Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
58s -
max time network
60s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
21/09/2024, 17:09
General
-
Target
NeverLose.exe
-
Size
2.4MB
-
MD5
4a20d992a3e773d0fc70d29d27217fe5
-
SHA1
237ea4f9f0d167d3161ac8cba193b2e79b7cdd84
-
SHA256
a69f30c1b304b7f6c85facbbd598f1ebdfdc967488f1bf0617b3bddc3a3a4e86
-
SHA512
7bd12dbb3b051ee6b47ab734047ee06929ec5cbdda6c5be47513644257e75b10a6414e11503a7323ad3851a71c86932803e3d691e7d8f0cedb9625830ea0d270
-
SSDEEP
49152:tBELVoj3mruOsvEsgZpfyECvOhsX7/iEuHTClwGe:nQI0zLhpfTCWhsL/iEMUu
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NeverLose.exe"C:\Users\Admin\AppData\Local\Temp\NeverLose.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\agentMonitornetcommon\GBi0Q8YazuDC5WsFvOE.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\agentMonitornetcommon\g9S8CVbETtCg5QN5yxxbdptY4CtSRTw.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\agentMonitornetcommon\Msfontruntime.exe"C:\agentMonitornetcommon/Msfontruntime.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qlqmchcg\qlqmchcg.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAE.tmp" "c:\Windows\System32\CSC69D58C46C692493CB0AD28F9B1B9E57C.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hKniAGqDE1.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Default User\dllhost.exe"C:\Users\Default User\dllhost.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ar6wdwHCe.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Users\Default User\dllhost.exe"C:\Users\Default User\dllhost.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5nOOmGNqzh.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Default User\dllhost.exe"C:\Users\Default User\dllhost.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KU0xjXjpGp.bat"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Users\Default User\dllhost.exe"C:\Users\Default User\dllhost.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat"13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\agentMonitornetcommon\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\agentMonitornetcommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\agentMonitornetcommon\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsfontruntimeM" /sc MINUTE /mo 12 /tr "'C:\agentMonitornetcommon\Msfontruntime.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Msfontruntime" /sc ONLOGON /tr "'C:\agentMonitornetcommon\Msfontruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsfontruntimeM" /sc MINUTE /mo 6 /tr "'C:\agentMonitornetcommon\Msfontruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
161B
MD5825a7126fdcecdc9ea0ec936f40631f5
SHA1d73ff94f7f222c73afecc826ca46bf95ca8e38c5
SHA2567bbcfbf58b1af85f67fa89b13ca2c17750275efe93353589df20ef536140ded4
SHA512fa1b5227ec2335dfd15af5c551564441b1654963dfac5397653db0bb276f0898c383d17a0d541f1054642b0e6ce15c795166f805ee8bdd398f1c42052a91856c
-
Filesize
209B
MD58f00b20e608a813916aa420d5dc098a8
SHA1c2a89f20f580d8ced1c7dcc550699fddf3b08da3
SHA256b0405631e09b8e1ac83c58b3ede77a23ea16802ecd8b93adbc3fb2edd64f5ea1
SHA5127f8a8365c1f2404e6f6ea401989decf86172c4a24d714e790dbcdede8231eb71d51d933d0fb8251f33b9195a925660036be910f4dd46dcb59abdd98c06d0e1e2
-
Filesize
209B
MD5d7938ce67dd94f376976cab40771047e
SHA15491b776076378f46dbe9a2dc6b6f4666ee5adfa
SHA2565ebe1032cd0c1523b25b900fb5f5c50385fa01e049b64dff049932d352646173
SHA51290fcd6185641a36f910ee587d8dc3f70dd0557a00558237097aaba636d6d85960720b83d85f1f45bd87f15c6a29e4b2cbaab5240157af83363625750dfcb4d82
-
Filesize
209B
MD5ca23b76240ac3b07c88f43e73af36d11
SHA1da0cc8c7aa1ee374d493da043a572584caf837c9
SHA2565d83c7b9e6b03758fbf7d3297cf28e0bd3d6e4e8ef6342949599500fa7949d99
SHA512ac58b7ccc231c919a655a5633054c0e1c25a289b6437a2dde2c79bc2d83d974333bdff8d77f814d8194b8f16afe4fbe18a89a8e1fba2dba08e67cfd0f3cd9063
-
Filesize
1KB
MD55d21cb2637fcc06ef56ebb530c530d2f
SHA193f0a3418493ee18685f0385e9136d613421fd4c
SHA2569a1c1fe2aee927a3a56d9149bd82216d5b90af23e6ffe0ed0c31244ed6880349
SHA512e109e62e0069597fda085d5fff0884b90fbefc7ec5eb5d4143ddc74e0ccb37d03466b9b062a12e3764285eafe23c25ebf3fc4e031f96de9fb59ca2fdd4a03d36
-
Filesize
161B
MD5a8479887cb03f7fdc097c4fcfd27dec6
SHA1f9500cf6e72f605ad80f52f0c10ffa139bff0226
SHA2560ce72d4c85018e8453825bc1913d362069089799cda74e04389127370f7f6171
SHA512145729de416ad741d03de09a1bc11abf5e0e4d381a86851866262d0d1d27cf91505c0ad3a32a46f0afe02ad7abe31eab75e45b4d0ee8626ba50aa2dfe86bf872
-
Filesize
231B
MD5e9836fb94a627362459e478f344fe010
SHA1ce16cdd9513923ac775a7498e4548d4a66bcef2c
SHA256fe4eda0eca7f098fe7ad5ce5a5e8f68d8735e24e93654fb61e3187d6e6207235
SHA512f589c484cea94694a9405a3cd49111671ba479f526a9068d46c30f59dd1f813b85eb08c1fb76d39ff4d268ee94da307b4fa70afe3454faa062ddaa71ad7e7f1b
-
Filesize
82B
MD58beb041aab9fe0aa4f76082b7329a1a5
SHA16c1dd365d03640042ff51a2a3ada9a764706efba
SHA2564504697922de405075ca52ec9d6c636ad153e3cd06b1ad1ae33a9f5e6edb2646
SHA512286a95f6182408207e0db553ee3b5ab67ff60d5238984db49abe0a4497ee0fdf9c4210d2adfb5a1257dcdedabff0b067a8bee27f1e581a02364f9e8fd6bda7e6
-
Filesize
365B
MD583f99d454f3ee4351efc0eaf1196605a
SHA1e24b86abc213944412d604dfb18aa50688bf1b6a
SHA256454a519b15e5005517d0d14b034abc8efce70355a8e4a2b788c6744eb9510b2c
SHA512c5de1b38068ee7c2482f411327c63a8b4683e967f266337857308b7027d1999c4ec7cb7249c4e06ad7e3401654b6d0b8bedb7daa9caeec75b9e0ca47d4f6840d
-
Filesize
235B
MD58fc283a225b2da402a59ef116353c839
SHA1535f267461249bb3aa940f817ada4d243b842652
SHA256b153f88eeecc4f80b9264a3fea5858e47091252c29d12cc8622951edfb26a272
SHA512a50cc87321f88abec2626c6b6cca0b121a5bc61349f74066eceb2fff31c8fb06955c20dbe3c971536beefab14b983894c9ed5a51e1238567a188ace669523ee2
-
Filesize
1KB
MD5028d4cd290ab6fe13d6fecce144a32cc
SHA1e1d9531cb2e6bc9cab285b1f19e5d627257a3394
SHA2563f42f68eb3df49cf836fbb0019b8206af735e22f3d528e7b122fa9b2541fdde3
SHA5122f99d37a56444831298f8efaef425e5dadec938ac459bfc0cdaf3708ef8662f12bd8d687a58fc1dd6bbdac6c806214b65a21489a24d3160c1e8575968e3caa6e
-
Filesize
1.8MB
MD5769730d9ed728056adc3c69648deae26
SHA16c0a76de7715745eb3ca344d6ad5665c66f10ace
SHA256c4f58fcf47c8897c4e3fe97b40c8ae6e3093242d37eecc325f5e89e1f7f1ca89
SHA5129124c43ff1df0b56bfe9c1211abe997ce83bc4941546fd48c26414e43ec9117a2f009c7290019579fc09726cb93c78de90aa4d3589222a105985f287c28116ab
-
Filesize
1.9MB
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB