Analysis
max time kernel: 149s
max time network: 142s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/01/2025, 16:53
Static task: static1
Behavioral task: behavioral1
Sample: 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
Resource: win7-20240903-en
General
Target: 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
Size: 263KB
MD5: 582fb65add01ce95d827b96006a3ff42
SHA1: d8931a791f8ef3d4015aec2bffa47808e28877b5
SHA256: 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01
SHA512: 6e2194abfba98c6723040b9d4e801a8d4e75cc8449d408638fa80edfa11865cad9d01b768c21919ed863f3e7f97d258930ccbbf6acbc0e65c730ead79f5c7141
SSDEEP: 6144:iz+92mhAMJ/cPl3i+eLba0WZj+ufaZef6IMLWKH1cLb1UyOr0Sg3:iK2mhAMJ/cPlQIFXfaZefAyb1FOB2
Malware Config
Signatures
Detects PlugX payload (18 IoCs)
resource | yara_rule
behavioral1/memory/2332-27-0x00000000002E0000-0x0000000000310000-memory.dmp | family_plugx
behavioral1/memory/2816-46-0x0000000000410000-0x0000000000440000-memory.dmp | family_plugx
behavioral1/memory/2220-51-0x00000000002A0000-0x00000000002D0000-memory.dmp | family_plugx
behavioral1/memory/2836-57-0x00000000001B0000-0x00000000001E0000-memory.dmp | family_plugx
behavioral1/memory/2836-59-0x00000000001B0000-0x00000000001E0000-memory.dmp | family_plugx
behavioral1/memory/2836-76-0x00000000001B0000-0x00000000001E0000-memory.dmp | family_plugx
behavioral1/memory/2836-80-0x00000000001B0000-0x00000000001E0000-memory.dmp | family_plugx
behavioral1/memory/2332-75-0x00000000002E0000-0x0000000000310000-memory.dmp | family_plugx
behavioral1/memory/2836-73-0x00000000001B0000-0x00000000001E0000-memory.dmp | family_plugx
behavioral1/memory/2220-58-0x00000000002A0000-0x00000000002D0000-memory.dmp | family_plugx
behavioral1/memory/2836-74-0x00000000001B0000-0x00000000001E0000-memory.dmp | family_plugx
behavioral1/memory/2836-81-0x00000000001B0000-0x00000000001E0000-memory.dmp | family_plugx
behavioral1/memory/2836-85-0x00000000001B0000-0x00000000001E0000-memory.dmp | family_plugx
behavioral1/memory/2816-86-0x0000000000410000-0x0000000000440000-memory.dmp | family_plugx
behavioral1/memory/2836-88-0x00000000001B0000-0x00000000001E0000-memory.dmp | family_plugx
behavioral1/memory/2484-94-0x00000000002A0000-0x00000000002D0000-memory.dmp | family_plugx
behavioral1/memory/2484-97-0x00000000002A0000-0x00000000002D0000-memory.dmp | family_plugx
behavioral1/memory/2484-96-0x00000000002A0000-0x00000000002D0000-memory.dmp | family_plugx
Plugx family

Deletes itself (1 IoC)
pid | Process
2332 | Nv.exe

Executes dropped EXE (3 IoCs)
pid | Process
2332 | Nv.exe
2816 | Nv.exe
2220 | Nv.exe

Loads dropped DLL (8 IoCs, condensed: identical rows counted)
pid | Process | count
3060 | 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe | 5
2332 | Nv.exe | 1
2816 | Nv.exe | 1
2220 | Nv.exe | 1

Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nv.exe
Modifies data under HKEY_USERS (33 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BDD7137-BD17-4902-9D51-DA1826AE3301}\WpadDecisionTime = 40dfb102005edb01 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BDD7137-BD17-4902-9D51-DA1826AE3301}\22-04-d3-71-69-2c | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-04-d3-71-69-2c | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BDD7137-BD17-4902-9D51-DA1826AE3301}\WpadNetworkName = "Network 3" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BDD7137-BD17-4902-9D51-DA1826AE3301}\WpadDecisionReason = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-04-d3-71-69-2c\WpadDecision = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-04-d3-71-69-2c\WpadDecisionTime = 40dfb102005edb01 | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0101000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BDD7137-BD17-4902-9D51-DA1826AE3301}\WpadDecision = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-04-d3-71-69-2c\WpadDecisionReason = "1" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9BDD7137-BD17-4902-9D51-DA1826AE3301} | svchost.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42003500350042003500300044003900330045003800380032003000300033000000 | svchost.exe
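Two of the artifact formats in the signature tables above are easy to mis-read by eye: the yara hit names encode a PID and a memory range, and the FAST\CLSID value is shown as raw REG_BINARY hex. The following is an added example, not code from the Triage report or from the sample, that parses both. The yara rows are copied from the "Detects PlugX payload" table (a subset, including two repeated dumps of PID 2836), the hex value is the one listed under "Modifies registry class", and the assumption that the blob is a NUL-terminated UTF-16LE string is this example's own, confirmed by the decode succeeding.

```python
"""Added example (not from the Triage report): parse Triage memory-dump resource
names of the form <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp and
decode a REG_BINARY blob that holds a UTF-16LE string."""
import re
from collections import defaultdict

# Rows copied from the "Detects PlugX payload" signature above (subset, two of them
# are repeated dumps of the same region in PID 2836).
YARA_HITS = """\
behavioral1/memory/2332-27-0x00000000002E0000-0x0000000000310000-memory.dmp family_plugx
behavioral1/memory/2816-46-0x0000000000410000-0x0000000000440000-memory.dmp family_plugx
behavioral1/memory/2220-51-0x00000000002A0000-0x00000000002D0000-memory.dmp family_plugx
behavioral1/memory/2836-57-0x00000000001B0000-0x00000000001E0000-memory.dmp family_plugx
behavioral1/memory/2836-59-0x00000000001B0000-0x00000000001E0000-memory.dmp family_plugx
behavioral1/memory/2484-94-0x00000000002A0000-0x00000000002D0000-memory.dmp family_plugx
"""

# Hex of the REG_BINARY data written to HKLM\SOFTWARE\Classes\FAST\CLSID (from the report).
FAST_CLSID_HEX = "42003500350042003500300044003900330045003800380032003000300033000000"

DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_yara_hits(text):
    """Return one dict per row: pid, seq, start, end, size (bytes) and the yara rule name."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised resource line: {line!r}")
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
                     "end": end, "size": end - start, "rule": m["rule"]})
    return hits


def regions_by_pid(hits):
    """Collapse repeated dumps of the same region: {pid: {(start, end), ...}}."""
    out = defaultdict(set)
    for h in hits:
        out[h["pid"]].add((h["start"], h["end"]))
    return dict(out)


def decode_reg_binary_utf16(hex_data):
    """Decode a REG_BINARY blob that actually carries a NUL-terminated UTF-16LE string."""
    raw = bytes.fromhex(hex_data)
    if len(raw) % 2:
        raise ValueError("odd-length UTF-16 data")
    text = raw.decode("utf-16-le")
    return text.split("\x00", 1)[0]  # stop at the first NUL terminator


if __name__ == "__main__":
    hits = parse_yara_hits(YARA_HITS)
    for pid, regions in sorted(regions_by_pid(hits).items()):
        for start, end in sorted(regions):
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} ({end - start:#x} bytes)")
    print("FAST\\CLSID =", decode_reg_binary_utf16(FAST_CLSID_HEX))
```

Run as-is, the parser shows that every flagged region in every one of the five processes is exactly 0x30000 bytes, which is what you would expect when the same payload is written into each process in turn, and the CLSID value decodes to the 16-character string B55B50D93E882003 rather than to a real COM class identifier.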
Suspicious behavior: EnumeratesProcesses (64 IoCs, condensed: identical rows counted)
pid | Process | count
2332 | Nv.exe | 1
2836 | svchost.exe | 13
2484 | msiexec.exe | 50

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2836 | svchost.exe
2484 | msiexec.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2332 | Nv.exe
Token: SeTcbPrivilege | 2332 | Nv.exe
Token: SeDebugPrivilege | 2816 | Nv.exe
Token: SeTcbPrivilege | 2816 | Nv.exe
Token: SeDebugPrivilege | 2220 | Nv.exe
Token: SeTcbPrivilege | 2220 | Nv.exe
Token: SeDebugPrivilege | 2836 | svchost.exe
Token: SeTcbPrivilege | 2836 | svchost.exe
Token: SeDebugPrivilege | 2484 | msiexec.exe
Token: SeTcbPrivilege | 2484 | msiexec.exe

Suspicious use of WriteProcessMemory (28 IoCs, condensed: identical rows counted)
description | pid | Process | procid_target | count
PID 3060 wrote to memory of 2332 | 3060 | 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe | 30 | 7
PID 2220 wrote to memory of 2836 | 2220 | Nv.exe | 34 | 9
PID 2836 wrote to memory of 2484 | 2836 | svchost.exe | 36 | 12
Processes

C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe (depth 1, PID 3060)
  command line: "C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe (depth 2, PID 2332)
    command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\SxS\Nv.exe (depth 1, PID 2816)
  command line: "C:\ProgramData\SxS\Nv.exe" 100 2332
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\SxS\Nv.exe (depth 1, PID 2220)
  command line: "C:\ProgramData\SxS\Nv.exe" 200 0
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe (depth 2, PID 2836)
    command line: C:\Windows\system32\svchost.exe 201 0
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (depth 3, PID 2484)
      command line: C:\Windows\system32\msiexec.exe 209 2836
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
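The process tree above is the part of this report that translates most directly into detection logic: an executable runs out of a WinRAR self-extractor temp directory, a copy of the same binary runs from C:\ProgramData\SxS with bare numeric arguments, one of those copies starts svchost.exe (whose parent should be services.exe), and that svchost.exe starts msiexec.exe, again with numeric arguments, one of which is the PID of another process in the chain. The following is an added example, not code from the Triage report, Triage itself or the sample, that encodes those observations as rules and runs them over constructed Sysmon-style process-creation records. PIDs, image paths and command lines are taken from the tree above; the parent of each ProgramData\SxS\Nv.exe instance is recorded as unknown because the tree shows them as roots; the event field names, the rule names and the two benign services.exe/svchost.exe control records are this example's own assumptions.

```python
"""Added example (not from the Triage report): process-tree detection rules for the
execution chain shown above, run over constructed Sysmon-style EventID 1 records."""
import re


def ev(pid, ppid, image, cmdline):
    """One simplified process-creation record. ppid=None means the parent was not observed."""
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe"

# Constructed events. PIDs, images and command lines follow the process tree in the
# report; parents of the two ProgramData\SxS\Nv.exe instances are unknown (shown as
# roots there). The last two records are a benign control pair (assumed, not from the report).
EVENTS = [
    ev(3060, None, SAMPLE, f'"{SAMPLE}"'),
    ev(2332, 3060, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe",
       r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"'),
    ev(2816, None, r"C:\ProgramData\SxS\Nv.exe", r'"C:\ProgramData\SxS\Nv.exe" 100 2332'),
    ev(2220, None, r"C:\ProgramData\SxS\Nv.exe", r'"C:\ProgramData\SxS\Nv.exe" 200 0'),
    ev(2836, 2220, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe 201 0"),
    ev(2484, 2836, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\system32\msiexec.exe 209 2836"),
    ev(600, 4, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\services.exe"),
    ev(900, 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]

RARSFX_DIR = re.compile(r"\\Temp\\RarSFX\d+\\", re.IGNORECASE)
PROGRAMDATA_EXE = re.compile(r"^[A-Z]:\\ProgramData\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_args(cmdline):
    """Drop the (possibly quoted) image at the front of a command line and split the rest."""
    m = re.match(r'^(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).split() if m else []


def numeric_args(cmdline):
    """Return the arguments as ints when every argument is a bare integer, else None."""
    args = split_args(cmdline)
    return [int(a) for a in args] if args and all(a.isdigit() for a in args) else None


def detect(events):
    """Map pid -> list of rule names that fired for that process."""
    by_pid = {e["ProcessId"]: e for e in events}
    # Basenames of executables that ran out of a WinRAR self-extractor temp directory.
    dropped = {basename(e["Image"]) for e in events if RARSFX_DIR.search(e["Image"])}
    findings = {}
    for e in events:
        pid, image, cmd = e["ProcessId"], e["Image"], e["CommandLine"]
        name = basename(image)
        parent = by_pid.get(e["ParentProcessId"])
        pname = basename(parent["Image"]) if parent else None
        nums = numeric_args(cmd)
        hits = []
        if RARSFX_DIR.search(image):
            hits.append("exe_run_from_rarsfx_temp")
        if PROGRAMDATA_EXE.match(image) and name in dropped:
            hits.append("dropped_exe_relocated_to_programdata")
        if PROGRAMDATA_EXE.match(image) and nums is not None:
            hits.append("programdata_exe_numeric_args")
        # svchost.exe is normally started by services.exe; any other (or unknown) parent is anomalous.
        if name == "svchost.exe" and pname != "services.exe":
            hits.append("svchost_parent_not_services")
        # msiexec.exe takes switches such as /i or /x, never a bare list of integers.
        if name == "msiexec.exe" and nums is not None:
            hits.append("msiexec_numeric_args")
        # A numeric argument equal to another observed PID: the "100 2332" / "209 2836" pattern.
        if nums and any(n in by_pid and n != pid for n in nums):
            hits.append("argument_is_live_pid")
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, ", ".join(rules))
```

The svchost rule deliberately treats an unobserved parent as a hit, so in a real feed it is noisy around boot and should be paired with the other rules; the argument_is_live_pid rule is the one most specific to this chain, since the 2332 and 2836 passed on the command lines are exactly the PIDs of the earlier Nv.exe and of the injected svchost.exe.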
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 622B
MD5: be941744cf54a85bfed8a2d7f209b3ae
SHA1: 6ba7f9c0bd14ac342833fdaf1a46064917a804b8
SHA256: dabdd0235c01034cb386c9b79d97c6e083e88d97a7543d6b1caa9155ebb4c9ee
SHA512: 03a671c2633101c4f4c0b5c875a519bd5a16639328dc628582077a66cc1f35c33db99f78ee8d4721acc68ebe76043350a5b8367b676e65043bc2efa6e93baa99

Filesize: 120KB
MD5: e1e6d954482a108020c8e471bd0790e4
SHA1: 138def3945437e9d81902f00b1119795140ae8bf
SHA256: 9f5663bdcd5217b16597a53c763359c63d867202df572f23493d54a1c082c954
SHA512: 7573eba59791c978c45e5af1abd70c3a7d454e6fe1de9962f737679e8ddf5e9694d548bb8f0bbc4ffc236921a984f97bc1d11b0b0f239b25bb4253f88e2862e5

Filesize: 41KB
MD5: 92b5a067fc1866b933eade6ebd4e1564
SHA1: 91c38bb2d1993dde1068550e42580c4d2993a5c1
SHA256: 632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6
SHA512: 3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

Filesize: 46KB
MD5: 09b8b54f78a10c435cd319070aa13c28
SHA1: 6474d0369f97e72e01e4971128d1062f5c2b3656
SHA256: 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512: c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7