Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10The-MALWAR...ug.exe
windows7-x64
The-MALWAR...le.exe
windows7-x64
3The-MALWAR...an.bat
windows7-x64
1The-MALWAR...Lz.bat
windows7-x64
8The-MALWAR...ou.exe
windows7-x64
1The-MALWAR...MZ.exe
windows7-x64
7The-MALWAR...st.exe
windows7-x64
8The-MALWAR...er.exe
windows7-x64
8The-MALWAR...RC.exe
windows7-x64
8The-MALWAR...er.exe
windows7-x64
3The-MALWAR....a.exe
windows7-x64
The-MALWAR...rk.exe
windows7-x64
9The-MALWAR...an.exe
windows7-x64
The-MALWAR...98.exe
windows7-x64
1The-MALWAR...aj.exe
windows7-x64
7The-MALWAR...jB.exe
windows7-x64
7The-MALWAR...om.exe
windows7-x64
6The-MALWAR...1C.exe
windows7-x64
5The-MALWAR...90.exe
windows7-x64
9The-MALWAR...6a.exe
windows7-x64
9The-MALWAR...it.exe
windows7-x64
1The-MALWAR...m_.eml
windows7-x64
The-MALWAR...ng.exe
windows7-x64
7The-MALWAR....a.exe
windows7-x64
10The-MALWAR...1A.exe
windows7-x64
8The-MALWAR...as.exe
windows7-x64
6The-MALWAR...te.exe
windows7-x64
7The-MALWAR....a.exe
windows7-x64
3The-MALWAR...le.exe
windows7-x64
3The-MALWAR...us.exe
windows7-x64
10The-MALWAR...er.exe
windows7-x64
7The-MALWAR...ff.exe
windows7-x64
3Analysis
-
max time kernel
4s -
max time network
7s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/12/2024, 22:18
Static task
static1
Behavioral task
behavioral1
Sample
The-MALWARE-Repo-master/Trojan/ColorBug.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
The-MALWARE-Repo-master/Trojan/DesktopPuzzle.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
The-MALWARE-Repo-master/Trojan/DudleyTrojan.bat
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
The-MALWARE-Repo-master/Trojan/L0Lz.bat
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
The-MALWARE-Repo-master/Trojan/LoveYou.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
The-MALWARE-Repo-master/Trojan/MEMZ.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
The-MALWARE-Repo-master/Trojan/Mist/MistInfected_newest.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
The-MALWARE-Repo-master/Trojan/Mist/MistInstaller.exe
Resource
win7-20241010-en
Behavioral task
behavioral9
Sample
The-MALWARE-Repo-master/Trojan/Mist/MistInstallerRC.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
The-MALWARE-Repo-master/Trojan/PCToaster.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
The-MALWARE-Repo-master/Trojan/Sevgi.a.exe
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
The-MALWARE-Repo-master/Trojan/Spark/Spark.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
The-MALWARE-Repo-master/Virus/MadMan.exe
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
The-MALWARE-Repo-master/Virus/WinNuke.98.exe
Resource
win7-20241010-en
Behavioral task
behavioral15
Sample
The-MALWARE-Repo-master/Virus/Xpaj/xpaj.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
The-MALWARE-Repo-master/Virus/Xpaj/xpajB.exe
Resource
win7-20241023-en
Behavioral task
behavioral17
Sample
The-MALWARE-Repo-master/Worm/Bezilom.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
The-MALWARE-Repo-master/Worm/Blaster/607B60AD512C50B7D71DCCC057E85F1C.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
The-MALWARE-Repo-master/Worm/Blaster/8676210e6246948201aa014db471de90.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
The-MALWARE-Repo-master/Worm/Blaster/8a17f336f86e81f04d8e66fa23f9b36a.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
The-MALWARE-Repo-master/Worm/Blaster/DComExploit.exe
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
The-MALWARE-Repo-master/Worm/Blaster/SANS_ Malware FAQ_ What is W32_Blaster worm_.eml
Resource
win7-20240708-en
Behavioral task
behavioral23
