab598f21ffd5378a226e3bdfb042ed6b
   SHA1: 759dee52399f47abeacf50c5beb6b84484fbc62e
   SHA256: 8fc0e7cafa560da95915d4b3760a6bf198a47df1bd3681122c1492fc626ccb75
   SHA512: f066ac602ce845fcfe3c7e47b34c5d1b2b7ba5dd8d95b9e70abc13c39c56d85f33a7291947f0fbe29236a78e5ad1ef7f06cf6156905ef916ddb673af71539827
4. Filesize: 211KB
   MD5: cd2df10cf30e39eaa424c91422bd0281
   SHA1: 7f8a3b67de23b90b86bc54ba32082a38dc336a93
   SHA256: b772058dbf0d290666258ef7a85d5a2707e235f9c82c7604cbe6163dbcc0e519
   SHA512: 8a8a1964243749bdfbf6bc637b35343709e181140bcc3527981f146b6c00afe00aa3c3cdfe5932a23dbca075ab1d5790bc1f813c383195c61dd4a12c356e1877