Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 28/08/2024, 23:47
Static task: static1
Behavioral task: behavioral1
    Sample: 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
    Resource: win7-20240704-en
Behavioral task: behavioral2
    Sample: 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
    Resource: win10v2004-20240802-en
General
Target: 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
Size: 135KB
MD5: 58152863ee670eca3dbf9a2430759bc4
SHA1: 20d0c59274bf766666b701327a2c8aea8b4f26d6
SHA256: 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc
SHA512: 1da8ee454dcdda81f11453ff29215f9a393a4744b43e1af24c0ae4fef4447a6cf8bf8d54f4f1404657c001b8aa7831e0d5b264e61bd76ac64e4ff43bf14a8fcc
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVBu:UVqoCl/YgjxEufVU0TbTyDDal7u
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Executes dropped EXE (4 IoCs)
pid | Process
2264 | explorer.exe
3036 | spoolsv.exe
2224 | svchost.exe
2928 | spoolsv.exe
Loads dropped DLL (4 IoCs)
pid | Process
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2264 | explorer.exe
3036 | spoolsv.exe
2224 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2160 | schtasks.exe
1172 | schtasks.exe
1856 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2264 | explorer.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2224 | svchost.exe
2264 | explorer.exe
2224 | svchost.exe
2264 | explorer.exe
2224 | svchost.exe
2264 | explorer.exe
2264 | explorer.exe
2224 | svchost.exe
2224 | svchost.exe
2264 | explorer.exe
2224 | svchost.exe
2264 | explorer.exe
2264 | explorer.exe
2224 | svchost.exe
2224 | svchost.exe
2264 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2224 | svchost.exe
2264 | explorer.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe
2264 | explorer.exe
2264 | explorer.exe
3036 | spoolsv.exe
3036 | spoolsv.exe
2224 | svchost.exe
2224 | svchost.exe
2928 | spoolsv.exe
2928 | spoolsv.exe
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 2516 wrote to memory of 2264 | 2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe | 30
PID 2516 wrote to memory of 2264 | 2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe | 30
PID 2516 wrote to memory of 2264 | 2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe | 30
PID 2516 wrote to memory of 2264 | 2516 | 7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe | 30
PID 2264 wrote to memory of 3036 | 2264 | explorer.exe | 31
PID 2264 wrote to memory of 3036 | 2264 | explorer.exe | 31
PID 2264 wrote to memory of 3036 | 2264 | explorer.exe | 31
PID 2264 wrote to memory of 3036 | 2264 | explorer.exe | 31
PID 3036 wrote to memory of 2224 | 3036 | spoolsv.exe | 32
PID 3036 wrote to memory of 2224 | 3036 | spoolsv.exe | 32
PID 3036 wrote to memory of 2224 | 3036 | spoolsv.exe | 32
PID 3036 wrote to memory of 2224 | 3036 | spoolsv.exe | 32
PID 2224 wrote to memory of 2928 | 2224 | svchost.exe | 33
PID 2224 wrote to memory of 2928 | 2224 | svchost.exe | 33
PID 2224 wrote to memory of 2928 | 2224 | svchost.exe | 33
PID 2224 wrote to memory of 2928 | 2224 | svchost.exe | 33
PID 2264 wrote to memory of 2796 | 2264 | explorer.exe | 34
PID 2264 wrote to memory of 2796 | 2264 | explorer.exe | 34
PID 2264 wrote to memory of 2796 | 2264 | explorer.exe | 34
PID 2264 wrote to memory of 2796 | 2264 | explorer.exe | 34
PID 2224 wrote to memory of 2160 | 2224 | svchost.exe | 35
PID 2224 wrote to memory of 2160 | 2224 | svchost.exe | 35
PID 2224 wrote to memory of 2160 | 2224 | svchost.exe | 35
PID 2224 wrote to memory of 2160 | 2224 | svchost.exe | 35
PID 2224 wrote to memory of 1172 | 2224 | svchost.exe | 39
PID 2224 wrote to memory of 1172 | 2224 | svchost.exe | 39
PID 2224 wrote to memory of 1172 | 2224 | svchost.exe | 39
PID 2224 wrote to memory of 1172 | 2224 | svchost.exe | 39
PID 2224 wrote to memory of 1856 | 2224 | svchost.exe | 41
PID 2224 wrote to memory of 1856 | 2224 | svchost.exe | 41
PID 2224 wrote to memory of 1856 | 2224 | svchost.exe | 41
PID 2224 wrote to memory of 1856 | 2224 | svchost.exe | 41
Processes
C:\Users\Admin\AppData\Local\Temp\7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe (PID 2516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ddf9357a84e919c258ee3433dbc1c86e4dfc35b4816cc05c4fb18beb20fe0bc.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe (PID 2264)
        Command line: c:\windows\resources\themes\explorer.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\spoolsv.exe (PID 3036)
            Command line: c:\windows\resources\spoolsv.exe SE
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            \??\c:\windows\resources\svchost.exe (PID 2224)
                Command line: c:\windows\resources\svchost.exe
                - Modifies visibility of hidden/system files in Explorer
                - Executes dropped EXE
                - Loads dropped DLL
                - Adds Run key to start application
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                \??\c:\windows\resources\spoolsv.exe (PID 2928)
                    Command line: c:\windows\resources\spoolsv.exe PR
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious use of SetWindowsHookEx

                C:\Windows\SysWOW64\schtasks.exe (PID 2160)
                    Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:49 /f
                    - System Location Discovery: System Language Discovery
                    - Scheduled Task/Job: Scheduled Task

                C:\Windows\SysWOW64\schtasks.exe (PID 1172)
                    Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:50 /f
                    - System Location Discovery: System Language Discovery
                    - Scheduled Task/Job: Scheduled Task

                C:\Windows\SysWOW64\schtasks.exe (PID 1856)
                    Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:51 /f
                    - System Location Discovery: System Language Discovery
                    - Scheduled Task/Job: Scheduled Task

        C:\Windows\Explorer.exe (PID 2796)
            Command line: C:\Windows\Explorer.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Downloads
Filesize: 135KB
MD5: a1638c9ff519b2633da7641d1aec478e
SHA1: 4e8a5ff530cca92de2fb652043166c93be7e8715
SHA256: 19f727ab0bd87cb2ece8c667541cf26b320b146afb477a46712ed25b310e95b7
SHA512: cc884c0038892593d91fd300c5134cf0eedabe6e8961a6cd6edffb502230f0203ed86212feca9621ae42ed14bcb6643f5fcfe3d40fa07909738fd3081f400e19

Filesize: 135KB
MD5: 2b02a4ba40c59499f713570f11f523d7
SHA1: b75166ac1f9e50b6704630b0315432cc5d65d671
SHA256: cc7b7af8bcaa31a4dd780f944e053d16d27e7488ca2f9837b4351edbe01ed8bb
SHA512: 6cd9718b332dff29bf2b4bc087b7a59fb402918b2ec8a38414371019b64daf2223d261196f2df6ab6aed8be403e115450deddb4026284651e9053b0280d66939

Filesize: 135KB
MD5: 433f7b32707543c8ebd198bb82b58cc1
SHA1: bb530b7b169654936c45f44e904ed5a7830a46ea
SHA256: cf8e8126ea4ad98825f72c8e867f1d4abd16367b15c7c30b9316beffce63091c
SHA512: 3c90133920dc874aec4f70d0c8c2ed89bd09abf5d98c337fc91e44ed7375438ea54b6ca4d60ae385e85feec55bf159fbf1111395522e294dbaf6b37deb958439