Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
127s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20/10/2024, 23:19
Static task
static1
Behavioral task
behavioral1
Sample
705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe
Resource
win10v2004-20241007-en
General
-
Target
705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe
-
Size
93KB
-
MD5
995b8f8f204269a5ec58200abb269e4a
-
SHA1
0ac126df1e7c26da9ef23ab02adf7de27fa11b1f
-
SHA256
705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2
-
SHA512
73dfe7815eb43f07770f0beae1442d6b437acee6a8945c5ba0d84ab6a7db6ce223c7878fc275adf0cf99990c0bfbe3db9d431712f8fbe025005b0d2940930005
-
SSDEEP
1536:v7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf0xn:Dq6+ouCpk2mpcWJ0r+QNTBf0
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\WindowsCache\\ir.exe" reg.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables Task Manager via registry modification
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\WindowsCache\\wall.png" reg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2656 timeout.exe -
Kills process with taskkill 1 IoCs
pid Process 2836 taskkill.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2872 reg.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2600 explorer.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 2836 taskkill.exe Token: SeShutdownPrivilege 2600 explorer.exe Token: SeShutdownPrivilege 2600 explorer.exe Token: SeShutdownPrivilege 2600 explorer.exe Token: SeShutdownPrivilege 2600 explorer.exe Token: SeShutdownPrivilege 2600 explorer.exe Token: SeShutdownPrivilege 2600 explorer.exe Token: SeShutdownPrivilege 2600 explorer.exe Token: SeShutdownPrivilege 2600 explorer.exe Token: SeShutdownPrivilege 2600 explorer.exe Token: SeShutdownPrivilege 2600 explorer.exe Token: SeShutdownPrivilege 2600 explorer.exe Token: SeShutdownPrivilege 2600 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe 2600 explorer.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 2848 wrote to memory of 2748 2848 705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe 30 PID 2848 wrote to memory of 2748 2848 705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe 30 PID 2848 wrote to memory of 2748 2848 705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe 30 PID 2848 wrote to memory of 2748 2848 705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe 30 PID 2748 wrote to memory of 2872 2748 cmd.exe 32 PID 2748 wrote to memory of 2872 2748 cmd.exe 32 PID 2748 wrote to memory of 2872 2748 cmd.exe 32 PID 2748 wrote to memory of 2732 2748 cmd.exe 33 PID 2748 wrote to memory of 2732 2748 cmd.exe 33 PID 2748 wrote to memory of 2732 2748 cmd.exe 33 PID 2748 wrote to memory of 2484 2748 cmd.exe 34 PID 2748 wrote to memory of 2484 2748 cmd.exe 34 PID 2748 wrote to memory of 2484 2748 cmd.exe 34 PID 2748 wrote to memory of 2792 2748 cmd.exe 35 PID 2748 wrote to memory of 2792 2748 cmd.exe 35 PID 2748 wrote to memory of 2792 2748 cmd.exe 35 PID 2748 wrote to memory of 2836 2748 cmd.exe 36 PID 2748 wrote to memory of 2836 2748 cmd.exe 36 PID 2748 wrote to memory of 2836 2748 cmd.exe 36 PID 2748 wrote to memory of 2656 2748 cmd.exe 38 PID 2748 wrote to memory of 2656 2748 cmd.exe 38 PID 2748 wrote to memory of 2656 2748 cmd.exe 38 PID 2748 wrote to memory of 2600 2748 cmd.exe 39 PID 2748 wrote to memory of 2600 2748 cmd.exe 39 PID 2748 wrote to memory of 2600 2748 cmd.exe 39 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe"C:\Users\Admin\AppData\Local\Temp\705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\65C5.tmp\65C6.tmp\65C7.bat C:\Users\Admin\AppData\Local\Temp\705b55902ae2a401bcaa25bc6ab47726a752cb0621f8c70b84f4f265939bb4f2.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
PID:2872
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" /v Wallpaper /d "C:\ProgramData\WindowsCache\wall.png" /f3⤵PID:2732
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /d "C:\ProgramData\WindowsCache\wall.png" /f3⤵
- Sets desktop wallpaper using registry
PID:2484
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe, C:\ProgramData\WindowsCache\ir.exe" /f3⤵
- Modifies WinLogon for persistence
PID:2792
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\Windows\system32\timeout.exetimeout /nobreak /t 13⤵
- Delays execution with timeout.exe
PID:2656
-
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ba97708785cba1962c39d0ae8e690258
SHA121caf881a1e5fe939f733bc4b8f8a4ff8b94d88e
SHA2569c28201975579600fa4083241c5248e92740c1908cf103816838bd30ec9ffe93
SHA5129c6463e429bf378d1cce28ffd2c54b0ba4aae04b212a1d6aadb427cd6de5b3664b1841bf4f035c423e541ec3c7033bc0440a7793975887ef6f951f8012ca461a