Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 18/08/2024, 00:42
Behavioral task: behavioral1
Sample: b35035bbd115f5f28813d27c854f5bf0N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: b35035bbd115f5f28813d27c854f5bf0N.exe
Resource: win10v2004-20240802-en
General
Target: b35035bbd115f5f28813d27c854f5bf0N.exe
Size: 33KB
MD5: b35035bbd115f5f28813d27c854f5bf0
SHA1: 14a3982401ea7bb7070763854fa3f26165b0364d
SHA256: 693219a75775769bc379b9179c3e7e87fe9058d9e10acf15372657a37df7f3f1
SHA512: aaf62b99ad99ee085f62b172588354ba33abddc3bbf32c2d3e4c3211aa848fbe1de1631425074bb4178d2a77e9d77d0c0878f0f27ecf14f75a2655a144287b3b
SSDEEP: 768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewzKO5/V:QuQRylaUDTDxDXjy6AB7koYy2T/
Malware Config
Signatures
Windows security bypass 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | obxetok-osor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | obxetok-osor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | obxetok-osor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | obxetok-osor.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5044495A-4b56-5158-5044-495A4B565158}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | obxetok-osor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5044495A-4b56-5158-5044-495A4B565158}\IsInstalled = "1" | obxetok-osor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5044495A-4b56-5158-5044-495A4B565158}\StubPath = "C:\\Windows\\system32\\arxoopid-adoab.exe" | obxetok-osor.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5044495A-4b56-5158-5044-495A4B565158} | obxetok-osor.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | obxetok-osor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | obxetok-osor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\bvufuc-ucom.exe" | obxetok-osor.exe
Executes dropped EXE 2 IoCs
pid | Process
2096 | obxetok-osor.exe
3040 | obxetok-osor.exe
Loads dropped DLL 3 IoCs
pid | Process
2976 | b35035bbd115f5f28813d27c854f5bf0N.exe
2976 | b35035bbd115f5f28813d27c854f5bf0N.exe
2096 | obxetok-osor.exe
UPX (yara rule: upx) 5 IoCs
resource | yara_rule
behavioral1/memory/2976-0-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral1/files/0x000c000000012248-4.dat | upx
behavioral1/memory/2976-11-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral1/memory/3040-25-0x0000000000400000-0x0000000000417000-memory.dmp | upx
behavioral1/memory/2096-44-0x0000000000400000-0x0000000000417000-memory.dmp | upx
Windows security modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "24064" | obxetok-osor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "24064" | obxetok-osor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "24064" | obxetok-osor.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "24064" | obxetok-osor.exe
Indicator Removal: Clear Persistence 1 IoCs
description | ioc | Process
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | obxetok-osor.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | obxetok-osor.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | obxetok-osor.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | obxetok-osor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | obxetok-osor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ohpifec-ubac.dll" | obxetok-osor.exe
Drops file in System32 directory 17 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\obxetok-osor.exe | b35035bbd115f5f28813d27c854f5bf0N.exe
File created | C:\Windows\SysWOW64\bvufuc-ucom.exe | obxetok-osor.exe
File created | C:\Windows\SysWOW64\arxoopid-adoab.exe | obxetok-osor.exe
File created | C:\Windows\SysWOW64\ohpifec-ubac.dll | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\obxetok-osor.exe | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\arxoopid-adoab.exe | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\rmass.exe | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\gymspzd.dll | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\bvufuc-ucom.exe | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\winrnt.exe | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\obxetok-osor.exe | b35035bbd115f5f28813d27c854f5bf0N.exe
File opened for modification | C:\Windows\SysWOW64\ohpifec-ubac.dll | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\aset32.exe | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\ahuy.exe | obxetok-osor.exe
File opened for modification | C:\Windows\SysWOW64\idbg32.exe | obxetok-osor.exe
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\System\gymspzd.dll | obxetok-osor.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | obxetok-osor.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\rmass.exe | obxetok-osor.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | obxetok-osor.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ahuy.exe | obxetok-osor.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | obxetok-osor.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ntdbg.exe | obxetok-osor.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\RECOVER32.DLL | obxetok-osor.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b35035bbd115f5f28813d27c854f5bf0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obxetok-osor.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2096 | obxetok-osor.exe (repeated; all but one of the 64 entries)
3040 | obxetok-osor.exe (one entry)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2976 | b35035bbd115f5f28813d27c854f5bf0N.exe
Token: SeDebugPrivilege | 2096 | obxetok-osor.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2976 wrote to memory of 2096 | 2976 | b35035bbd115f5f28813d27c854f5bf0N.exe | 30 (4 entries)
PID 2096 wrote to memory of 432 | 2096 | obxetok-osor.exe | 5 (1 entry)
PID 2096 wrote to memory of 1184 | 2096 | obxetok-osor.exe | 21 (repeated; the remaining entries)
PID 2096 wrote to memory of 3040 | 2096 | obxetok-osor.exe | 31 (4 entries)
Processes (indented by process-tree depth)
C:\Windows\system32\winlogon.exe (command line: winlogon.exe) PID:432
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID:1184
  C:\Users\Admin\AppData\Local\Temp\b35035bbd115f5f28813d27c854f5bf0N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b35035bbd115f5f28813d27c854f5bf0N.exe") PID:2976
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\obxetok-osor.exe (command line: "C:\Windows\system32\obxetok-osor.exe") PID:2096
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Indicator Removal: Clear Persistence
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\obxetok-osor.exe (command line: --k33p) PID:3040
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Downloads
-
Filesize: 36KB
MD5: 162c2143e7bd3e1ac69cc4624c1b47aa
SHA1: 49c0a079e5cb5620a6974661d7e16f4ed3475209
SHA256: 39751381133b5b7a4175678d2afa57ea7f40054171951de243afb5364592b837
SHA512: 92a2b478e5059da3ae048e6e67bf082fbeea08eff11a335ad2c2a61b4348ca31321df9edffd2969ce077bbc597cb821693737f8fe5a7b1ef4c56efc55f0215a1
-
Filesize: 37KB
MD5: 076294d9a243534fb89d8b8f075b4949
SHA1: b12b9b2d405c623e85b8002d099e6224413d0644
SHA256: 11bcd3a748d6784ba41656104f85e337125a9d8a47836ba5d0e1c09217581bd6
SHA512: 415e00e62dfa92f35ab2721296570b0ffde099805618d4144654499c844cc49d4d78de2540340f47429c81542e46dc69d44b0b9c7cdd6fff6ee264153e2f2275
-
Filesize: 5KB
MD5: c8521a5fdd1c9387d536f599d850b195
SHA1: a543080665107b7e32bcc1ed19dbfbc1d2931356
SHA256: fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5
SHA512: 541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd
-
Filesize: 33KB (same hashes as the submitted sample)
MD5: b35035bbd115f5f28813d27c854f5bf0
SHA1: 14a3982401ea7bb7070763854fa3f26165b0364d
SHA256: 693219a75775769bc379b9179c3e7e87fe9058d9e10acf15372657a37df7f3f1
SHA512: aaf62b99ad99ee085f62b172588354ba33abddc3bbf32c2d3e4c3211aa848fbe1de1631425074bb4178d2a77e9d77d0c0878f0f27ecf14f75a2655a144287b3b