Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/09/2024, 06:47
Static task
static1
Behavioral task
behavioral1
Sample
e6c6100f9ee99a8d782b4b240ba20fa0N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e6c6100f9ee99a8d782b4b240ba20fa0N.exe
Resource
win10v2004-20240802-en
General
-
Target
e6c6100f9ee99a8d782b4b240ba20fa0N.exe
-
Size
206KB
-
MD5
e6c6100f9ee99a8d782b4b240ba20fa0
-
SHA1
5ee1001e95ed35662c9caf7f9d9275fcf26efb23
-
SHA256
1975e84347e187b6dfecc3b35ae2a737036a71dbce2a3195a2bff2383f418e6d
-
SHA512
7aa54a8005d4d3ad8e5feace00fd412a2d54808538c924a365e390c6a2ff7b937e62ce7784743ccc046a8430c76a2f1dd125f995f2966c87ba1859ff20297f49
-
SSDEEP
1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdMssssssssssssg:/VqoCl/YgjxEufVU0TbTyDDalbR
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 2408 explorer.exe 2784 spoolsv.exe 2752 svchost.exe 2596 spoolsv.exe -
Loads dropped DLL 8 IoCs
pid Process 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 2408 explorer.exe 2408 explorer.exe 2784 spoolsv.exe 2784 spoolsv.exe 2752 svchost.exe 2752 svchost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe e6c6100f9ee99a8d782b4b240ba20fa0N.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e6c6100f9ee99a8d782b4b240ba20fa0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2676 schtasks.exe 1452 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2408 explorer.exe 2408 explorer.exe 2408 explorer.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2408 explorer.exe 2752 svchost.exe 2408 explorer.exe 2408 explorer.exe 2752 svchost.exe 2752 svchost.exe 2408 explorer.exe 2408 explorer.exe 2752 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2752 svchost.exe 2408 explorer.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 2408 explorer.exe 2408 explorer.exe 2784 spoolsv.exe 2784 spoolsv.exe 2752 svchost.exe 2752 svchost.exe 2596 spoolsv.exe 2596 spoolsv.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 628 wrote to memory of 2408 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 31 PID 628 wrote to memory of 2408 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 31 PID 628 wrote to memory of 2408 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 31 PID 628 wrote to memory of 2408 628 e6c6100f9ee99a8d782b4b240ba20fa0N.exe 31 PID 2408 wrote to memory of 2784 2408 explorer.exe 32 PID 2408 wrote to memory of 2784 2408 explorer.exe 32 PID 2408 wrote to memory of 2784 2408 explorer.exe 32 PID 2408 wrote to memory of 2784 2408 explorer.exe 32 PID 2784 wrote to memory of 2752 2784 spoolsv.exe 33 PID 2784 wrote to memory of 2752 2784 spoolsv.exe 33 PID 2784 wrote to memory of 2752 2784 spoolsv.exe 33 PID 2784 wrote to memory of 2752 2784 spoolsv.exe 33 PID 2752 wrote to memory of 2596 2752 svchost.exe 34 PID 2752 wrote to memory of 2596 2752 svchost.exe 34 PID 2752 wrote to memory of 2596 2752 svchost.exe 34 PID 2752 wrote to memory of 2596 2752 svchost.exe 34 PID 2408 wrote to memory of 2548 2408 explorer.exe 35 PID 2408 wrote to memory of 2548 2408 explorer.exe 35 PID 2408 wrote to memory of 2548 2408 explorer.exe 35 PID 2408 wrote to memory of 2548 2408 explorer.exe 35 PID 2752 wrote to memory of 2676 2752 svchost.exe 36 PID 2752 wrote to memory of 2676 2752 svchost.exe 36 PID 2752 wrote to memory of 2676 2752 svchost.exe 36 PID 2752 wrote to memory of 2676 2752 svchost.exe 36 PID 2752 wrote to memory of 1452 2752 svchost.exe 39 PID 2752 wrote to memory of 1452 2752 svchost.exe 39 PID 2752 wrote to memory of 1452 2752 svchost.exe 39 PID 2752 wrote to memory of 1452 2752 svchost.exe 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6c6100f9ee99a8d782b4b240ba20fa0N.exe"C:\Users\Admin\AppData\Local\Temp\e6c6100f9ee99a8d782b4b240ba20fa0N.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2596
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:49 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2676
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:50 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1452
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:2548
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5eed49994307db535713d103948d2489f
SHA166c2723969aad676178d1f493b33016cb94566ea
SHA256daa61f7f13e8500e80a440d52e343abcf645d935bc850386dcba8949daa00beb
SHA51283f6c0fa1625ca47c87b9bbcf031a8e14ba9c344568bc5333dc6923e867e81e3370c331140670572ec7ac729346be6d24162a0138656058fa78b0d40ec11185d
-
Filesize
206KB
MD5eead61cd89ddb34ef03e673579857111
SHA187519da141477ec9ecedca45271e5e1cf20a1f3e
SHA2569f1481affe536c97330f0d97317e0bfb62a2ff1a648df1cb87a2a03240f595e5
SHA512ee1a0b6db7e5ac8df49d0ed801ada0f72cd0a4ed669b823fd97b7c39637e5b9e85bc175b83f09a174b7fe24dc1a73362bbeb715cdf53a859031b21e03237362c
-
Filesize
206KB
MD51b14a1f67e92d415a2381da7a9567d3d
SHA1a527c3de2f81d2f350e069479b151d1968a0adc4
SHA256a9f438cf550142c8dabf1a024b984559050c6ef8868fef050b3a65e60b6e1958
SHA512d40461b988698ab18a79ff2e58894a227393218acbf665483657ddcfd9313145a100981c0768c92ef0f37f3832e59e798a25ad96c010213de9f35a001e0a5836