Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 26/08/2024, 02:10
Behavioral task
behavioral1
- Sample: fd85a77b1322ab368cd2e8702cdbecb0N.exe
- Resource: win7-20240708-en
General
- Target: fd85a77b1322ab368cd2e8702cdbecb0N.exe
- Size: 400KB
- MD5: fd85a77b1322ab368cd2e8702cdbecb0
- SHA1: 392848b6b67a19e2aed417b2c472cbe1ab5e3d8e
- SHA256: da359c2f4625fcff92e0e8eca9517110b0279957aa0bf9198c9cc34053cebac5
- SHA512: 10e55b4069818cc1c45edbd14460d8b14aed4b558e431d107c708f7fdfe3daa30b9d843b981de5306aae216f78f70a616f2396e8dc349dd4ca8f5736e7071672
- SSDEEP: 3072:fDNcIFN3tw4QfwmAOMe6UJbVM/vkA9OQzY6eCFs5Juh2v19hlDcfbEdp7uxEo+9l:LJigOTJXYOaFs5Juh819hqkuGh2LeyI
Malware Config

Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\57689 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mscaoz.exe" (svchost.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
Executes dropped EXE (3 IoCs)
- PID 964 skypee.exe
- PID 2892 skypee.exe
- PID 2872 skypee.exe
Loads dropped DLL (5 IoCs)
- PID 2908 fd85a77b1322ab368cd2e8702cdbecb0N.exe (3 entries)
- PID 964 skypee.exe (2 entries)
yara rule: upx (13 IoCs)
- behavioral1/memory/1488-0-0x0000000000400000-0x0000000000464000-memory.dmp
- behavioral1/memory/2908-196-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/2908-202-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/2908-210-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/1488-211-0x0000000000400000-0x0000000000464000-memory.dmp
- behavioral1/memory/2908-203-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/1488-199-0x0000000000400000-0x0000000000464000-memory.dmp
- behavioral1/memory/2908-194-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/files/0x000a000000017520-236.dat
- behavioral1/memory/964-249-0x0000000000400000-0x0000000000464000-memory.dmp
- behavioral1/memory/2908-452-0x0000000000400000-0x000000000040B000-memory.dmp
- behavioral1/memory/964-449-0x0000000000400000-0x0000000000464000-memory.dmp
- behavioral1/memory/2892-465-0x0000000000400000-0x000000000040B000-memory.dmp
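The upx rule above fires on dumped memory regions and on the dropped file. The two checks an analyst applies by hand to such a dump are the UPX0/UPX1 section names and the "UPX!" marker UPX leaves in the header area. The script below is an added example, not tria.ge code and not derived from the sample: it parses the PE section table and reports those fingerprints. The PE bytes it runs on are constructed by the build_minimal_pe helper (a test fixture, not a real packed binary) so the script runs offline.

```python
"""Fingerprint UPX packing in a PE image or memory dump (added example)."""
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def build_minimal_pe(section_names, tag=b""):
    """Constructed test input: DOS header with e_lfanew, PE signature, COFF
    header, zero-length optional header, one 40-byte section header per
    name, then an optional trailing tag standing in for UPX's packheader."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 in this stub), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(name[:8].ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
                        for name in section_names)
    return bytes(dos) + PE_SIGNATURE + coff + sections + tag


def pe_section_names(image):
    """Walk the section table and return the section names (NUL-stripped)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        names.append(image[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(image):
    """Return the UPX fingerprints present (empty list means none found)."""
    hits = []
    upx_sections = [n for n in pe_section_names(image) if n.upper().startswith("UPX")]
    if upx_sections:
        hits.append("sections " + ",".join(upx_sections))
    # UPX writes its "UPX!" packheader just after the section table, so it
    # normally sits inside the first page of headers, even in a memory dump.
    if b"UPX!" in image[:0x400]:
        hits.append("UPX! header tag")
    return hits


if __name__ == "__main__":
    packed = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"], tag=b"UPX!")
    clean = build_minimal_pe([b".text", b".rdata", b".data"])
    print("packed:", upx_indicators(packed))
    print("clean: ", upx_indicators(clean))
```

Both checks are defeatable (UPX lets the packer rename sections, and the tag can be patched out), which is why the sandbox runs a yara rule over the dump rather than trusting names; treat a hit as confirmation and a miss as inconclusive.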
Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\skypee = "C:\\Windows\\Skypee\\skypee.exe" (reg.exe)
Checks whether UAC is enabled (2 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (fd85a77b1322ab368cd2e8702cdbecb0N.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (skypee.exe)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum (skypee.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (skypee.exe)
Suspicious use of SetThreadContext (3 IoCs)
- PID 1488 fd85a77b1322ab368cd2e8702cdbecb0N.exe set thread context of PID 2908 (procid_target 31)
- PID 964 skypee.exe set thread context of PID 2892 (procid_target 36)
- PID 964 skypee.exe set thread context of PID 2872 (procid_target 37)
Drops file in Program Files directory (1 IoCs)
- File created: C:\PROGRA~3\LOCALS~1\Temp\mscaoz.exe (svchost.exe)
Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\Skypee\skypee.exe (fd85a77b1322ab368cd2e8702cdbecb0N.exe)
- File opened for modification: C:\Windows\Skypee\skypee.exe (svchost.exe)
- File created: C:\Windows\Skypee\skypee.exe (fd85a77b1322ab368cd2e8702cdbecb0N.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by skypee.exe (3 entries), fd85a77b1322ab368cd2e8702cdbecb0N.exe (2 entries), svchost.exe, cmd.exe and reg.exe (1 entry each)
Suspicious behavior: EnumeratesProcesses (1 IoCs)
- PID 2872 skypee.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
- PID 2872 skypee.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 2892 skypee.exe (64 identical entries)
Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 1488 fd85a77b1322ab368cd2e8702cdbecb0N.exe
- PID 2908 fd85a77b1322ab368cd2e8702cdbecb0N.exe
- PID 964 skypee.exe
- PID 2892 skypee.exe
Suspicious use of WriteProcessMemory (39 IoCs)
- PID 1488 fd85a77b1322ab368cd2e8702cdbecb0N.exe wrote to memory of PID 2908 (procid_target 31): 8 entries
- PID 2908 fd85a77b1322ab368cd2e8702cdbecb0N.exe wrote to memory of PID 448 (procid_target 32): 4 entries
- PID 448 cmd.exe wrote to memory of PID 2004 (procid_target 34): 4 entries
- PID 2908 fd85a77b1322ab368cd2e8702cdbecb0N.exe wrote to memory of PID 964 (procid_target 35): 4 entries
- PID 964 skypee.exe wrote to memory of PID 2892 (procid_target 36): 8 entries
- PID 964 skypee.exe wrote to memory of PID 2872 (procid_target 37): 7 entries
- PID 2872 skypee.exe wrote to memory of PID 1612 (procid_target 38): 4 entries
Processes

PID 1488  C:\Users\Admin\AppData\Local\Temp\fd85a77b1322ab368cd2e8702cdbecb0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd85a77b1322ab368cd2e8702cdbecb0N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  PID 2908 (child of 1488)  C:\Users\Admin\AppData\Local\Temp\fd85a77b1322ab368cd2e8702cdbecb0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fd85a77b1322ab368cd2e8702cdbecb0N.exe"
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    PID 448 (child of 2908)  C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCYXB.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      PID 2004 (child of 448)  C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "skypee" /t REG_SZ /d "C:\Windows\Skypee\skypee.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

    PID 964 (child of 2908)  C:\Windows\Skypee\skypee.exe
      Command line: "C:\Windows\Skypee\skypee.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      PID 2892 (child of 964)  C:\Windows\Skypee\skypee.exe
        Command line: "C:\Windows\Skypee\skypee.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      PID 2872 (child of 964)  C:\Windows\Skypee\skypee.exe
        Command line: "C:\Windows\Skypee\skypee.exe"
        - Executes dropped EXE
        - Maps connected drives based on registry
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        PID 1612 (child of 2872)  C:\Windows\syswow64\svchost.exe
          Command line: C:\Windows\syswow64\svchost.exe
          - Adds policy Run key to start application
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 121B
  MD5: 6f03830aff31995957052b694b2211a0
  SHA1: bc98df25a4accd29643b311c106e1cdcecdec93c
  SHA256: 7ddb76d54b187f9e03639ee200536062c36abea7f2fb073ca9bccfb5acc55934
  SHA512: f02357a8148e3f0c2e3f8f44c317c94450cbda8acd1890369ad91cd1c140089bfbfd6659702f79761e49b8b665f37667d806ccaed416c6de43e1a99d07a69175
- Filesize: 400KB
  MD5: 73ba3f9d006427154dcfcc66c6545bfd
  SHA1: 0513a3babe49795c1f5ed584b2115f554fb71fc4
  SHA256: 56132847565fe784bbb4013a643d5682d3fbace75d455af1ac1055f6e4d4249d
  SHA512: 82ccac60c558e8a6e8222685fba4b7ea25abca535f94db93bf03ac193e64e3010c837911b54b69860a413da86d0bd03b0fa062f3e1e5acd52b046581a429e6bb