Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/08/2024, 19:42

General

  • Target

    7af6e87aae1bc84f65a5452f9c5f6270N.exe

  • Size

    206KB

  • MD5

    7af6e87aae1bc84f65a5452f9c5f6270

  • SHA1

    b86d0813931e37be32baddcf1e8e059bf3264694

  • SHA256

    b15f06fa931041555e97169ea70f8550f9f228326bc8ee9b2ee36b000922bada

  • SHA512

    74f916ded191d9c6a3f72fa31eca39727007d134f3ea25a279fe89de206f72d0209e0bacaa62423b49975b80c1beb4236b1d99fc140713755d94fbb116763e76

  • SSDEEP

    3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unS:5vEN2U+T6i5LirrllHy4HUcMQY6t

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe
    "C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2564
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2592
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2820
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2776
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2884
          • C:\Windows\SysWOW64\at.exe
            at 19:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2112
          • C:\Windows\SysWOW64\at.exe
            at 19:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1984

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    206KB

    MD5

    2baed57dfe6ce1e9af4c4d16f14e77b9

    SHA1

    54c637e6a3de137dcb1443221a4e1b0669ce0973

    SHA256

    4103e953fc9237cdd7a603cb9ef6abebbfbd04c43c1d86f60799ce3f37e86d0f

    SHA512

    bef43567c5d7b13445ffaf2a96d58aec549fd88a22faf51e41f719d091adacf1aa8edc7e69de62b589ec0f155441796ac4057526fc62ed768eda6d4c3b4cb200

  • C:\Windows\system\svchost.exe

    Filesize

    206KB

    MD5

    4f8c85e897de63af76341592e766bbb1

    SHA1

    188547855752906030cf0a8e70c564049469e4eb

    SHA256

    859e475046f537778a68dc3b82c2fe7d33ca8a5d52982f2c656f25a139503205

    SHA512

    90bbcfa8eb129fdccf0b5cae6ef3124ac87de1acb2651b86bf9e7b576f76fc3bd732093183e6589eb1deabc11ec29b943c76143caa73f8349fd2860703ce7976

  • \Windows\system\explorer.exe

    Filesize

    206KB

    MD5

    f816b8e4d62597d09665f5e488488f7f

    SHA1

    6fa3f801db3ae1c12c9ce497073ba20ea03ddf0a

    SHA256

    b1537f3eedfb0fb2385e558df8583fa652a87fbd4be820115c0acc3d9716bbe6

    SHA512

    f5aee3ea3db6931c5e2d888a7f95cb47b57b3f59f388ab4539f994a787c901ca6e3aa017b43135ab1465cea2815500616c3a4475ee5fc9fef56f3c852f931be4

  • \Windows\system\spoolsv.exe

    Filesize

    207KB

    MD5

    f422ba8e2679637837e66d1cb59a95ac

    SHA1

    34b6d08d5da5ddffbab12cf26c8fa0ab22525e23

    SHA256

    c97219cef3af7a1dbd5c71daa5aaea676dbdbbb3786b5e3cde387ab0d31fe450

    SHA512

    9ded71c1e1445c1e2d762828319be0fbf1aaa0acef91334c13e0561df57fa84e850f80230b06f06baae895e77bdf0bd2151da8426ac6a02b605a9923e8ea4dbd

  • memory/2564-0-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2564-13-0x00000000026C0000-0x0000000002700000-memory.dmp

    Filesize

    256KB

  • memory/2564-54-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2592-56-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2776-57-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2820-53-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2884-50-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB