Analysis
- max time kernel: 120s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 21/08/2024, 19:42
Static task: static1
Behavioral task: behavioral1
- Sample: 7af6e87aae1bc84f65a5452f9c5f6270N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 7af6e87aae1bc84f65a5452f9c5f6270N.exe
- Resource: win10v2004-20240802-en
General
- Target: 7af6e87aae1bc84f65a5452f9c5f6270N.exe
- Size: 206KB
- MD5: 7af6e87aae1bc84f65a5452f9c5f6270
- SHA1: b86d0813931e37be32baddcf1e8e059bf3264694
- SHA256: b15f06fa931041555e97169ea70f8550f9f228326bc8ee9b2ee36b000922bada
- SHA512: 74f916ded191d9c6a3f72fa31eca39727007d134f3ea25a279fe89de206f72d0209e0bacaa62423b49975b80c1beb4236b1d99fc140713755d94fbb116763e76
- SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unS:5vEN2U+T6i5LirrllHy4HUcMQY6t
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2592 | explorer.exe
  2820 | spoolsv.exe
  2776 | svchost.exe
  2884 | spoolsv.exe
- Loads dropped DLL (8 IoCs)
  pid | Process
  2564 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe
  2564 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe
  2592 | explorer.exe
  2592 | explorer.exe
  2820 | spoolsv.exe
  2820 | spoolsv.exe
  2776 | svchost.exe
  2776 | svchost.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\explorer.exe | 7af6e87aae1bc84f65a5452f9c5f6270N.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7af6e87aae1bc84f65a5452f9c5f6270N.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2564 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe (first entry)
  2592 | explorer.exe (repeated entries)
  2776 | svchost.exe (repeated entries)
  The remaining 63 of the 64 recorded entries alternate between 2592 explorer.exe and 2776 svchost.exe.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2592 | explorer.exe
  2776 | svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  2564 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe
  2564 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe
  2592 | explorer.exe
  2592 | explorer.exe
  2820 | spoolsv.exe
  2820 | spoolsv.exe
  2776 | svchost.exe
  2776 | svchost.exe
  2884 | spoolsv.exe
  2884 | spoolsv.exe
  2592 | explorer.exe
  2592 | explorer.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each of the six writes below is recorded four times)
  description | pid | Process | procid_target
  PID 2564 wrote to memory of 2592 | 2564 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe | 29
  PID 2592 wrote to memory of 2820 | 2592 | explorer.exe | 30
  PID 2820 wrote to memory of 2776 | 2820 | spoolsv.exe | 31
  PID 2776 wrote to memory of 2884 | 2776 | svchost.exe | 32
  PID 2776 wrote to memory of 2112 | 2776 | svchost.exe | 33
  PID 2776 wrote to memory of 1984 | 2776 | svchost.exe | 35
Processes
- C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe"
  PID: 2564
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2592
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 2820
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2776
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 2884
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe
          Command line: at 19:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2112
          - System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\at.exe
          Command line: at 19:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1984
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (4)
Downloads