Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1563s -
max time network
1563s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25/09/2024, 17:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Prueba1.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
1800 seconds
Behavioral task
behavioral2
Sample
Prueba1.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
23 signatures
1800 seconds
General
-
Target
Prueba1.exe
-
Size
227KB
-
MD5
4339cc7cb7c8df84a3a1bbd3cba4cf17
-
SHA1
b041a7ac27006a3d204726cecef465a34f06a3f3
-
SHA256
e3ebbde456c0c20d1436661909137cd38ce6be51cf78e7cb0d2944b124bed326
-
SHA512
3e795d43daa63db9435ab3d03a6800719f25b1f8311188148c5ac51eea1835ca76a6fb10040559271e42de7b3d5e18dda89a572fb975ee60f6a90d1575a85f31
-
SSDEEP
3072:W+PSS5WcZM55FjBcmnE2V/anyoQI5swjEG6vpRcuKtK41rL2JtjwKk:tPSPX5FWhMwj16xrcKaLWjwKk
Score
6/10
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 2 raw.githubusercontent.com 4 raw.githubusercontent.com -
Modifies registry class 22 IoCs
description ioc Process Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open reg.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open reg.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open reg.exe Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open\command reg.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell reg.exe Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell reg.exe Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings reg.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\678949.vbs" reg.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open\command reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute reg.exe Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open\command reg.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open\command reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\282419.vbs" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute reg.exe Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell reg.exe Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings reg.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open\command reg.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings reg.exe Key deleted \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open reg.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell\Open\command reg.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\ms-settings\Shell reg.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2244 taskmgr.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe -
Suspicious use of SendNotifyMessage 33 IoCs
pid Process 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe 2244 taskmgr.exe -
Suspicious use of WriteProcessMemory 60 IoCs
description pid Process procid_target PID 2344 wrote to memory of 2016 2344 Prueba1.exe 32 PID 2344 wrote to memory of 2016 2344 Prueba1.exe 32 PID 2344 wrote to memory of 2016 2344 Prueba1.exe 32 PID 2016 wrote to memory of 2164 2016 cmd.exe 34 PID 2016 wrote to memory of 2164 2016 cmd.exe 34 PID 2016 wrote to memory of 2164 2016 cmd.exe 34 PID 2344 wrote to memory of 2120 2344 Prueba1.exe 35 PID 2344 wrote to memory of 2120 2344 Prueba1.exe 35 PID 2344 wrote to memory of 2120 2344 Prueba1.exe 35 PID 2120 wrote to memory of 2652 2120 cmd.exe 37 PID 2120 wrote to memory of 2652 2120 cmd.exe 37 PID 2120 wrote to memory of 2652 2120 cmd.exe 37 PID 2120 wrote to memory of 2692 2120 cmd.exe 38 PID 2120 wrote to memory of 2692 2120 cmd.exe 38 PID 2120 wrote to memory of 2692 2120 cmd.exe 38 PID 2344 wrote to memory of 2784 2344 Prueba1.exe 39 PID 2344 wrote to memory of 2784 2344 Prueba1.exe 39 PID 2344 wrote to memory of 2784 2344 Prueba1.exe 39 PID 2784 wrote to memory of 2860 2784 cmd.exe 41 PID 2784 wrote to memory of 2860 2784 cmd.exe 41 PID 2784 wrote to memory of 2860 2784 cmd.exe 41 PID 2344 wrote to memory of 2700 2344 Prueba1.exe 42 PID 2344 wrote to memory of 2700 2344 Prueba1.exe 42 PID 2344 wrote to memory of 