Analysis
- max time kernel: 120s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 22/08/2024, 01:04
Static task
- static1

Behavioral task
- behavioral1
  - Sample: efa66175cf3367c181ac59a698149890N.exe
  - Resource: win7-20240708-en

Behavioral task
- behavioral2
  - Sample: efa66175cf3367c181ac59a698149890N.exe
  - Resource: win10v2004-20240802-en
General
- Target: efa66175cf3367c181ac59a698149890N.exe
- Size: 3.2MB
- MD5: efa66175cf3367c181ac59a698149890
- SHA1: a0a62773b39dc7ea26a19663b1f98e2f8df76969
- SHA256: dbc410a3ed9c9392f81e2f4d2b68de11b7ac79841a2ebf559c34aa538b6db8c3
- SHA512: 13f7c6f47d49ea362c4b7689bb42014edf7f2068b0eca1f02a1637cd1aaa47a9af0d65e585994de364c31553f70ffc4b244727599aff584f0c766da3dbb9ba02
- SSDEEP: 49152:tWdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjT333TYe:9HDYsqiPRhINnq95FoHVBT333T1
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Executes dropped EXE (6 IoCs)
  - PID 2000: efa66175cf3367c181ac59a698149890n.exe
  - PID 2244: icsys.icn.exe
  - PID 2272: explorer.exe
  - PID 836: spoolsv.exe
  - PID 2852: svchost.exe
  - PID 3068: spoolsv.exe
- Loads dropped DLL (6 IoCs)
  - PID 2292: efa66175cf3367c181ac59a698149890N.exe
  - PID 2292: efa66175cf3367c181ac59a698149890N.exe
  - PID 2244: icsys.icn.exe
  - PID 2272: explorer.exe
  - PID 836: spoolsv.exe
  - PID 2852: svchost.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)
- Drops file in System32 directory (2 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
  - File opened for modification: C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)
- Drops file in Windows directory (5 IoCs)
  - File opened for modification: \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
  - File opened for modification: C:\Windows\Resources\tjud.exe (process: explorer.exe)
  - File opened for modification: C:\Windows\Resources\Themes\icsys.icn.exe (process: efa66175cf3367c181ac59a698149890N.exe)
  - File opened for modification: \??\c:\windows\resources\themes\explorer.exe (process: icsys.icn.exe)
  - File opened for modification: \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the following processes: icsys.icn.exe, spoolsv.exe, schtasks.exe, schtasks.exe, efa66175cf3367c181ac59a698149890N.exe, efa66175cf3367c181ac59a698149890n.exe, explorer.exe, spoolsv.exe, svchost.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 2612: schtasks.exe
  - PID 1408: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries for the same process collapsed)
  - PID 2292: efa66175cf3367c181ac59a698149890N.exe
  - PID 2244: icsys.icn.exe
  - PID 2272: explorer.exe
  - PID 2852: svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - PID 2272: explorer.exe
  - PID 2852: svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs; each process is listed twice)
  - PID 2292: efa66175cf3367c181ac59a698149890N.exe
  - PID 2244: icsys.icn.exe
  - PID 2272: explorer.exe
  - PID 836: spoolsv.exe
  - PID 2852: svchost.exe
  - PID 3068: spoolsv.exe
- Suspicious use of WriteProcessMemory (39 IoCs; repeated entries for the same parent/target pair collapsed)
  - PID 2292 (efa66175cf3367c181ac59a698149890N.exe) wrote to memory of PID 2000 (procid_target 28)
  - PID 2292 (efa66175cf3367c181ac59a698149890N.exe) wrote to memory of PID 2244 (procid_target 29)
  - PID 2244 (icsys.icn.exe) wrote to memory of PID 2272 (procid_target 30)
  - PID 2272 (explorer.exe) wrote to memory of PID 836 (procid_target 31)
  - PID 836 (spoolsv.exe) wrote to memory of PID 2852 (procid_target 32)
  - PID 2852 (svchost.exe) wrote to memory of PID 3068 (procid_target 33)
  - PID 2272 (explorer.exe) wrote to memory of PID 2692 (procid_target 34)
  - PID 2852 (svchost.exe) wrote to memory of PID 2612 (procid_target 35)
  - PID 2852 (svchost.exe) wrote to memory of PID 1408 (procid_target 40)
Processes (tree; indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\efa66175cf3367c181ac59a698149890N.exe (PID 2292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\efa66175cf3367c181ac59a698149890N.exe"
  Signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\efa66175cf3367c181ac59a698149890n.exe (PID 2000)
    Command line: c:\users\admin\appdata\local\temp\efa66175cf3367c181ac59a698149890n.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Windows\Resources\Themes\icsys.icn.exe (PID 2244)
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe (PID 2272)
      Command line: c:\windows\resources\themes\explorer.exe
      Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe (PID 836)
        Command line: c:\windows\resources\spoolsv.exe SE
        Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe (PID 2852)
          Command line: c:\windows\resources\svchost.exe
          Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe (PID 3068)
            Command line: c:\windows\resources\spoolsv.exe PR
            Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\schtasks.exe (PID 2612)
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:06 /f
            Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\schtasks.exe (PID 1408)
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:07 /f
            Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - C:\Windows\Explorer.exe (PID 2692)
        Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads