Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 24/08/2024, 20:21
Static task: static1
Behavioral task: behavioral1
- Sample: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe
- Resource: win10v2004-20240802-en
General
- Target: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe
- Size: 356KB
- MD5: c6bf8dce10c797281105f773d87befd9
- SHA1: b1c30f800c4b122b380e30f72e3eb4b8814f23a5
- SHA256: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177
- SHA512: a30b28731f3a265e95e211374c27c629ce591636cf8f765e1aa1f4684d69130e9c5365bb2bcc026e4a79a8f07db90804a2673e0d656c4a215205a16a1f6ae274
- SSDEEP: 6144:p3EmWPDNND9yRPzLq+YXFqaZiMLic9kzVd7EAC4TSs9Ei:+mWhND9yJz+b1FcMLmp2ATTSsd
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe," (process: svchost.exe)
- Executes dropped EXE (1 IoC)
  - PID 1528: svchost.exe
- Loads dropped DLL (2 IoCs)
  - PID 2468: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe
  - PID 2468: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe
- Modifies WinLogon (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d796d0b8 = "ðŒ’÷\x12S\x7f›\vˆ¡¥\u00ad>ÇMK$6\\øË>M\x04W*f¦‹¸\u00a0îÌL¥hÕô%5ô\x1cÕ<ì\x065í§óõ\x1c\x1d¤\x0e¸`\u008fuk\x15\x1fõö°=°-EŒÖž‹žõåh¥Í¾Õl»à\u00adÍ[[‹†lÍ%µcKïT¤\u0090KÍ·<El¥hÖ×´\x0e“\x0e=\u008d\x1d÷ôŘÃf\rûmÍ\x10M\x04F¥¤¤ô|xtÈ{EÈ%\x1eÏ\x14äƒõm\x0e…5åTu}S¥»æ;•\x1d.ã]ÌÀD\\]ËÜÆ\u008d\x16Ƽì#¼35†½àSHS½Dn®ÅC\u008do-às\u009dÇ\x10ÄÕUè÷\x1c_†|¬<%¼KÎ3$Ó§=l\x15\f\u009dçû$c«Ì\r\u008dh„Õ\f\x7f„•l\u00a0e4–ôv\x1cE%DsH§`„" (process: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\d796d0b8 = "ðŒ’÷\x12S\x7f›\vˆ¡¥\u00ad>ÇMK$6\\øË>M\x04W*f¦‹¸\u00a0îÌL¥hÕô%5ô\x1cÕ<ì\x065í§óõ\x1c\x1d¤\x0e¸`\u008fuk\x15\x1fõö°=°-EŒÖž‹žõåh¥Í¾Õl»à\u00adÍ[[‹†lÍ%µcKïT¤\u0090KÍ·<El¥hÖ×´\x0e“\x0e=\u008d\x1d÷ôŘÃf\rûmÍ\x10M\x04F¥¤¤ô|xtÈ{EÈ%\x1eÏ\x14äƒõm\x0e…5åTu}S¥»æ;•\x1d.ã]ÌÀD\\]ËÜÆ\u008d\x16Ƽì#¼35†½àSHS½Dn®ÅC\u008do-às\u009dÇ\x10ÄÕUè÷\x1c_†|¬<%¼KÎ3$Ó§=l\x15\f\u009dçû$c«Ì\r\u008dh„Õ\f\x7f„•l\u00a0e4–ôv\x1cE%DsH§`„" (process: svchost.exe)
- Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\apppatch\svchost.exe (process: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe)
  - File opened for modification: C:\Windows\apppatch\svchost.exe (process: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 2468: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe (4 entries)
  - PID 1528: svchost.exe (60 entries)
- Suspicious behavior: RenamesItself (1 IoC)
  - PID 2468: 233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2468 (233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe) wrote to memory of PID 1528, procid_target 29 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe (PID 2468)
  Command line: "C:\Users\Admin\AppData\Local\Temp\233842fc1f0e03f3d87afcf8628674d51013cdc24fbdda9e800ad332db3ad177.exe"
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\apppatch\svchost.exe (PID 1528, child of PID 2468)
    Command line: "C:\Windows\apppatch\svchost.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Modifies WinLogon
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 593B
  MD5: 926512864979bc27cf187f1de3f57aff
  SHA1: acdeb9d6187932613c7fa08eaf28f0cd8116f4b5
  SHA256: b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f
  SHA512: f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b
- Filesize: 356KB
  MD5: 3d3f9b0a7f8a987051387245b7ba949e
  SHA1: 84eaf830d7dd1bcef3c4b8d6656d540a7d7af8a1
  SHA256: 8677b6ac01c41fb5e30122fcbce187684e8ecbb048d920970e05b2f7bd5dd3c0
  SHA512: 93205b695a4e74d7b7367c8542954c134deaceb1f9e72ab9f45d31bd26211cf49c135a9892beed043da502664cac3f15a3a994e70095910603a20a2ec6864677