2700 2344 Prueba1.exe 42 PID 2344 wrote to memory of 2172 2344 Prueba1.exe 44 PID 2344 wrote to memory of 2172 2344 Prueba1.exe 44 PID 2344 wrote to memory of 2172 2344 Prueba1.exe 44 PID 2172 wrote to memory of 2664 2172 cmd.exe 46 PID 2172 wrote to memory of 2664 2172 cmd.exe 46 PID 2172 wrote to memory of 2664 2172 cmd.exe 46 PID 2344 wrote to memory of 2796 2344 Prueba1.exe 48 PID 2344 wrote to memory of 2796 2344 Prueba1.exe 48 PID 2344 wrote to memory of 2796 2344 Prueba1.exe 48 PID 2796 wrote to memory of 1380 2796 cmd.exe 50 PID 2796 wrote to memory of 1380 2796 cmd.exe 50 PID 2796 wrote to memory of 1380 2796 cmd.exe 50 PID 2344 wrote to memory of 2288 2344 Prueba1.exe 51 PID 2344 wrote to memory of 2288 2344 Prueba1.exe 51 PID 2344 wrote to memory of 2288 2344 Prueba1.exe 51 PID 2288 wrote to memory of 2440 2288 cmd.exe 53 PID 2288 wrote to memory of 2440 2288 cmd.exe 53 PID 2288 wrote to memory of 2440 2288 cmd.exe 53 PID 2288 wrote to memory of 2052 2288 cmd.exe 54 PID 2288 wrote to memory of 2052 2288 cmd.exe 54 PID 2288 wrote to memory of 2052 2288 cmd.exe 54 PID 2344 wrote to memory of 1600 2344 Prueba1.exe 55 PID 2344 wrote to memory of 1600 2344 Prueba1.exe 55 PID 2344 wrote to memory of 1600 2344 Prueba1.exe 55 PID 1600 wrote to memory of 2436 1600 cmd.exe 57 PID 1600 wrote to memory of 2436 1600 cmd.exe 57 PID 1600 wrote to memory of 2436 1600 cmd.exe 57 PID 2344 wrote to memory of 548 2344 Prueba1.exe 58 PID 2344 wrote to memory of 548 2344 Prueba1.exe 58 PID 2344 wrote to memory of 548 2344 Prueba1.exe 58 PID 2344 wrote to memory of 1808 2344 Prueba1.exe 60 PID 2344 wrote to memory of 1808 2344 Prueba1.exe 60 PID 2344 wrote to memory of 1808 2344 Prueba1.exe 60 PID 1808 wrote to memory of 1416 1808 cmd.exe 62 PID 1808 wrote to memory of 1416 1808 cmd.exe 62 PID 1808 wrote to memory of 1416 1808 cmd.exe 62
Processes
-
C:\Users\Admin\AppData\Local\Temp\Prueba1.exe"C:\Users\Admin\AppData\Local\Temp\Prueba1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵PID:2164
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\678949.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\678949.vbs" /f3⤵
- Modifies registry class
PID:2652
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f3⤵
- Modifies registry class
PID:2692
-
-
-
C:\Windows\system32\cmd.exe/c start /B ComputerDefaults.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\system32\ComputerDefaults.exeComputerDefaults.exe3⤵PID:2860
-
-
-
C:\Windows\system32\cmd.exe/c del /f C:\Users\Admin\AppData\Local\Temp\678949.vbs2⤵PID:2700
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
- Modifies registry class
PID:2664
-
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵PID:1380
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\282419.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\282419.vbs" /f3⤵
- Modifies registry class
PID:2440
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f3⤵
- Modifies registry class
PID:2052
-
-
-
C:\Windows\system32\cmd.exe/c start /B ComputerDefaults.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\system32\ComputerDefaults.exeComputerDefaults.exe3⤵PID:2436
-
-
-
C:\Windows\system32\cmd.exe/c del /f C:\Users\Admin\AppData\Local\Temp\282419.vbs2⤵PID:548
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
- Modifies registry class
PID:1416
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2244
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229B
MD577c4e406f1f79c4f4616aeeb5983cede
SHA14485a37a9931b17381f48e219d465f09eb44a6be
SHA256ebc11d37c3a3e32200c28cbdaef14c05acb27fd032d6d520b8f242cbe6178b17
SHA512063d4503b431bbc2ad4ac6342d4b86ee7c9006a299bc2f0a71159ec2e180cf84edad7d654b08e0a6a3763eed5bf9a74a2ce948d5c649876ab32ecea378d1de21
-
Filesize
125B
MD58b4ed5c47fdddbeba260ef11cfca88c6
SHA1868f11f8ed78ebe871f9da182d053f349834b017
SHA256170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5
SHA51287e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b