Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
12/09/2024, 07:56
Static task
static1
Behavioral task
behavioral1
Sample
b3e33c93cefc11619de42b3876063480N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
b3e33c93cefc11619de42b3876063480N.exe
Resource
win10v2004-20240910-en
General
-
Target
b3e33c93cefc11619de42b3876063480N.exe
-
Size
3.1MB
-
MD5
b3e33c93cefc11619de42b3876063480
-
SHA1
7c5b487e67aa16aae375b107017a9b6b52547281
-
SHA256
e767398f9d479aaafbb817a8b3584be495e94efec64998afa9337c43ea71ddc0
-
SHA512
abe38e47abc4e9256791be87f659b0d0137fe2ebd21248a4d18da3994af65c1c0c2b690461b795c3a9bdf3b8303bb6d765390a2bd990ebc0ffeadbbe3b132729
-
SSDEEP
49152:+UJ6ZNXox4SgJhBsfHJq/nCFT4Mv0Pt97R:+tR4xGnCtvw9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe, cmd.exe /c start c:\\windows\\wininit.exe" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wininit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe, cmd.exe /c start c:\\windows\\wininit.exe" wininit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" wininit.exe Set value (int) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b3e33c93cefc11619de42b3876063480N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" b3e33c93cefc11619de42b3876063480N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" b3e33c93cefc11619de42b3876063480N.exe -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 2 IoCs
pid Process 2740 wininit.exe 2716 svchost.exe -
Loads dropped DLL 1 IoCs
pid Process 2708 b3e33c93cefc11619de42b3876063480N.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA b3e33c93cefc11619de42b3876063480N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b3e33c93cefc11619de42b3876063480N.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created \??\c:\windows\wininit.exe b3e33c93cefc11619de42b3876063480N.exe File opened for modification \??\c:\windows\wininit.exe b3e33c93cefc11619de42b3876063480N.exe File opened for modification \??\c:\windows\RCXE495.tmp b3e33c93cefc11619de42b3876063480N.exe File opened for modification \??\c:\windows\wininit.exe wininit.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b3e33c93cefc11619de42b3876063480N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininit.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2708 b3e33c93cefc11619de42b3876063480N.exe 2708 b3e33c93cefc11619de42b3876063480N.exe 2740 wininit.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2740 wininit.exe 2716 svchost.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2740 wininit.exe 2716 svchost.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2740 wininit.exe 2716 svchost.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2716 svchost.exe 2740 wininit.exe 2740 wininit.exe 2716 svchost.exe 2716 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2740 wininit.exe 2716 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2740 wininit.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2708 wrote to memory of 2740 2708 b3e33c93cefc11619de42b3876063480N.exe 31 PID 2708 wrote to memory of 2740 2708 b3e33c93cefc11619de42b3876063480N.exe 31 PID 2708 wrote to memory of 2740 2708 b3e33c93cefc11619de42b3876063480N.exe 31 PID 2708 wrote to memory of 2740 2708 b3e33c93cefc11619de42b3876063480N.exe 31 PID 2708 wrote to memory of 2716 2708 b3e33c93cefc11619de42b3876063480N.exe 32 PID 2708 wrote to memory of 2716 2708 b3e33c93cefc11619de42b3876063480N.exe 32 PID 2708 wrote to memory of 2716 2708 b3e33c93cefc11619de42b3876063480N.exe 32 PID 2708 wrote to memory of 2716 2708 b3e33c93cefc11619de42b3876063480N.exe 32 -
System policy modification 1 TTPs 9 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" b3e33c93cefc11619de42b3876063480N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" b3e33c93cefc11619de42b3876063480N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wininit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b3e33c93cefc11619de42b3876063480N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3e33c93cefc11619de42b3876063480N.exe"C:\Users\Admin\AppData\Local\Temp\b3e33c93cefc11619de42b3876063480N.exe"1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2708 -
\??\c:\windows\wininit.exec:\windows\wininit.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2740
-
-
\??\c:\users\admin\appdata\local\svchost.exec:\users\admin\appdata\local\svchost.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:2716
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5ac514b7f272377ad36f233e0e2c2a08f
SHA179ab34745da9261e0d213b1190d16ab93f7d4802
SHA25656cdc38e50cc6fadd4a8b4a35c3ec1adc956f00d3aeeb1b2decb3990bc3a5010
SHA51224c323d7a199f3ed30531d6d93e0c25c5b6e2dbea84667963853e3fd9028786f647dac3d61b76b2b574016f556320e814e40008776488e6cd47a4dfab1225158
-
Filesize
3.1MB
MD5b3e33c93cefc11619de42b3876063480
SHA17c5b487e67aa16aae375b107017a9b6b52547281
SHA256e767398f9d479aaafbb817a8b3584be495e94efec64998afa9337c43ea71ddc0
SHA512abe38e47abc4e9256791be87f659b0d0137fe2ebd21248a4d18da3994af65c1c0c2b690461b795c3a9bdf3b8303bb6d765390a2bd990ebc0ffeadbbe3b132729