Analysis
- max time kernel: 120s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 19:56
Static task
- static1
Behavioral task behavioral1
- Sample: 89ee1a81ae7fa351c0a459c97d5e8680N.exe
- Resource: win7-20240705-en
Behavioral task behavioral2
- Sample: 89ee1a81ae7fa351c0a459c97d5e8680N.exe
- Resource: win10v2004-20240802-en
General
- Target: 89ee1a81ae7fa351c0a459c97d5e8680N.exe
- Size: 3.6MB
- MD5: 89ee1a81ae7fa351c0a459c97d5e8680
- SHA1: b33657444c36d3bd09d01758c92ffe4104756114
- SHA256: 76e24c3e4eea9c6c2ae3574f00318d6e90bfed25e9c0b0e536ddd76fd4ca6deb
- SHA512: 97028e2fd81dac5a798d42276f39b5f3d67abedcd198e10033ec270ac980a7f19c1b4814e284532cd054560bdde90ab5f74a8d0992def771a467591c9435d75d
- SSDEEP: 98304:ddByXcdnlLwOrI5Vfeg91hZOhkRpsinjP:ddien+OrFuBR6cP
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
- 2008 | explorer.exe
- 2224 | spoolsv.exe
- 2872 | svchost.exe
- 2240 | spoolsv.exe
Loads dropped DLL (4 IoCs)
pid | Process
- 2456 | 89ee1a81ae7fa351c0a459c97d5e8680N.exe
- 2008 | explorer.exe
- 2224 | spoolsv.exe
- 2872 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
- File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (30 IoCs)
pid | Process (consecutive repeated hits grouped, in the order reported)
- 2456 | 89ee1a81ae7fa351c0a459c97d5e8680N.exe (1)
- 2008 | explorer.exe (2)
- 2224 | spoolsv.exe (1)
- 2872 | svchost.exe (1)
- 2240 | spoolsv.exe (2)
- 2872 | svchost.exe (1)
- 2008 explorer.exe and 2872 svchost.exe, alternating (11 each)
Drops file in Windows directory (4 IoCs)
description | ioc | Process
- File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 89ee1a81ae7fa351c0a459c97d5e8680N.exe
- File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
- File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89ee1a81ae7fa351c0a459c97d5e8680N.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 2644 | schtasks.exe
- 2316 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (consecutive repeated hits grouped, in the order reported)
- 2456 | 89ee1a81ae7fa351c0a459c97d5e8680N.exe (17)
- 2008 | explorer.exe (16)
- 2872 | svchost.exe (16)
- 2008 | explorer.exe (3)
- 2872 | svchost.exe (2)
- 2008 explorer.exe and 2872 svchost.exe, alternating (5 each)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
- 2872 | svchost.exe
- 2008 | explorer.exe
Suspicious use of SetWindowsHookEx (15 IoCs)
pid | Process
- 2456 | 89ee1a81ae7fa351c0a459c97d5e8680N.exe (3)
- 2008 | explorer.exe (3)
- 2224 | spoolsv.exe (3)
- 2872 | svchost.exe (3)
- 2240 | spoolsv.exe (3)
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target (each entry is reported four times)
- PID 2456 wrote to memory of 2008 | 2456 | 89ee1a81ae7fa351c0a459c97d5e8680N.exe | 29 (x4)
- PID 2008 wrote to memory of 2224 | 2008 | explorer.exe | 30 (x4)
- PID 2224 wrote to memory of 2872 | 2224 | spoolsv.exe | 31 (x4)
- PID 2872 wrote to memory of 2240 | 2872 | svchost.exe | 32 (x4)
- PID 2008 wrote to memory of 2816 | 2008 | explorer.exe | 33 (x4)
- PID 2872 wrote to memory of 2644 | 2872 | svchost.exe | 34 (x4)
- PID 2872 wrote to memory of 2316 | 2872 | svchost.exe | 37 (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\89ee1a81ae7fa351c0a459c97d5e8680N.exe (PID 2456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\89ee1a81ae7fa351c0a459c97d5e8680N.exe"
  Signatures: Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - \??\c:\windows\resources\themes\explorer.exe (PID 2008)
    Command line: c:\windows\resources\themes\explorer.exe
    Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\spoolsv.exe (PID 2224)
      Command line: c:\windows\resources\spoolsv.exe SE
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\svchost.exe (PID 2872)
        Command line: c:\windows\resources\svchost.exe
        Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\spoolsv.exe (PID 2240)
          Command line: c:\windows\resources\spoolsv.exe PR
          Signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\schtasks.exe (PID 2644)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:58 /f
          Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
        - C:\Windows\SysWOW64\schtasks.exe (PID 2316)
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:59 /f
          Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    - C:\Windows\Explorer.exe (PID 2816)
      Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- File 1
  Filesize: 3.6MB
  MD5: c3f517d4d49e76a20a6cffda4258ced7
  SHA1: 7c88dacb4e028a6942b3e955ff3526774c6841a7
  SHA256: 5bdd1e32202c1b830eb578d73186a6815fcf39131d2008c778f807a94c2d7722
  SHA512: e46651f1a635e3a431290740b0ff5562ce8746fe0b92c5cb1682bbbceae2e4cb7aaf36e3948e86db492e08b64ad1a913fca39f1bfa5865ecd634d53218e8ec0c
- File 2
  Filesize: 3.6MB
  MD5: 0dc177421d0b95496a486b2caa779528
  SHA1: 277bb87d9e7efec94b806dcb1f1d2aeb8fff5825
  SHA256: 163cbe5073bfbbb2d2ad4f167162cb9318bc0df90b221760fcd2ae4712dad541
  SHA512: b23c57cfdff23db61485546eb4b2f6675140e4b5830cadc6d04ba710a29d8c9edf0f6b736afa6e931ac94895bec844d2d92b6ae4689cb1aaf3c8f39980f47782
- File 3
  Filesize: 3.6MB
  MD5: 15e7eccc9788fabd594b1a7ebf7d6e48
  SHA1: cba94b8593418528e53b69fc58a05bc14912523b
  SHA256: a72188ee7c69f7b84efcd2e859341d62179bd7b5c0e599718ae7aa50331f58d9
  SHA512: c6e20b4d66aa9e33f7cfedde35cf5d1ffc605e58a371fbb0147144894bb4d8e5c9d3ebdf367660b2a157b6f4be0c6f9ea3e5822c237bee31158e178ec587d70b