Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 18/08/2024, 02:18
Static task: static1
Behavioral task: behavioral1
- Sample: 532ad1dca5ee84d4e717c45b39bb5480N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 532ad1dca5ee84d4e717c45b39bb5480N.exe
- Resource: win10v2004-20240802-en
General
- Target: 532ad1dca5ee84d4e717c45b39bb5480N.exe
- Size: 135KB
- MD5: 532ad1dca5ee84d4e717c45b39bb5480
- SHA1: e4fde9f8d9499513ddeda2c5a786592394358b5d
- SHA256: a8610c46777dbdebb6813199f19ce94a3b225f6f69326985854d9cdde68f04ae
- SHA512: e57a419418a9c3bd3167a1beed0dae4c42df99a4e0e4c7fef5c4f93b8c25d302441f7069bd33da5362d8a2da033e166f189bf86a0c36467cf263781bcb2cd526
- SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVA8:UVqoCl/YgjxEufVU0TbTyDDali8
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (Process: explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (Process: svchost.exe)
Executes dropped EXE (4 IoCs)
- PID 2800: explorer.exe
- PID 2832: spoolsv.exe
- PID 2828: svchost.exe
- PID 2700: spoolsv.exe
Loads dropped DLL (4 IoCs)
- PID 2636: 532ad1dca5ee84d4e717c45b39bb5480N.exe
- PID 2800: explorer.exe
- PID 2832: spoolsv.exe
- PID 2828: svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (Process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (Process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (Process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (Process: explorer.exe)
Drops file in System32 directory (2 IoCs)
- File opened for modification: C:\Windows\SysWOW64\explorer.exe (Process: explorer.exe)
- File opened for modification: C:\Windows\SysWOW64\explorer.exe (Process: svchost.exe)
Drops file in Windows directory (4 IoCs)
- File opened for modification: \??\c:\windows\resources\themes\explorer.exe (Process: 532ad1dca5ee84d4e717c45b39bb5480N.exe)
- File opened for modification: \??\c:\windows\resources\spoolsv.exe (Process: explorer.exe)
- File opened for modification: \??\c:\windows\resources\svchost.exe (Process: spoolsv.exe)
- File opened for modification: C:\Windows\Resources\tjud.exe (Process: explorer.exe)
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 532ad1dca5ee84d4e717c45b39bb5480N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: spoolsv.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: spoolsv.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: schtasks.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: schtasks.exe)
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2976: schtasks.exe
- PID 2596: schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2636: 532ad1dca5ee84d4e717c45b39bb5480N.exe (17 entries)
- PID 2800: explorer.exe (24 entries)
- PID 2828: svchost.exe (23 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2800: explorer.exe
- PID 2828: svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
- PID 2636: 532ad1dca5ee84d4e717c45b39bb5480N.exe (2 entries)
- PID 2800: explorer.exe (2 entries)
- PID 2832: spoolsv.exe (2 entries)
- PID 2828: svchost.exe (2 entries)
- PID 2700: spoolsv.exe (2 entries)
Suspicious use of WriteProcessMemory (28 IoCs)
- PID 2636 (532ad1dca5ee84d4e717c45b39bb5480N.exe) wrote to memory of PID 2800, procid_target 30 (4 entries)
- PID 2800 (explorer.exe) wrote to memory of PID 2832, procid_target 31 (4 entries)
- PID 2832 (spoolsv.exe) wrote to memory of PID 2828, procid_target 32 (4 entries)
- PID 2828 (svchost.exe) wrote to memory of PID 2700, procid_target 33 (4 entries)
- PID 2800 (explorer.exe) wrote to memory of PID 2604, procid_target 34 (4 entries)
- PID 2828 (svchost.exe) wrote to memory of PID 2976, procid_target 35 (4 entries)
- PID 2828 (svchost.exe) wrote to memory of PID 2596, procid_target 38 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\532ad1dca5ee84d4e717c45b39bb5480N.exe (PID 2636, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\532ad1dca5ee84d4e717c45b39bb5480N.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\resources\themes\explorer.exe (PID 2800, depth 2)
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\spoolsv.exe (PID 2832, depth 3)
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\svchost.exe (PID 2828, depth 4)
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\spoolsv.exe (PID 2700, depth 5)
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\schtasks.exe (PID 2976, depth 5)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:20 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
        - C:\Windows\SysWOW64\schtasks.exe (PID 2596, depth 5)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:21 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
    - C:\Windows\Explorer.exe (PID 2604, depth 3)
      Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads