Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
22/08/2024, 02:02
General
-
Target
40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe
-
Size
3.9MB
-
MD5
40c7b28ae79b11198b3be7c7de664f68
-
SHA1
ef3a6270e75f5d334ba780dd8f7818548b0e6d81
-
SHA256
40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f
-
SHA512
52dc5b17f633c1e2370b7927b9de59dd9afc2f905c1222f786f324cb28d1f983694048701bd9201142e54b107c99832b4af82ea647a389e12a820564b3a71bf2
-
SSDEEP
98304:EL+TeMMOQ/on3tkX1v2FQ03Le/8Vy5opUi:4+yP/+3tav2K03CEVyeUi
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe"C:\Users\Admin\AppData\Local\Temp\40d3609e3b05566993450c98a53b3d310ac0da5b2f6a7ce9dae3cff69ddc4f7f.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\mschaincontainerProviderdriver\p5L4tCZskQSKrAp9i73GV6nTpbyIueed5yrdR5MhJJcsf1DbOcdt.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\mschaincontainerProviderdriver\QyeawRlrHW2G8u24NG4SBrEnR4w14yBdhDTq.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\mschaincontainerProviderdriver\ContainerPerf.exe"C:\mschaincontainerProviderdriver/ContainerPerf.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a5vrKwwupZ.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\PCHEALTH\services.exe"C:\Windows\PCHEALTH\services.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX3O4psMNH.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\PCHEALTH\services.exe"C:\Windows\PCHEALTH\services.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qwmke0eayG.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Windows\PCHEALTH\services.exe"C:\Windows\PCHEALTH\services.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s6L5myzuOs.bat"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Windows\PCHEALTH\services.exe"C:\Windows\PCHEALTH\services.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2yB5vkEA4A.bat"13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\PCHEALTH\services.exe"C:\Windows\PCHEALTH\services.exe"14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U5BoPe2aCH.bat"15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\PCHEALTH\services.exe"C:\Windows\PCHEALTH\services.exe"16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpiwJJ3Pd2.bat"17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\Windows\PCHEALTH\services.exe"C:\Windows\PCHEALTH\services.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mCHKcGl2nx.bat"19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\PCHEALTH\services.exe"C:\Windows\PCHEALTH\services.exe"20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PEEvsyJdYA.bat"21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\PCHEALTH\services.exe"C:\Windows\PCHEALTH\services.exe"22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\upHCHH0RIK.bat"23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\PCHEALTH\services.exe"C:\Windows\PCHEALTH\services.exe"24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gbxaZFyaug.bat"25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160B
MD5d6b0fcc2906eefe225edd00199ccf6ba
SHA1c999ba752ac7464a831bc39f20a46c882fafd8b7
SHA25693b6518522d218a76e11ebd36b2af6de1153d86f9b50937b8815c518cade5c20
SHA512ad82fa8a9b9b3acbab9b371ee99b819cff955f4bc8b094ecf35e9c74b37a28a919b48188090a381bc9dcd102e8bcbd4aa713c3618de27fe08a8a36d7fce79815
-
Filesize
160B
MD5809470e001f7a92720037cde718458cf
SHA10f9d49c6a447836453e306709d5b8ecfbb039621
SHA256a078c525c86e6652775d6d3b84a59e5c9880dc68535c972c69bfc02cc315c029
SHA51286232743595fbb65e8f36d3a41ba5bb0f047a40310f39f357a3dcd20383a7da0ad7ccc72970628db70adb480c06fa29521914eef7a2b71d8e8023220a55798c4
-
Filesize
160B
MD54254e09bcd4418888d75bd35d763f5b6
SHA182efe3e54d33d274eccf7a747dcc33349f7c3c93
SHA256a64b5191beb1f0c37f993948009181a31d3b7e6c15631f86a6fb1e0b97a540d2
SHA51253d7a9e4ecad6d1d6b00f24477d75461af5bf33473acd9fc99f40cdffd11ac771d9534c324fba74d85fa847ae6d13b1a3cb3d1b87e598ca4f259f5237efda0ed
-
Filesize
208B
MD592e95c09137b8986b871e3b8139ebffc
SHA1245412b7b97bde8693bd8a6d61549c9210523908
SHA256d2d7557b28a3e6bf29c0c392e448de283d35d048f8a26b2667efa5536dc9fef3
SHA5122fe63870307f0d6383888fc71ffb55b2045fd535d2fd4491eacef938ca91ea18e856241ad9f1c0fe3bf3f721d54505018c24b642a4095a038009a122ff13a82e
-
Filesize
160B
MD5ceb7c7a68fa671249e2259de01602582
SHA1c56b5a8a5e65cf83c30063c552991acd0caf735e
SHA256a48f99db8eb61d6806f7648774f73077efbde3435e8e7270d1c27265f96cbe53
SHA51246b4ad6aefd8a6bdf315da710a57fa274347a10020f7667e4b41445d3223fd01ef761df0653472456e9954369c03ac7bac63514cde4d413931f1fd59c861d47c
-
Filesize
160B
MD552a3b72e0eb567a6d4edd2cc214511c3
SHA14daa1c98002ab2fffd4c7c35b9dcdf329b50e181
SHA256334cb4f6a8053fc003e6758251fd7c3b96c8111efd88dcf9f5faac7f4aa0c977
SHA5128937fec8a111b311e5678da8a1a168d1043fdf08e67e3e96047f26edadcdd3fe13c0ceb479ce610bd72a5d2bd2ef1ae110e7b0edaa615857d5a2e2bbc07a9f86
-
Filesize
160B
MD532337d72b5a38f0e17280b9d404cb18b
SHA1b731b7897c48a9c886f397001351a6b0c53c61b7
SHA2566b360e0e2e8c73e72b9afac61d40c8f9a5be214a95617d31d2d823e6a92f334d
SHA51266dc386ce778b27e22508085285c08baad9aa49642488144fd3a5f9a783a1e34e0c98e11aaf033a8b68f1a050e642546d6e37e942666f51b39c6c5b24bbefdf4
-
Filesize
160B
MD5872a6e0cb143f30daff0dbbaa66263d5
SHA1da7b097e7fa6f1842ac647ef9e9a9e376250350b
SHA256a2c876591d1012dcf9fd3a4e04f512b35178da93ade3c00eb92385bb98dc68e2
SHA512a93b23e2b5090e91fca68c4aed975a21b3fe43950b4a4167c2a5e7b7298ffbc9c336aef5c18932f77804efc011b36118a4b3bb7d22201644b315c7fc0dbc6cd0
-
Filesize
208B
MD5884de864faaa38f6ea4437e2a3439e08
SHA1128541d13b5fd9ab55579aa70b717414b2766980
SHA256dad9b16feb8b0e2842ce885c0b815d3bf3c1f92b8d161453de30d737f7952126
SHA512347c7eb588e7f984fe9d04d7b5558a3e68c6e163d7cbaf813ec809addf9e524f3412b50e3f02c7b0e4e78c1285ba38e3c3edddd3cd42dad0987f911df4e6d1ca
-
Filesize
208B
MD50562f56aed5478a0a4b15f294e1a48b0
SHA18de75e6055d7f42b201faf7fa2f068901183a30d
SHA2562ef0c44877a6907b4031eaf005de29f6fbae8bb2a3ddf271db6c5f0bdda70ae6
SHA51249e4493d5fcbd1f14c7a1c864a770c1208a205f130a3c8a5e12f66fe5fdbef2cd60ff56c41c7cbea50e6ed34488a499974927ed039e5a1c12b751a4d6a3298d5
-
Filesize
160B
MD519855ab91448db11acc631c4d590afc0
SHA153f224516b168946b65be069e5675353df503597
SHA25640545d073327f111dc702204fe2a0f9be4848d3f88d4e3d9caa4ff146cc3ed7d
SHA51219253555d955bdd2101d6caff84d6873bbc58df41a74b9afd3aeea08f7b7aff2e1a30a7aba755f3e87e3726733bb3e33db602766b089581a2bc531cc361d5973
-
Filesize
3.7MB
MD56185ea8036d5aa44c2919566858cfeae
SHA1206ce3b84d8427c010191f317371aceb00c410f6
SHA256c807156a66ce066352e4fc3e6538eabf623a4c5546c27fa998ab9a95f858be17
SHA512a6465963ee9e8dd18cd010eb55c39a6e320c465eed1090c63af6b6ed3de1865370d802f6f2e8df8200ead06a0acd6e4e48035783212244e9684a2413b4e605e4
-
Filesize
201B
MD540d7188fe8d29e0f457d9e2e78488a38
SHA10e98fa35202e227c6cac8d35ea86d62e37069e5e
SHA2562cfe393f5c596ce1801d783fc260c657a7637da6d5828acc34d5dcefcc8b850d
SHA51257cc20264eee8edcfbaaece38a909dafe3bb41abfe423ee6d698d89bce80ce9fc137186e37b03abecdc4447494188c0bc1e04861a8219c9dc375893cc6cdda9f
-
Filesize
244B
MD5bda640ef3524c0357ec9fb8a6aa807ce
SHA18461b1ebc21ef92a235f44ba3e8e27875ed5bf03
SHA256a6d4a7417bf93799852f65eda82a632c9787d3cd5827280b5bd37efdd46341fb
SHA512ef804407ef57472b351d9adbcc71064e7ba7817c58e042a1d92e092e3acd1ed12810aa51216649984693d3d3ee5c431a0176fa238fc7c246e9edbb28e1f4c27f
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
360KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
312KB
-
Filesize
72KB
-
Filesize
3.7MB
-
Filesize
88KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
152KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
3.7MB
-
Filesize
3.7MB