Analysis

  • max time kernel
    91s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/10/2024, 14:07

General

  • Target

    3ac20f08ced73a1003ed6ca421fabd1b98914547141e86bb3ab599f5578f2aefN.exe

  • Size

    2.3MB

  • MD5

    8d33dd25fd7e3a34c2ca9541f00c5740

  • SHA1

    709d58baeea34016d2d066a31dbef3bcd7e00f2c

  • SHA256

    3ac20f08ced73a1003ed6ca421fabd1b98914547141e86bb3ab599f5578f2aef

  • SHA512

    1f5b206845305c024ae5712b8bcc353193abb14ef99231eddf94584563cfe448ed032bcf8aa6823015e6533de23c17da72acfa6eb6d2e68f952e080bb882a501

  • SSDEEP

    49152:g7q7yD727d7A7yD7q7yD72747q7yD7A7yD7q7yDF:g2mD65MmD2mD6c2mDMmD2mDF

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ac20f08ced73a1003ed6ca421fabd1b98914547141e86bb3ab599f5578f2aefN.exe
    "C:\Users\Admin\AppData\Local\Temp\3ac20f08ced73a1003ed6ca421fabd1b98914547141e86bb3ab599f5578f2aefN.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • System Location Discovery: System Language Discovery
      • Modifies registry key
      PID:2248
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2752
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2800
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2660
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              • System Location Discovery: System Language Discovery
              PID:1144
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2708
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:956
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2108
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1392
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2592
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2116
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1172
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2768
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    4.7MB

    MD5

    bab31ea8613dfe70a03cd43bf5be8c06

    SHA1

    1b9336c22c37862919661ffaff308588a88db3d1

    SHA256

    62149127f9cc04b0d1ff3b0368c9792871faf492c9cc5039d537093ea026a005

    SHA512

    89756f990d252c575c0601532f02cdf0bd37cc3244c942636b43ff1f6c3506049bbfa77c0fca0fede39db676367bdaeb50319a9b03157ddfacb590f5a501b07d

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    7.1MB

    MD5

    a7edaad01739f16e5c211c639e0aa77d

    SHA1

    bfcdf3fd901b92ef0affc08284a7833d9f025655

    SHA256

    99e3a2994a7328984ce1e69d3623e10cdf8a3cf5f79bec921b13bdaa202679e3

    SHA512

    8742b09481a618656f4859ec7ccf2b1efb3abcb307b819e37f5d235f25a44e44cd1b50897726a9e80e045cc22b4e664b7de21d52f9ebb3e8948a15e6faacbb68

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    9.4MB

    MD5

    82eef7d0a368c290001d4f7e83d203e3

    SHA1

    36038a13d009b55c519852363fef665eccc5a407

    SHA256

    d9d6b09b2591ded5f4a4bf3a16231671fcb6f8296376fde71265f593bca994d0

    SHA512

    e8590dbaa5cb604c3003d72083aa7e37ab80480fadd46eab175915751a34267b6c0548faefd071f37822441a08ee3bf285f73ae5e8527bcd7d8ca941554690c1

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    11.7MB

    MD5

    1bdc4ff8005f51991324e1c778b40fa0

    SHA1

    1c98dc33f55d7b829ee0e790409303f651d06a96

    SHA256

    7ac8280a157e86a962cc0e547eac26a925a9c9924393d4251fee39a59ce676a9

    SHA512

    3c3408861bf97c01cec47b5dfd9c759e1e4b135404313b25aa0499f982fd2cbfe57eb536c474794232432778c2a75ec6f6dd39700e0a4ebe3c83b3547f30da03

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    14.1MB

    MD5

    0b83356c74d70d2af1338504760a7546

    SHA1

    d23603bd042ad167c3a986c46cdb0ab4e9318bb2

    SHA256

    38030aca2c675d82837936518b510b2727802a72c048f790866feed6632f99a9

    SHA512

    ceb5f3cb20bdeb13a84155ae5bb26376c73f545ba8a35a62ddd11eb8e89519bb4a1e7178200b723d86608803fb406a1fbc34d91a91d960aee22a707b1c29188c

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    71afe05995ab9855480e1b5b0cbd516f

    SHA1

    4c96a6537720ec4770ac3cd1e59a914f007fe3ba

    SHA256

    8bdfb6dfdb2722c9f23b40d28f507f897f113c3e74f032f2944580b771ae9640

    SHA512

    d5579eedf848f4d689394ead51a70e16db07241920eccbdc18b572ec46383eb7050ee06339cacf8113d59344e50aef0f202197517a03090cf70e2cbf30770ba6

  • C:\Windows\hosts.exe

    Filesize

    2.3MB

    MD5

    073d37e824988d6be5757dce84bb2cd2

    SHA1

    5d18f82a9d94ced460598d5277980bba20a837d2

    SHA256

    5b3fcfa5a388861e52b5dfd4609cd16ef71d1d9e14b8baefc4622307b1ba02ab

    SHA512

    f56d3f687c98f8370a6df41f67d9c15996b7faf3627c6510adceef361bc424e6256b1c8c981ebd605473dcb7f9c8c2312c8e2b6ef6b27b62b966377ce781e01a

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    2.3MB

    MD5

    9918840c0b649670bac03830548b4e5f

    SHA1

    e4bf348976008b1e44a268525bed866ee5d474b8

    SHA256

    2d96360d04a9f47c7b5c222ee8b8de272b44ec034b60f3aa9c82e6afa8dd4855

    SHA512

    50f485710aa0da5a96860bc2a4f80a605abb4acb5116b78f6fa2a74d85caf70da8d719fa843606fcd7c7ad9db2039ca86497edf906af04b6b8ab51a57ff0977f

  • memory/2828-78-0x00000000024B0000-0x00000000025B0000-memory.dmp

    Filesize

    1024KB