Analysis
  max time kernel:  119s
  max time network: 23s
  platform:         windows7_x64
  resource:         win7-20240708-en
  resource tags:    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted:        02/10/2024, 05:40
Static task
  static1

Behavioral task
  behavioral1
    Sample:   65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
    Resource: win7-20240708-en

Behavioral task
  behavioral2
    Sample:   65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
    Resource: win10v2004-20240802-en
General
  Target: 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
  Size:   90KB
  MD5:    da85e435f12df2ed8021698ce78f9b70
  SHA1:   bba8120a2607f644c60dbc6cf4163b42f725c238
  SHA256: 65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840
  SHA512: c6b13c7281acf4c9bc2faec07a88dfc23830a63b35779a85dc43c5a5d3e0ffc1c4b59e3f663eb8bf8122fb1d1189f1cc42536c6a99a5d69c0ab54b91aa9c5dfc
  SSDEEP: 1536:r1Sbpfv5DOWknf7LAQkhB5EQr5PqNzH3EEIMrAgx29E9zt7Hp4h+DGm3/7qq:IbpfhDOW7hBhr4pX5r9x29E9z5HpZDGu
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc:         C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF Reader Launcher.exe
  Process:     COM7.EXE

Executes dropped EXE (4 IoCs)
  pid   Process
  2300  ashcv.exe
  2828  COM7.EXE
  2752  ashcv.exe
  2612  COM7.EXE

Loads dropped DLL (8 IoCs)
  pid   Process
  2416  65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
  2416  65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
  2416  65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
  2416  65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
  2828  COM7.EXE
  2828  COM7.EXE
  2300  ashcv.exe
  2300  ashcv.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\COM_LOADER = "\\\\.\\F:\\Program Files\\PDF_Reader\\bin\\COM7.EXE"
  Process:     reg.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ashcv.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  COM7.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ashcv.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  COM7.EXE
Modifies registry key (1 TTP, 1 IoC)
  pid   Process
  2896  reg.exe

Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid   Process
  2416  65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
  2300  ashcv.exe
  2828  COM7.EXE
  2752  ashcv.exe
  2612  COM7.EXE
  (The report lists 62 entries; the rows above are the distinct pid/process pairs. Nearly all of the 62 entries are repeats of 2416 and 2828, alternating.)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2300  ashcv.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                      pid   Process                                                                 procid_target  count
  PID 2416 wrote to memory of 2300  2416  65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe  28             x4
  PID 2416 wrote to memory of 2828  2416  65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe  29             x4
  PID 2828 wrote to memory of 2896  2828  COM7.EXE                                                                30             x4
  PID 2828 wrote to memory of 2752  2828  COM7.EXE                                                                34             x4
  PID 2300 wrote to memory of 2612  2300  ashcv.exe                                                               35             x4
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\65b127d73ade41dfe0012ce9cc37ca549d12c7306eb61540d00fb973e4724840N.exe"
      PID: 2416
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
        command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
        PID: 2300
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [3] C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
          command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
          PID: 2612
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

    [2] C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
        command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
        PID: 2828
        - Drops startup file
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\reg.exe
          command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COM_LOADER /d "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"
          PID: 2896
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Modifies registry key

      [3] C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
          command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
          PID: 2752
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
  File 1
    Filesize: 91KB
    MD5:      25b6b0fbd3b05d43315edaf25351e989
    SHA1:     24f226baf42a78cdaf78619f7c58cb3cb19da56e
    SHA256:   5b972c81667f114ed0672b23dc4d0d536ed224c4800427d69748a0dfaef167f5
    SHA512:   970e972c1e90e0996f6ee11896b4600fd80de141377cf347802b2678d66c9553de7af15874c221d4a7df022dcbfecf86d91431895fab81e9e0e76f9c59c69f62

  File 2
    Filesize: 90KB
    MD5:      f0ce1e680faff28f012964a7815b12aa
    SHA1:     2efb56de6b415eab9372c7e63685deb6101b1c24
    SHA256:   ba95b1e15eaffa7b47cfb78ef7bbbb4a3995587378bc6a9641c5646f21202089
    SHA512:   56a30473bd0976e8cf88df4f8b8168ee892b68048444563d70424f3f050fd286231d15fda78872e1b047377cb89a9faa48ba9b2b806730ee7fdbc7a03e6d8529