Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2024, 14:37

General

  • Target

    e7595cf73c6614d5c2d1bb3131002f9140340c04e1bc5aac8b5f9313de8a4624N.exe

  • Size

    4.1MB

  • MD5

    2fa4f5089d443ac8c9ff22132a8a25f0

  • SHA1

    c01473f2e14dfba1340e813f1983293a9a129e41

  • SHA256

    e7595cf73c6614d5c2d1bb3131002f9140340c04e1bc5aac8b5f9313de8a4624

  • SHA512

    ab3f4d8ab7e9eb561253c2612caf116f596d17da83752926f474910074b4ebc37b08b37d2e299279c576d7d48864315c0932390310a508ea2a6b3550bcfe1ce8

  • SSDEEP

    98304:g2mDMmD2mDrc2mDMmD2mDdMmD2mDAc2mDMmD2mDrcG:g2mDMmD2mDrc2mDMmD2mDdMmD2mDAc2w

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7595cf73c6614d5c2d1bb3131002f9140340c04e1bc5aac8b5f9313de8a4624N.exe
    "C:\Users\Admin\AppData\Local\Temp\e7595cf73c6614d5c2d1bb3131002f9140340c04e1bc5aac8b5f9313de8a4624N.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • System Location Discovery: System Language Discovery
      • Modifies registry key
      PID:2944
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2108
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2324
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1008
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1352
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              • System Location Discovery: System Language Discovery
              PID:1732
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:900
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1924
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1340
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2356
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2532
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:772
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:864
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2552
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    8.3MB

    MD5

    7b5dfe7d38201a3f166954c4d6640fe4

    SHA1

    c9565f6c5491705a8c8ca6fe4ae29fed9642d37f

    SHA256

    cf290dafd9f22b509aba7955bd787bd2e725ffcff14cddc04f6d9c53a4ce3af6

    SHA512

    1dc530ad4f323de36f23753567e2f601dcc1dc9ee27586a44fad0cf2f5c26939a6880aec57646cc4c931b08a20f8f637015e4aec28e50ed1a164c2aa0abc7b06

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    12.5MB

    MD5

    f46c69a589caf98e6e2b39c50ec321be

    SHA1

    9daeb294a3f6698ef466776ae67c2c3f254d5b95

    SHA256

    f9198f91bfb7cd6143152bb7a366f94093f59a5bb6296659918d5dda23f85ab1

    SHA512

    023da49866064f92ad7b138a1dbbf4e4a78defa514f5cca935ff77b4c11a66873396cfca53731f01f38cb7804a2e843ddf2adf35b7bd9191090b6348bfafb878

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    16.6MB

    MD5

    2aa54737f720248da7ea3d02ac799804

    SHA1

    dec0decf8adaf2f269a3fc3905124342c110850e

    SHA256

    9c8d7f5d9ceb6e427f28ee81a8f3177062da2909b720114545b6b13a822d9d67

    SHA512

    72b6913490c78cec449f5fe75ac5f334a5b3bfe65be30d725e85a31de57c306c14f676e6819e35f1018394225316188abb2d312ca97d2f64c2eb2d4b60e90a7c

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    20.8MB

    MD5

    e58cff815cba2eb7cad7250dc9c0329c

    SHA1

    951afe6b7525f5a1ca087afa2c76c8248f283364

    SHA256

    b57fb743091206716d3c5785f32ba51fefeb10b7fb12a9209470314de314906a

    SHA512

    211fa56ab88e68fc7e9799d4fe7e6cc8b6d05c7a88405d5c40df9b003a65c96e65179b00217c487a76f8c9529d2e7bcec0f44bb3e3a532b36bfbe86d60400fc5

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    24.9MB

    MD5

    f589d068bdbdc3c48510bc52386c146a

    SHA1

    7ab26531ff985bdea7d8817130c1c07a106f900e

    SHA256

    c339a5598650d2ca9bb65574e20e1d3111aa84151a8439ead36fc882c6f07913

    SHA512

    befa3f9f9bd91eb168103097d0d3435806e3586c230c26bc64fe4a7fb480b6a284308381e5ea73f0b02440cb5e532455dc65b91e5b182d895a9efb41f79c92dc

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    882dba4bc3e5708e0f372f37721122c2

    SHA1

    6e6809cf91aa2bf360f2a04b83a7946137ed73b3

    SHA256

    2daa664ad0ca2ff998dea2dd7c1960b96538b94b2eddc1e57370e67e422edf4b

    SHA512

    c6602f05bb176647aca8d5f88d1b6b433b2b15c63bb4ed445a6ed5038a4dd55a715482531fb08cae4b01c1958cfaabe9fd4b44e5698618634c398c7e9e5fc7ec

  • C:\Windows\hosts.exe

    Filesize

    4.1MB

    MD5

    069c39b114d359c5c17e4980b78d193d

    SHA1

    e6204a57fd525d3fceff80aefe9d5a1a82e5c4a9

    SHA256

    9e24de9430035c400a17a003ed4f8a4c305b896e737e190fb4aff346b62e740c

    SHA512

    77df162119f24a3341dddc6f4b92b14df3d67e9d2f7d74474fa99df7570f0edaad8a645b2d7fb6b093d7be60daba6431717de6d846c9967a802a2d498888d7b4

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    4.1MB

    MD5

    8cbbc82b29d463d27b82ee4f0277e268

    SHA1

    eb3c59775aa3f3a8107923c5b522d319c713ff61

    SHA256

    437f00b8496b743230c3374ee1617f470f9816244e1c2fcbc26ca5c3fe30cedc

    SHA512

    053c19f3fdf2b77ef1675d19f0b6d9ab486d0c3738f6c42d42a77b267d67df32caad9bd577eb34528c485121f1808313b2d718b888c4e62add8ae050246fdb75