Sample
The-MALWARE-Repo-master/Worm/Bumerang.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
The-MALWARE-Repo-master/Worm/Fagot.a.exe
Resource
win7-20240729-en
Behavioral task
behavioral25
Sample
The-MALWARE-Repo-master/Worm/Heap41A.exe
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
The-MALWARE-Repo-master/Worm/Mantas.exe
Resource
win7-20241010-en
Behavioral task
behavioral27
Sample
The-MALWARE-Repo-master/Worm/NadIote/Nadlote.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
The-MALWARE-Repo-master/Worm/Netres.a.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
The-MALWARE-Repo-master/Worm/Nople.exe
Resource
win7-20241023-en
Behavioral task
behavioral30
Sample
The-MALWARE-Repo-master/Worm/Vobfus/Vobus.exe
Resource
win7-20241010-en
Behavioral task
behavioral31
Sample
The-MALWARE-Repo-master/rogues/AdwereCleaner.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
The-MALWARE-Repo-master/rogues/SpySheriff.exe
Resource
win7-20240903-en
General
-
Target
The-MALWARE-Repo-master/Trojan/Spark/Spark.exe
-
Size
495KB
-
MD5
181ee63003e5c3ec8c378030286ed7a2
-
SHA1
6707f3a0906ab6d201edc5b6389f9e66e345f174
-
SHA256
55bfcb784904477ef62ef7e4994dee42f03d69bfec3591989513cccbba3fc8fe
-
SHA512
e9820f60b496d6631e054204c6fc5b525527d40a578faac1d5cdb116abcb4a35aacf4f4354ff092a2b455c5d9c2e0f29a761d737d9c9ad3d59d70b51d0583d92
-
SSDEEP
12288:ehny10sOqEl5yD4UmxYV1g1bT2kdSOSGL84Umxb:exZ5vYORMOJ/b
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 3028 bcdedit.exe 2808 bcdedit.exe -
Enables test signing to bypass driver trust controls 1 TTPs 1 IoCs
Allows any signed driver to load without validation against a trusted certificate authority.
pid Process 2808 bcdedit.exe -
Loads dropped DLL 1 IoCs
pid Process 2316 Spark.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\File Cache\Spark.exe Spark.exe File opened for modification C:\Windows\File Cache\Spark.exe Spark.exe File created C:\Windows\File Cache\Initialised Spark.exe File created C:\Windows\File Cache\DLL.dll Spark.exe File created C:\Windows\File Cache\IFEO.exe Spark.exe File created C:\Windows\File Cache\Driver.sys Spark.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Spark.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2316 Spark.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2316 Spark.exe Token: SeShutdownPrivilege 2316 Spark.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2316 wrote to memory of 3028 2316 Spark.exe 31 PID 2316 wrote to memory of 3028 2316 Spark.exe 31 PID 2316 wrote to memory of 3028 2316 Spark.exe 31 PID 2316 wrote to memory of 3028 2316 Spark.exe 31 PID 2316 wrote to memory of 2808 2316 Spark.exe 33 PID 2316 wrote to memory of 2808 2316 Spark.exe 33 PID 2316 wrote to memory of 2808 2316 Spark.exe 33 PID 2316 wrote to memory of 2808 2316 Spark.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Trojan\Spark\Spark.exe"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Trojan\Spark\Spark.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" -set nointegritychecks on2⤵
- Modifies boot configuration data using bcdedit
PID:3028
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" -set testsigning on2⤵
- Modifies boot configuration data using bcdedit
- Enables test signing to bypass driver trust controls
PID:2808
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116KB
MD5a61c26b360471c8258c7571037c4bca0
SHA15db105e0384f25b1ab165c10a9445e6b943cd0ff
SHA256e77316a1fd682e1af8af3ccd03c170f886b9ec8edf7013e1be6a6207cb5a6f16
SHA5123ef680d50ccfa4311d3d1bec1648c48cf8e8633353dea5e06f52339047ede36fd1655ce728541e769d9fcaa6ab8c2a66981aef708a9f4d05ae46ad26f9d6aef4