Analysis
max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 2024-09-04 12:43
Static task: static1
Behavioral task: behavioral1
  Sample: bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
  Resource: win10v2004-20240802-en
General
Target: bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
Size: 1.6MB
MD5: 6859839bca334b519de5bf66776171cb
SHA1: 2d1428485997bb5e9f89735fe57ba8e83bde1df8
SHA256: bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d
SHA512: 0a0c94371dc237dc2ff025ff72e91dd5e48aa440c5936c4798ed99c0dbcce08f784a71661c269bdffdc898fd89e25866be47a66e91c213ba5b743292aa865e3c
SSDEEP: 24576:x1wQ2xJz6Mn2qMeqm3m+mBa+EGgwZc5W7qTBNiT8L+X+phmgJ7i:Lw1Jz6efR3m+MEGgSCBNiT86XKhmI
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
2760  obs-browser-page.exe
2168  obs-browser-page.exe
resource                                                                     yara_rule
behavioral1/memory/2760-28-0x0000000180000000-0x0000000180066000-memory.dmp  upx
behavioral1/memory/2760-39-0x0000000180000000-0x0000000180066000-memory.dmp  upx
behavioral1/memory/2760-32-0x0000000180000000-0x0000000180066000-memory.dmp  upx
behavioral1/memory/2760-31-0x0000000180000000-0x0000000180066000-memory.dmp  upx

resource                                                                     yara_rule
behavioral1/files/0x000700000001934d-14.dat                                  vmprotect
behavioral1/memory/2760-24-0x000007FEF7660000-0x000007FEF7739000-memory.dmp  vmprotect
behavioral1/memory/2760-25-0x000007FEF7660000-0x000007FEF7739000-memory.dmp  vmprotect
behavioral1/memory/2760-51-0x000007FEF7660000-0x000007FEF7739000-memory.dmp  vmprotect
behavioral1/memory/2168-57-0x000007FEF77F0000-0x000007FEF78C9000-memory.dmp  vmprotect
behavioral1/memory/2168-58-0x000007FEF77F0000-0x000007FEF78C9000-memory.dmp  vmprotect
behavioral1/memory/2168-75-0x000007FEF77F0000-0x000007FEF78C9000-memory.dmp  vmprotect
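The yara_rule rows above tag one dropped file and several memory dumps as upx and vmprotect. As an added example (not code from the report or from tria.ge), the following walks a PE section table and applies the weakest packer heuristic there is, the default section names both packers emit, so that the difference from the sandbox's approach is visible: a memory dump of an already-unpacked region has no section table, and both packers let the operator rename sections, which is why the report's matches come from YARA rules on code patterns rather than names. The PE images checked here are constructed inside the block (headers only, not runnable binaries); the section-name sets are the packers' stock defaults and are the only assumption.

```python
import struct

# Default section names left by stock UPX and VMProtect builds. Both tools let
# the user rename sections, so a miss proves nothing; a hit is only a hint.
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
VMPROTECT_SECTIONS = {b".vmp0", b".vmp1", b".vmp2"}

COFF_SIZE = 20      # IMAGE_FILE_HEADER
SECTION_SIZE = 40   # IMAGE_SECTION_HEADER


def section_names(data: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)    # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)     # SizeOfOptionalHeader
    table = coff + COFF_SIZE + opt_size
    if table + n_sections * SECTION_SIZE > len(data):
        # A truncated or lying header is itself worth flagging; never read past EOF.
        raise ValueError("section table runs past end of file")
    names = []
    for i in range(n_sections):
        (raw,) = struct.unpack_from("<8s", data, table + i * SECTION_SIZE)
        names.append(raw.rstrip(b"\0"))
    return names


def packer_hints(data: bytes) -> list:
    """Return the packer names whose default sections appear in the image."""
    names = set(section_names(data))
    hints = []
    if names & UPX_SECTIONS:
        hints.append("upx")
    if names & VMPROTECT_SECTIONS:
        hints.append("vmprotect")
    return hints


def build_test_pe(names) -> bytes:
    """Constructed sample: a header-only PE32+ with the given section names.
    Not a real or runnable binary; only the fields the parser reads are set."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240  # size of the PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, opt_size, 0x0022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)   # magic PE32+, rest zero
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1),       # VirtualSize, VirtualAddress
                    0x200, 0x400 + 0x200 * i,       # SizeOfRawData, PointerToRawData
                    0, 0, 0, 0, 0x60000020)         # relocs/linenumbers, Characteristics
        for i, n in enumerate(names)
    )
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    for names in ([b"UPX0", b"UPX1", b".rsrc"],
                  [b".text", b".vmp0", b".vmp1"],
                  [b".text", b".rdata"]):
        print(names, "->", packer_hints(build_test_pe(names)))
```

Run it on a real dropped file by replacing the constructed image with `open(path, "rb").read()`; on the memory dumps listed above it will raise, because a dumped region starts with the in-memory image rather than a file header, which is exactly the case the YARA rules cover.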
Suspicious use of SetThreadContext (3 IoCs)
description                          pid   Process               procid_target
PID 2760 set thread context of 2908  2760  obs-browser-page.exe  35
PID 832 set thread context of 2288   832   svchost.exe           38
PID 2288 set thread context of 2924  2288  svchost.exe           39
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0       svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ  svchost.exe
Modifies data under HKEY_USERS 6 IoCs
description      ioc                                                                            Process
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"  svchost.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit               svchost.exe
Key created      \REGISTRY\USER\.DEFAULT\Software                                                    svchost.exe
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft                                          svchost.exe
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie                              svchost.exe
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit               svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated rows for the same process collapsed, listed in order of first appearance)
pid   Process
3056  bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
2760  obs-browser-page.exe
2908  svchost.exe
2168  obs-browser-page.exe
832   svchost.exe
2288  svchost.exe
2924  dllhost.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2908  svchost.exe
Token: SeTcbPrivilege    2908  svchost.exe
Token: SeAuditPrivilege  832   svchost.exe
Suspicious use of WriteProcessMemory (24 IoCs; identical rows collapsed with a count)
description                        pid   Process               procid_target  rows
PID 2760 wrote to memory of 2908   2760  obs-browser-page.exe  35             6
PID 2188 wrote to memory of 2168   2188  taskeng.exe           37             3
PID 2168 wrote to memory of 832    2168  obs-browser-page.exe  13             3
PID 832 wrote to memory of 2288    832   svchost.exe           38             6
PID 2288 wrote to memory of 2924   2288  svchost.exe           39             6
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
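The WriteProcessMemory and SetThreadContext tables above are flat event rows, and on their own a "wrote to memory of" row is ambiguous: CreateProcess writes into every child it starts. What separates injection from process creation is whether the writer also owns the target as a child and whether it replaced a thread context. The following is an added example (not code from the report or from tria.ge) that parses rows in the report's row shape, re-typed here from the tables above with duplicates removed, joins them with the parent/child relations shown in the process tree, and labels each writer/target pair. The PROCESSES table is transcribed from this page; the three labels and the rule that assigns them are this example's own heuristic, not a tria.ge classification.

```python
import re
from collections import defaultdict

# Constructed input: the report's WriteProcessMemory and SetThreadContext rows,
# re-typed in the flattened "PID <src> <verb> <dst> <src> <image> <target idx>"
# shape the report uses, with duplicate rows removed.
EVENT_ROWS = """
PID 2760 wrote to memory of 2908 2760 obs-browser-page.exe 35
PID 2188 wrote to memory of 2168 2188 taskeng.exe 37
PID 2168 wrote to memory of 832 2168 obs-browser-page.exe 13
PID 832 wrote to memory of 2288 832 svchost.exe 38
PID 2288 wrote to memory of 2924 2288 svchost.exe 39
PID 2760 set thread context of 2908 2760 obs-browser-page.exe 35
PID 832 set thread context of 2288 832 svchost.exe 38
PID 2288 set thread context of 2924 2288 svchost.exe 39
"""

# Process tree as rendered in the report: pid -> (image, parent pid).
# None means the report shows no parent; 832 is the pre-existing netsvcs host,
# not something the sample created.
PROCESSES = {
    832:  ("svchost.exe -k netsvcs", None),
    2188: ("taskeng.exe", 832),
    2168: ("WinDefScan\\obs-browser-page.exe -svc", 2188),
    2288: ("svchost.exe -k netsvcs", 832),
    2924: ("dllhost.exe", 2288),
    3056: ("bc4156ed...b856a90d.exe", None),
    2760: ("C:\\obs-browser-page.exe", None),
    2908: ("svchost.exe -Install", 2760),
}

ROW = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ \S+ \d+$"
)


def parse_events(text):
    """Return (src_pid, kind, dst_pid) triples; kind is 'write' or 'context'."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        kind = "write" if m["verb"].startswith("wrote") else "context"
        events.append((int(m["src"]), kind, int(m["dst"])))
    return events


def classify_pairs(events, procs):
    """Label every (writer, target) pair seen in the events.

    hollowing        src created dst, wrote into it and replaced a thread
                     context: the create-suspended / write / resume pattern,
                     so execution moves into dst
    cross-injection  src wrote into a process it did not create
    parent-write     src wrote into its own child and never touched a thread
                     context; CreateProcess does this for every child, so on
                     its own it is not evidence of injection
    """
    kinds = defaultdict(set)
    for src, kind, dst in events:
        kinds[(src, dst)].add(kind)
    verdicts = {}
    for (src, dst), ks in kinds.items():
        dst_parent = procs.get(dst, (None, None))[1]
        if dst_parent == src:
            verdicts[(src, dst)] = "hollowing" if "context" in ks else "parent-write"
        else:
            verdicts[(src, dst)] = "cross-injection"
    return verdicts


def execution_chain(verdicts, start):
    """Follow hollowing / cross-injection edges from `start` to the final host."""
    chain, seen, cur = [start], {start}, start
    while True:
        nxt = [d for (s, d), v in verdicts.items()
               if s == cur and v != "parent-write" and d not in seen]
        if not nxt:
            return chain
        cur = nxt[0]
        seen.add(cur)
        chain.append(cur)


if __name__ == "__main__":
    verdicts = classify_pairs(parse_events(EVENT_ROWS), PROCESSES)
    for (s, d), v in verdicts.items():
        print(f"{s:>5} {PROCESSES[s][0]:<38} -> {d:>5} {PROCESSES[d][0]:<24} {v}")
    print("first run:", execution_chain(verdicts, 2760))
    print("after scheduled-task relaunch:", execution_chain(verdicts, 2168))
```

Applied to this report the heuristic gives two separate chains: the first run hollows its own svchost.exe -Install child (2760 to 2908), and the copy relaunched from the scheduled task writes into the pre-existing netsvcs host 832, which in turn hollows a fresh svchost.exe (2288) that hollows dllhost.exe (2924). The taskeng.exe write into 2168 is the ordinary parent write and is labelled as such.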
Processes

C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs
  PID: 832
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskeng.exe
      cmdline: taskeng.exe {4FFF4EE4-4F95-46FD-89CD-33B656C77016} S-1-5-18:NT AUTHORITY\System:Service:
      PID: 2188
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\WinDefScan\obs-browser-page.exe
          cmdline: C:\Windows\system32\WinDefScan\obs-browser-page.exe -svc
          PID: 2168
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

    C:\Windows\system32\svchost.exe
      cmdline: C:\Windows\system32\svchost.exe -k netsvcs
      PID: 2288
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\dllhost.exe
          cmdline: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
          PID: 2924
          - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\bc4156ed6a3c7abf320866976da3f6229d3f30d3d59695e24b522c51b856a90d.exe"
  PID: 3056
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\cmd.exe
  cmdline: cmd /c copy C:\Windows\temp\259458772 C:\obs-browser-page.exe
  PID: 2768

C:\Windows\system32\cmd.exe
  cmdline: cmd /c copy C:\Windows\temp\259458881 C:\libcef.dll
  PID: 2828

C:\Windows\system32\cmd.exe
  cmdline: cmd /c copy C:\Windows\temp\259458990 C:\libcef.dat
  PID: 2680

C:\obs-browser-page.exe
  cmdline: C:\obs-browser-page.exe
  PID: 2760
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\svchost.exe
      cmdline: C:\Windows\system32\svchost.exe -Install
      PID: 2908
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 514KB
  MD5: c89b9fb97d02ac079a45725b3dfb54d4
  SHA1: 773d823a3304dad9a9e39e2227fba116370f4af7
  SHA256: ec605cc14c60e30682e84ec87d19034f7bd1399025ca11fbf3c4adeed85fadf0
  SHA512: 495381374990c8613f4d97efb30f561e4b4d3a54794e93ea373695df70556e70ac7883f77dc2c7cee2a681d71f07a90b092e1394bc15f8329eda9923bb5dfb5e

Download 2
  Filesize: 579KB
  MD5: e40e24cbe6cface80087910c49344ab9
  SHA1: 60e4fff4073030d0fa7eadf5ce718e4272545043
  SHA256: 1be1771b0c93e1a4c7c97e95dc18aad5842c9046bd75f4794f2439ffd07545b6
  SHA512: 0ef03f1d6a226d5fb1ca026fefb50c04ef510f8fdec2743b5490ee55905bb318f47efd1d8b53614ec907c6b60150fe23d840bd62519abcfb81f94895c74e5763

Download 3
  Filesize: 190KB
  MD5: 85ed07c782f6eef1c9ee20bdf1b48dfd
  SHA1: d47758ab5d1d832703ed95e366b2662865457808
  SHA256: 04750a2e16673314deb356d2c0209356eff1711c7eb3e69f764528a4ab742318
  SHA512: fb36eb0d903d63fed04029675eee8cb0c41946e72ee4272ccf127801bb36d72a909997909856f385afacbc42c4cfe745f9597f0e1b92496943dfb58c45a0824f