Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    127s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/10/2024, 23:19

General

  • Target

    705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe

  • Size

    93KB

  • MD5

    995b8f8f204269a5ec58200abb269e4a

  • SHA1

    0ac126df1e7c26da9ef23ab02adf7de27fa11b1f

  • SHA256

    705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2

  • SHA512

    73dfe7815eb43f07770f0beae1442d6b437acee6a8945c5ba0d84ab6a7db6ce223c7878fc275adf0cf99990c0bfbe3db9d431712f8fbe025005b0d2940930005

  • SSDEEP

    1536:v7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf0xn:Dq6+ouCpk2mpcWJ0r+QNTBf0

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables Task Manager via registry modification
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 5 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe
    "C:\Users\Admin\AppData\Local\Temp\705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\65C5.tmp\65C6.tmp\65C7.bat C:\Users\Admin\AppData\Local\Temp\705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\system32\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2872
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" /v Wallpaper /d "C:\ProgramData\WindowsCache\wall.png" /f
        3⤵
        PID:2732
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /d "C:\ProgramData\WindowsCache\wall.png" /f
        3⤵
        • Sets desktop wallpaper using registry
        PID:2484
      • C:\Windows\system32\reg.exe
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe, C:\ProgramData\WindowsCache\ir.exe" /f
        3⤵
        • Modifies WinLogon for persistence
        PID:2792
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2836
      • C:\Windows\system32\timeout.exe
        timeout /nobreak /t 1
        3⤵
        • Delays execution with timeout.exe
        PID:2656
      • C:\Windows\explorer.exe
        explorer.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\65C5.tmp\65C6.tmp\65C7.bat

    Filesize

    1KB

    MD5

    ba97708785cba1962c39d0ae8e690258

    SHA1

    21caf881a1e5fe939f733bc4b8f8a4ff8b94d88e

    SHA256

    9c28201975579600fa4083241c5248e92740c1908cf103816838bd30ec9ffe93

    SHA512

    9c6463e429bf378d1cce28ffd2c54b0ba4aae04b212a1d6aadb427cd6de5b3664b1841bf4f035c423e541ec3c7033bc0440a7793975887ef6f951f8012ca461a

  • memory/2600-5-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB