Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2024, 21:57

General

  • Target

    3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe

  • Size

    767KB

  • MD5

    27cd44d454364f2d822eaace466fed38

  • SHA1

    3019af2f3dd3d2de1c101be8d92c27fd25c40e5b

  • SHA256

    3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d

  • SHA512

    2ff8c1e56e3dc0f2e576af34b0ebb1041563b5f12d19a38c112f107090d6051deed5d35f42189858cae4d5140cf062e99c9ce3defc0997a9ff71afff140446d2

  • SSDEEP

    12288:uFUNDat1JSgyPzsB7kmIFZUUvHqnuFT+wUV5/ZhReTr6dARuYKpQZ8gZ5NOij:uFOa/0BG9gGUvH+uwwsqtOij

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 16 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 20 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
    "C:\Users\Admin\AppData\Local\Temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2500
    • \??\c:\users\admin\appdata\local\temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe 
      c:\users\admin\appdata\local\temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe 
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Users\Admin\AppData\Local\Temp\ckz_BHIT\Activator.exe
        "C:\Users\Admin\AppData\Local\Temp\ckz_BHIT\Activator.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2224
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2528
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2320
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2856
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2764
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3032
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:59 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:3020
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:00 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2120
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:01 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2588
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:2584

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      130KB

      MD5

      dad15a5174e93c68bf5c70f52e71ec2a

      SHA1

      85fd8c128690cfdb020a5fbe0a68ae09eaf2f0eb

      SHA256

      58bf5ce8ac5ba0eab06b94ae8193b0ed684373ec69fb13f8e7799dd6211a0fbe

      SHA512

      9a4a10eaa3028a5d6fb29017b7d3cc8f535f768323ec1d47bd6458b59b12695e95f07dc907620307f24df4b600e3f1d74d0f735425fffcaee52b38cc1c013ac8

    • C:\Windows\Resources\Themes\icsys.icn.exe

      Filesize

      121KB

      MD5

      c8481b583be0bdd69350f9e5a22eb22a

      SHA1

      47295aedb88e000cfb3048be15b7194fb69c8bfd

      SHA256

      6a502ed8a7760463483209d536ab740d0beff9b6c3c57dc0a62cb7be4ab8eaf9

      SHA512

      8bfcf2f8c01f12fed0f4848f05ae8cf71b68520fd5afe34c0626866f6b28c0c56069be0fb616df84b614ca48082e2cc58871933b64163da355479ec942ab7dfe

    • \Users\Admin\AppData\Local\Temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe 

      Filesize

      646KB

      MD5

      5dcf8b61cb54552f12ef76a8e9051049

      SHA1

      c4ad616c976e77d3ab7debc86983442d30fca158

      SHA256

      be77b0bcd4a4ca799b9dd768e931a747be97f9770edc87b5dd6bd5c0558a5af5

      SHA512

      4555a0a937f7f40fdc03a9d0ed680065ef10849d87ec64d4b2fc5061ff8d7745031502e702fc5a396090658a925f7e13ff775cf7c337ec61b2a635cf4c523f03

    • \Users\Admin\AppData\Local\Temp\ckz_BHIT\Activator.exe

      Filesize

      262KB

      MD5

      4b54c2c5ac3d82da68c2acf328dd1d24

      SHA1

      632ffbdf3a0257b83b009508c69a5ee4fe4b9781

      SHA256

      e35748b6ecd496f4c2aa26db894e1e7b61fbe44501aa2ee5d44103f87bf68420

      SHA512

      2ffc781347c468b11b18c91fcd49b48998f589bbb0add0939b448ba1dd5010fa24b299218dd09f5f00ae68a29782c9cbefa17a543453c8bf3272b233021e9e37

    • \Windows\Resources\spoolsv.exe

      Filesize

      130KB

      MD5

      8e4f0c7657ef30334e9b7e6eac44cb83

      SHA1

      aeeb32b9dd83fff078430a9e871ef3a5126245cd

      SHA256

      520e566b1c48586bab5997337b2223ecf54c23ed40c410ace757abaa2072647d

      SHA512

      86eb1c95491452560df324979cb28d13568c2581cade6766ead1db06e344c77691c163daf1af33c85069a1f7707db689e0dec0cf862e50ece14e88099d7b9739

    • \Windows\Resources\svchost.exe

      Filesize

      130KB

      MD5

      02e2c7983bdadc37b544f1f9dfc53660

      SHA1

      5cfce25bf5ccea2620d51cda3a048dcfed0b4ad3

      SHA256

      eb3ca535b7ef302c340e6a8476a0e4bb77e6d0996976112adb9f7a9c94e876f7

      SHA512

      f2cb4f37f52bbfb62cc57cda311fdb326ab0cb7e9bf4f6ae4d772f849ecb935f960f8b134a99e30b984751a52fd3d6ee9a12667221dac4bbdabd394a2483037a

    • memory/2224-79-0x0000000000C30000-0x0000000000C78000-memory.dmp

      Filesize

      288KB

    • memory/2224-90-0x0000000000460000-0x0000000000484000-memory.dmp

      Filesize

      144KB

    • memory/2500-0-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB