Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 24/08/2024, 04:54
Static task: static1
Behavioral task: behavioral1, sample c60dc3588a378da3b6849a3da4b1a480N.exe, resource win7-20240708-en
Behavioral task: behavioral2, sample c60dc3588a378da3b6849a3da4b1a480N.exe, resource win10v2004-20240802-en
The signatures, process tree and dropped files below come from behavioral1, the Windows 7 x64 run named in the Analysis block above.
General
Target: c60dc3588a378da3b6849a3da4b1a480N.exe
Size: 206KB
MD5: c60dc3588a378da3b6849a3da4b1a480
SHA1: 7efe96310b1d19c3fc0bf3b19713f079ec20aaba
SHA256: bb74ebf51e508fd1c2639175f81970dcbc1d7244245d15adb7f5d4cb1534d62e
SHA512: 917f1e2e05e4325e88ce3c0f65c425fc2b06487d0b8c22d76ce6a8a4af96214c0959edcf58726fdefe5b3a62fa1dc5d5e533f1f0ed59119f16f9c32cee5c7b9d
SSDEEP: 1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdbrrrrrrrrrrrrR:/VqoCl/YgjxEufVU0TbTyDDalb1
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                              process
  Set value (int)  \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  explorer.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  svchost.exe
  ShowSuperHidden = 0 is Explorer's "Hide protected operating system files" setting, so anything flagged hidden+system stays out of directory listings. The explorer.exe and svchost.exe here are the dropped copies under c:\windows\resources (PIDs 2672 and 1932 in the process tree), not the Windows binaries of those names.
Executes dropped EXE (4 IoCs)
  pid   process
  2672  explorer.exe
  2788  spoolsv.exe
  1932  svchost.exe
  2920  spoolsv.exe
Loads dropped DLL (8 IoCs)
  pid   process
  3028  c60dc3588a378da3b6849a3da4b1a480N.exe (2 entries)
  2672  explorer.exe (2 entries)
  2788  spoolsv.exe (2 entries)
  1932  svchost.exe (2 entries)
Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"           explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"           svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  explorer.exe
  Each of the two dropped binaries writes HKLM RunOnce entries for both itself and the other, each with an "RO" argument. The Wow6432Node path is the WOW64 registry redirection applied to 32-bit processes on the x64 image (the resource tags list both arch:x86 and arch:x64).
Drops file in System32 directory (2 IoCs)
  description                   ioc                               process
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  explorer.exe
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  svchost.exe
Drops file in Windows directory (4 IoCs)
  description                   ioc                                           process
  File opened for modification  \??\c:\windows\resources\themes\explorer.exe  c60dc3588a378da3b6849a3da4b1a480N.exe
  File opened for modification  \??\c:\windows\resources\spoolsv.exe          explorer.exe
  File opened for modification  \??\c:\windows\resources\svchost.exe          spoolsv.exe
  File opened for modification  C:\Windows\Resources\tjud.exe                 explorer.exe
  The drop order matches the process tree: the sample writes explorer.exe, explorer.exe writes spoolsv.exe, spoolsv.exe writes svchost.exe, and each stage then launches the file it wrote. tjud.exe is written by explorer.exe but never appears as a process in this run.
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  spoolsv.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  spoolsv.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c60dc3588a378da3b6849a3da4b1a480N.exe
  Two of the seven hits are the schtasks.exe system utility itself, so this signature is low-confidence on its own.
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  2652  schtasks.exe
  2228  schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  3028  c60dc3588a378da3b6849a3da4b1a480N.exe
  2672  explorer.exe
  1932  svchost.exe
  (64 entries in total, all from these three processes)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   process
  2672  explorer.exe
  1932  svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
  pid   process
  3028  c60dc3588a378da3b6849a3da4b1a480N.exe (2 entries)
  2672  explorer.exe (2 entries)
  2788  spoolsv.exe (2 entries)
  1932  svchost.exe (2 entries)
  2920  spoolsv.exe (2 entries)
Suspicious use of WriteProcessMemory (28 IoCs)
  Each parent-to-child write appears four times in the report; the seven unique pairs are:
  pid   process                                 wrote to memory of  procid_target
  3028  c60dc3588a378da3b6849a3da4b1a480N.exe   2672                30
  2672  explorer.exe                            2788                31
  2788  spoolsv.exe                             1932                32
  1932  svchost.exe                             2920                33
  2672  explorer.exe                            2800                34
  1932  svchost.exe                             2652                35
  1932  svchost.exe                             2228                39
  Every pair is a parent-child edge of the process tree below, so these writes are consistent with ordinary process creation rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\c60dc3588a378da3b6849a3da4b1a480N.exe  (PID 3028, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\c60dc3588a378da3b6849a3da4b1a480N.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\resources\themes\explorer.exe  (PID 2672, level 2)
    command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\spoolsv.exe  (PID 2788, level 3)
      command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\svchost.exe  (PID 1932, level 4)
        command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe  (PID 2920, level 5)
          command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\schtasks.exe  (PID 2652, level 5)
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:56 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
        C:\Windows\SysWOW64\schtasks.exe  (PID 2228, level 5)
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:57 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
    C:\Windows\Explorer.exe  (PID 2800, level 3)
      command line: C:\Windows\Explorer.exe
- Only the PID 2800 node is the genuine Windows shell, launched by the dropped explorer.exe. The explorer.exe, spoolsv.exe and svchost.exe nodes above it are the dropped copies under c:\windows\resources and merely borrow the names of Windows components.
- Each stage drops the next binary and then launches it (sample -> explorer.exe -> spoolsv.exe -> svchost.exe -> spoolsv.exe), passing a short mode argument: SE and PR here, RO in the RunOnce entries.
- The two schtasks runs register the same task name "svchost" twice with /f (overwrite), pointing at the dropped svchost.exe, with start times of 04:56 and 04:57 against a 04:54 submission time. Without /ru the task runs as the user who created it, and the daily schedule gives the dropped binary a second launch path independent of the RunOnce entries.
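As an added example (not code from the tria.ge report, nor from the sample's author), the following Python matcher turns the signatures above and the schtasks command lines in the process tree into host-side detection logic and runs it over constructed Sysmon-style records. It also adds one check the report does not emit, a masquerading test for processes that carry a Windows system-binary name but run outside that binary's home directory, which is exactly what the dropped explorer.exe, spoolsv.exe and svchost.exe do. The Event field names, the function names, the SUSPECT_DIRS and LEGIT_HOMES tables and the benign control records are my assumptions; the malicious records are copied from the report's IoCs.

```python
"""Match normalised Windows telemetry against the behaviours in this report.

Added example, not code from the tria.ge report or from the sample.  The
records in SAMPLE_EVENTS are constructed to resemble Sysmon process-create,
file-create and registry-value-set events after normalisation; the Event
field names and every function name are my own, not any tool's schema.
"""
import re
from dataclasses import dataclass

# Directory the dropped binaries live in, taken from the report's IoCs.  A
# production rule would add other directories Windows never installs
# executables into.  (Assumption: this single entry is enough for the demo.)
SUSPECT_DIRS = ("c:\\windows\\resources\\",)

# Where Windows keeps the binaries whose names the dropped files borrow.
LEGIT_HOMES = {
    "explorer.exe": ("c:\\windows\\", "c:\\windows\\syswow64\\"),
    "svchost.exe":  ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "spoolsv.exe":  ("c:\\windows\\system32\\",),
}

AUTORUN_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
SUPERHIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.IGNORECASE)


@dataclass
class Event:
    kind: str          # "process", "registry" or "file"
    image: str         # image path of the acting process
    cmdline: str = ""  # process events: full command line
    key: str = ""      # registry events: full path of the value written
    value: str = ""    # registry events: data written
    path: str = ""     # file events: target path


def norm(path):
    """Lower-case and drop the \\??\\ NT-namespace prefix the report shows."""
    return path.lower().lstrip("\\?")


def in_suspect_dir(path):
    return norm(path).startswith(SUSPECT_DIRS)


def masquerades(image):
    """True if image has a Windows system-binary name but is not in that binary's home."""
    directory, _, name = norm(image).rpartition("\\")
    homes = LEGIT_HOMES.get(name)
    return homes is not None and directory + "\\" not in homes


def argv(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def schtasks_switches(cmdline):
    """Map each /switch of a schtasks command line to its argument ('' for bare flags)."""
    toks, out, i = argv(cmdline), {}, 1
    while i < len(toks):
        sw = toks[i].lower()
        takes_arg = sw.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/")
        out[sw] = toks[i + 1] if takes_arg else ""
        i += 2 if takes_arg else 1
    return out


def match_report_behaviours(events):
    """Return one {'signature', 'image', 'detail'} dict per matching event, in input order."""
    hits = []

    def hit(sig, ev, detail):
        hits.append({"signature": sig, "image": ev.image, "detail": detail})

    for ev in events:
        if ev.kind == "registry" and AUTORUN_RE.search(ev.key):
            # First token of the data is the program; the report's entries also carry an "RO" argument.
            exe = argv(ev.value)[0] if ev.value.strip() else ""
            if in_suspect_dir(exe):
                hit("Adds Run key to start application", ev, ev.value)
        elif ev.kind == "registry" and SUPERHIDDEN_RE.search(ev.key):
            # 0 = "Hide protected operating system files": hidden+system files vanish from Explorer.
            if ev.value.strip() == "0":
                hit("Modifies visibility of hidden/system files in Explorer", ev, ev.key)
        elif ev.kind == "process":
            if masquerades(ev.image):  # my addition; the report emits no masquerading signature
                hit("Masquerading: system-binary name outside its home directory", ev, ev.image)
            if norm(ev.image).endswith("\\schtasks.exe"):
                sw = schtasks_switches(ev.cmdline)
                name, target = sw.get("/tn", "").lower(), sw.get("/tr", "")
                if "/create" in sw and (in_suspect_dir(target) or name + ".exe" in LEGIT_HOMES):
                    hit("Scheduled Task/Job: Scheduled Task", ev, ev.cmdline)
        elif ev.kind == "file" and norm(ev.path).endswith(".exe") and in_suspect_dir(ev.path):
            hit("Drops file in Windows directory", ev, ev.path)
    return hits


SAMPLE_EVENTS = [  # constructed: five records from the report's IoCs, then four benign controls
    Event("process", r"\??\c:\windows\resources\themes\explorer.exe",
          cmdline=r"c:\windows\resources\themes\explorer.exe"),
    Event("registry", r"\??\c:\windows\resources\themes\explorer.exe",
          key=r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
          value=r"c:\windows\resources\svchost.exe RO"),
    Event("registry", r"\??\c:\windows\resources\svchost.exe",
          key=r"\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
          value="0"),
    Event("process", r"C:\Windows\SysWOW64\schtasks.exe",
          cmdline=r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:56 /f'),
    Event("file", r"\??\c:\windows\resources\themes\explorer.exe",
          path=r"\??\c:\windows\resources\spoolsv.exe"),
    # Benign controls (constructed): the real shell (PID 2800 in the tree), a RunOnce entry
    # under a user profile, a task query, and a user enabling super-hidden files.
    Event("process", r"C:\Windows\Explorer.exe", cmdline=r"C:\Windows\Explorer.exe"),
    Event("registry", r"C:\Windows\Explorer.exe",
          key=r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
          value=r'"C:\Users\Admin\AppData\Local\Setup\setup.exe" /quiet'),
    Event("process", r"C:\Windows\System32\schtasks.exe", cmdline='schtasks /query /tn "svchost"'),
    Event("registry", r"C:\Windows\Explorer.exe",
          key=r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
          value="1"),
]

if __name__ == "__main__":
    for h in match_report_behaviours(SAMPLE_EVENTS):
        print(f"{h['signature']}\n    {h['image']}\n    {h['detail']}")
```

Run as a script it prints five hits, one per malicious record, and nothing for the four controls. The schtasks check keys on two things the report makes visible: a task whose /tr lands in the drop directory, and a task name that collides with a Windows binary name, so the rule still fires if a later variant moves the drop directory but keeps the "svchost" task name.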
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1), T1547.001
    Scheduled Task/Job (1): Scheduled Task (1), T1053.005
  Privilege Escalation
    Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1), T1547.001
    Scheduled Task/Job (1): Scheduled Task (1), T1053.005
Downloads
All three dropped files are 206KB, the same size as the submitted sample, yet none of them shares a hash with the sample or with each other, so hash-based matching on the dropped copies would not catch them. The report does not map these hashes to the dropped paths.
File 1
  Filesize: 206KB
  MD5: be3f9045b77b4df1acb3914b0828c666
  SHA1: a2a807464d33c033f43a116cf8bfec552e07fce2
  SHA256: c65a442f8e57909ac991f3ee133fb1ec218d2b640a653d22700db36e3c8ac563
  SHA512: 725a05a80a7e8332f5d8c87d2e1c6abc6081a376771f19299cf316e1c19e5de7fc96e9f5b271f838bbfb995769ee9693e6801fdf94f05b3cb4f233483520728e
File 2
  Filesize: 206KB
  MD5: b2bed64acedf67068c386d48fa840926
  SHA1: d1395affed1d10f3ea748d19095da5608bdffc99
  SHA256: 65b6498aca63c1da88163a0f61408018979abcabc06c88e584134816a64c4672
  SHA512: 84524f01042708716195ec360e83e2318780a1a75270af548c4fae22c09a6677f51b5914131275fdc9d35fabb4f6297c58974798fbe0046d897cf24c220758e4
File 3
  Filesize: 206KB
  MD5: b663aa3be278c07a3ae43fc0b82b2370
  SHA1: 1d6eb22b9fea98d1e5eccbe36096b180e216e31a
  SHA256: b147be1e80c85dd1bf1307219c185ebf87b53f683ad5015a97ca7edac297515f
  SHA512: 40effe96e9b2b3e5c0c8c0755251e7031ec8f3c81c119e2b66d19ac6e9cb7174dbd28db43eb492538537141b139eae1f23959f0e4cb99e51c20e23971f24ed42