Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 24/08/2024, 20:22
Static task: static1
Behavioral task behavioral1: sample 234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe, resource win7-20240708-en
Behavioral task behavioral2: sample 234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe, resource win10v2004-20240802-en
General
Target: 234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe
Size: 206KB
MD5: 9876b3c6c6fcf53bdf065d81ec051072
SHA1: a6c41ea3dc0420870363aa2cb4f96006f831e54e
SHA256: 234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f
SHA512: abcf53fa1bb3e5866230517516876100bbf7ca38f72e0de1f48922aa64c153f7cc22e533af9a8ecda22b8d087f854dabd22e4de8b705ebf98b5485bd385becff
SSDEEP: 1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdV:/VqoCl/YgjxEufVU0TbTyDDalbV
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [explorer.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [svchost.exe]
- Executes dropped EXE (4 IoCs)
  PID 2500 explorer.exe; PID 2388 spoolsv.exe; PID 2908 svchost.exe; PID 2724 spoolsv.exe
- Loads dropped DLL (8 IoCs)
  PID 1956 234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe (2 entries); PID 2500 explorer.exe (2); PID 2388 spoolsv.exe (2); PID 2908 svchost.exe (2)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  [explorer.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  [explorer.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  [svchost.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  [svchost.exe]
- Drops file in System32 directory (2 IoCs)
  File opened for modification C:\Windows\SysWOW64\explorer.exe  [explorer.exe]
  File opened for modification C:\Windows\SysWOW64\explorer.exe  [svchost.exe]
- Drops file in Windows directory (4 IoCs)
  File opened for modification \??\c:\windows\resources\svchost.exe  [spoolsv.exe]
  File opened for modification C:\Windows\Resources\tjud.exe  [explorer.exe]
  File opened for modification \??\c:\windows\resources\themes\explorer.exe  [234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe]
  File opened for modification \??\c:\windows\resources\spoolsv.exe  [explorer.exe]
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by spoolsv.exe (2 entries), svchost.exe (1), schtasks.exe (3), 234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe (1), explorer.exe (1)
- Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2856 schtasks.exe; PID 2812 schtasks.exe; PID 580 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated entries for PID 1956 234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe, PID 2500 explorer.exe and PID 2908 svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 2500 explorer.exe; PID 2908 svchost.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  PID 1956 234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe (2 entries); PID 2500 explorer.exe (2); PID 2388 spoolsv.exe (2); PID 2908 svchost.exe (2); PID 2724 spoolsv.exe (2)
- Suspicious use of WriteProcessMemory (32 IoCs; each parent/child pair is logged 4 times)
  PID 1956 234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe wrote to memory of PID 2500 (procid_target 30)
  PID 2500 explorer.exe wrote to memory of PID 2388 (procid_target 31)
  PID 2388 spoolsv.exe wrote to memory of PID 2908 (procid_target 32)
  PID 2908 svchost.exe wrote to memory of PID 2724 (procid_target 33)
  PID 2500 explorer.exe wrote to memory of PID 2736 (procid_target 34)
  PID 2908 svchost.exe wrote to memory of PID 2856 (procid_target 35)
  PID 2908 svchost.exe wrote to memory of PID 2812 (procid_target 39)
  PID 2908 svchost.exe wrote to memory of PID 580 (procid_target 41)
Processes
C:\Users\Admin\AppData\Local\Temp\234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe (PID 1956)
  command line: "C:\Users\Admin\AppData\Local\Temp\234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\resources\themes\explorer.exe (PID 2500)
    command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\spoolsv.exe (PID 2388)
      command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\svchost.exe (PID 2908)
        command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe (PID 2724)
          command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\schtasks.exe (PID 2856)
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:24 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
        C:\Windows\SysWOW64\schtasks.exe (PID 2812)
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:25 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
        C:\Windows\SysWOW64\schtasks.exe (PID 580)
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:26 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
    C:\Windows\Explorer.exe (PID 2736)
      command line: C:\Windows\Explorer.exe
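The checks below are an added example written for this report, not code from tria.ge or from the sample. They turn the Signatures and Processes sections into four detections (a system-binary name such as explorer.exe, svchost.exe or spoolsv.exe running from a directory Windows does not ship it in; a Run/RunOnce value or a schtasks /create action pointing at such a file; ShowSuperHidden forced to 0) and rebuild the parent chain from the process tree. EVENTS is constructed from the report's PIDs, paths, registry values and schtasks command line, plus two benign controls; the Sysmon-like field names (type, pid, ppid, image, cmdline, key, value, data) and the helper names are assumptions, not a tria.ge schema.

```python
import ntpath
import re
from typing import Dict, List, NamedTuple, Optional

# Directories in which Windows ships a binary of this name (lower-case).
# The sample drops same-named files under c:\windows\resources\, which is not one.
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}


class Finding(NamedTuple):
    rule: str
    pid: int
    detail: str


def norm(path: str) -> str:
    """Lower-case a path and drop the \\??\\ NT prefix the sandbox reports."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return ntpath.normpath(path).lower()


def masquerading(image: str) -> bool:
    """True when the file name is a Windows system binary but the directory is not."""
    image = norm(image)
    legit = LEGIT_DIRS.get(ntpath.basename(image))
    return legit is not None and ntpath.dirname(image) not in legit


def command_image(command: str) -> str:
    """Executable path from an autorun value ('"c:\\x y.exe" arg' or 'c:\\x.exe RO')."""
    command = command.replace("\\\\", "\\").strip()  # the report doubles backslashes
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def _opt(cmdline: str, name: str) -> Optional[str]:
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, cmdline, re.I)
    return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))


def parse_schtasks(cmdline: str) -> Optional[Dict[str, str]]:
    """{'tn': task name, 'tr': task action} for a 'schtasks /create' command line."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b", cmdline, re.I):
        return None
    tn, tr = _opt(cmdline, "tn"), _opt(cmdline, "tr")
    return None if tn is None or tr is None else {"tn": tn, "tr": tr}


def analyze(events: List[dict]) -> List[Finding]:
    """Apply the four checks to process-creation and registry-set records."""
    out: List[Finding] = []
    for ev in events:
        if ev["type"] == "process":
            if masquerading(ev["image"]):
                out.append(Finding("masquerading_system_binary", ev["pid"], norm(ev["image"])))
            task = parse_schtasks(ev["cmdline"])
            if task and masquerading(task["tr"]):
                out.append(Finding("schtask_runs_masquerading_binary", ev["pid"],
                                   task["tn"] + " -> " + norm(task["tr"])))
        elif ev["type"] == "registry":
            key = ev["key"].lower()
            if key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
                image = command_image(ev["data"])
                if masquerading(image):
                    out.append(Finding("autorun_to_masquerading_binary", ev["pid"],
                                       ev["value"] + " = " + norm(image)))
            elif (key.endswith("\\explorer\\advanced")
                  and ev["value"].lower() == "showsuperhidden" and str(ev["data"]) == "0"):
                out.append(Finding("hides_protected_os_files", ev["pid"], key))
    return out


def ancestry(events: List[dict], pid: int) -> List[int]:
    """Walk parent PIDs back to the dropper; stops at unknown parents or a cycle."""
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    chain = [pid]
    while True:
        parent = parents.get(chain[-1])
        if parent is None or parent not in parents or parent in chain:
            return chain
        chain.append(parent)


def proc(pid, ppid, image, cmdline=None):  # hypothetical record layout
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image,
            "cmdline": image if cmdline is None else cmdline}


def reg(pid, key, value, data):
    return {"type": "registry", "pid": pid, "key": key, "value": value, "data": data}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
ADVANCED = ("\\REGISTRY\\USER\\S-1-5-21-940600906-3464502421-4240639183-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced")

EVENTS = [  # constructed from the report; PIDs and paths as the sandbox logged them
    proc(1956, 1000, SAMPLE),
    proc(2500, 1956, r"\??\c:\windows\resources\themes\explorer.exe"),
    proc(2388, 2500, r"\??\c:\windows\resources\spoolsv.exe", r"c:\windows\resources\spoolsv.exe SE"),
    proc(2908, 2388, r"\??\c:\windows\resources\svchost.exe"),
    proc(2724, 2908, r"\??\c:\windows\resources\spoolsv.exe", r"c:\windows\resources\spoolsv.exe PR"),
    proc(2736, 2500, r"C:\Windows\Explorer.exe"),  # the real shell: must not alert
    proc(2856, 2908, r"C:\Windows\SysWOW64\schtasks.exe",
         'schtasks /create /tn "svchost" /tr "c:\\windows\\resources\\svchost.exe" /sc daily /st 20:24 /f'),
    proc(700, 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),  # benign control
    reg(2500, RUNONCE, "Explorer", r"c:\\windows\\resources\\themes\\explorer.exe RO"),
    reg(2908, RUNONCE, "Svchost", r"c:\\windows\\resources\\svchost.exe RO"),
    reg(2500, ADVANCED, "ShowSuperHidden", "0"),
    reg(4242, r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run",
        "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),  # benign control
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f.rule, f.pid, f.detail, "chain:", ancestry(EVENTS, f.pid))
```

Run as-is it prints eight findings, each with its ancestry back to PID 1956; the controls (the real C:\Windows\Explorer.exe child at PID 2736, a System32 svchost.exe and an ordinary Run value) produce none. LEGIT_DIRS is deliberately narrow: explorer.exe legitimately lives in both C:\Windows and C:\Windows\SysWOW64, so the sample's write to C:\Windows\SysWOW64\explorer.exe (the "Drops file in System32 directory" signature) is a file-integrity question that this path rule cannot answer on its own.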
Network
MITRE ATT&CK Enterprise v15
Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1); Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1); Scheduled Task/Job: Scheduled Task (1)
Downloads
File 1
  Filesize: 206KB
  MD5: d739417ee850eca3384c502aa2d9591d
  SHA1: a429891394828719b3661d5ca11086ab79d90f9b
  SHA256: 456e0284db699610ab49d81a7113a6af9b208ae7cb3f87f565dd2314723ff6fd
  SHA512: 4357fa6889b060d6757f75b488135d13a1eb0a59314608e090f17e45cd24d2c915d0c2400c5b6112c3299cc92801b9c71faf5073de41dd38de80c8f0eae4947b
File 2
  Filesize: 206KB
  MD5: 8255f40feec017695a9262a3c9775a15
  SHA1: 2e027f62b6290e136846623f6518cf94d679deb6
  SHA256: 034d0044fdd872ba8097798c702473232e8fee28a5878ad600301c120257cdd9
  SHA512: 9348c60de58192e8f1753048900215904f3b061721eeb2bb31961d0b3ae05e0b6c11659a619313a1ac7f156fefe9641f3c5e542a1c63d4142420781008c0ca2a
File 3
  Filesize: 206KB
  MD5: b17d5b7217db225cc671b77610329be6
  SHA1: ed083bc1bc5e8d7622ba39442058235cf9ea7faa
  SHA256: 280329eb200b8984c4bfd3b97b086e3a05a1d0a7b57127419d6a31c116e972d8
  SHA512: 14ac5296e1eebfbd91764a4d18da874ac9d4b7f3d92280cfc331771db4b0ea7ec9f8dbeaba5256df4b60be46d2cf420981aa619508b4b6ad03dccb2023fc6f1f