Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview

Task list (target names are truncated as shown on the page; the full paths are in the Behavioral task entries below):

Score  Target                 Platform
10     Static                 -
10     Malware-1-master.zip   windows7-x64
1      Malware-1-...30.exe    windows7-x64
10     Malware-1-...40.exe    windows7-x64
10     Malware-1-...32.exe    windows7-x64
10     Malware-1-.../5.exe    windows7-x64
10     Malware-1-...91.exe    windows7-x64
10     Malware-1-...ey.exe    windows7-x64
7      Malware-1-....0.zip    windows7-x64
1      Malware-1-...ad.exe    windows7-x64
3      Malware-1-...ti.exe    windows7-x64
5      Malware-1-...an.bat    windows7-x64
7      Malware-1-...an.exe    windows7-x64
3      Malware-1-...ve.bat    windows7-x64
7      Malware-1-...ve.exe    windows7-x64
6      Malware-1-...ya.exe    windows7-x64
6      Malware-1-...re.exe    windows7-x64
10     Malware-1-...ry.exe    windows7-x64
10     Malware-1-...ck.exe    windows7-x64
3      Malware-1-...he.exe    windows7-x64
10     Malware-1-...op.exe    windows7-x64
7      Malware-1-...rb.exe    windows7-x64
10     Malware-1-...ue.exe    windows7-x64
1      Malware-1-...ng.exe    windows7-x64
6      Malware-1-...kt.bat    windows7-x64
7      Malware-1-...o3.exe    windows7-x64
10     Malware-1-...ey.exe    windows7-x64
10     Malware-1-.../m.exe    windows7-x64
-      Malware-1-...o3.exe    windows7-x64
9      Malware-1-...dme.md    windows7-x64
3      Malware-1-...er.zip    windows7-x64
1      Malware-1-...ic.exe    windows7-x64
3      Malware-1-...in.exe    windows7-x64
Resubmissions

Date               Task ID            Score
13/02/2025, 01:26  250213-btppra1pcz  10
17/01/2025, 20:14  250117-yz7h3s1qfw  10
17/01/2025, 20:12  250117-yy9l2sslcr  10
17/01/2025, 17:25  250117-vy9p9sxpez  10
17/01/2025, 17:21  250117-vw8eesyjfp  10
17/01/2025, 14:16  250117-rk9ass1rhk  10
17/01/2025, 14:12  250117-rhv1ds1lds  10
16/01/2025, 12:52  250116-p4et7a1mez  10

Analysis
Max time kernel: 136s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240729-en
Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
Submitted: 12/01/2025, 15:53
Behavioral tasks

Task          Sample                                      Resource
behavioral1   Malware-1-master.zip                        win7-20241010-en
behavioral2   Malware-1-master/2530.exe                   win7-20240903-en
behavioral3   Malware-1-master/2887140.exe                win7-20241010-en
behavioral4   Malware-1-master/32.exe                     win7-20240903-en
behavioral5   Malware-1-master/5.exe                      win7-20240708-en
behavioral6   Malware-1-master/96591.exe                  win7-20240729-en
behavioral7   Malware-1-master/Amadey.exe                 win7-20240903-en
behavioral8   Malware-1-master/Blocked-v1.0.zip           win7-20240903-en
behavioral9   Malware-1-master/Download.exe               win7-20241010-en
behavioral10  Malware-1-master/Illuminati.exe             win7-20240903-en
behavioral11  Malware-1-master/MEMZ-Clean.bat             win7-20240903-en
behavioral12  Malware-1-master/MEMZ-Clean.exe             win7-20240903-en
behavioral13  Malware-1-master/MEMZ-Destructive.bat       win7-20240903-en
behavioral14  Malware-1-master/MEMZ-Destructive.exe       win7-20240729-en
behavioral15  Malware-1-master/Petya.exe                  win7-20241010-en
behavioral16  Malware-1-master/Software.exe               win7-20241023-en
behavioral17  Malware-1-master/WannaCry.exe               win7-20240708-en
behavioral18  Malware-1-master/Win32.EvilClusterFuck.exe  win7-20240903-en
behavioral19  Malware-1-master/apache.exe                 win7-20240903-en
behavioral20  Malware-1-master/butterflyondesktop.exe     win7-20240903-en
behavioral21  Malware-1-master/crb.exe                    win7-20240903-en
behavioral22  Malware-1-master/eternalblue.exe            win7-20241023-en
behavioral23  Malware-1-master/fear.png.exe               win7-20241010-en
behavioral24  Malware-1-master/getr3kt.bat                win7-20240903-en
behavioral25  Malware-1-master/iimo3.exe                  win7-20241010-en
behavioral26  Malware-1-master/jey.exe                    win7-20240708-en
behavioral27  Malware-1-master/m.exe                      win7-20240903-en
behavioral28  Malware-1-master/mo3.exe                    win7-20240903-en
behavioral29  Malware-1-master/readme.md                  win7-20240903-en
behavioral30  Malware-1-master/wannakey-master.zip        win7-20240903-en
behavioral31  Malware-1-master/wintonic.exe               win7-20240903-en
behavioral32  Malware-1-master/youwin.exe                 win7-20240729-en (the task reported on this page)
General

Target: Malware-1-master/youwin.exe
Size: 379KB
MD5: c3f3773a596db65c6491b578db621c45
SHA1: ba5529fe2d6648ebfa93c17145f5570f448e1111
SHA256: dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c
SHA512: 8d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061
SSDEEP: 6144:dVH5X7dPd2cUnZF+ZXsFv+g11ZebOzWl4QFUTUPYeOEH9yyIKC0ywAHTWZ:dVH5X7dPd2zcO+8ebRJlQeOEH9ytfvw4
Malware Config

Extracted
Family: trickbot
Version: 1000312
Botnet: sun10
C2 (ip:port):
82.202.212.172:443
24.247.181.155:449
24.247.182.39:449
109.234.38.220:443
24.247.182.29:449
24.247.182.7:449
71.14.129.8:449
198.46.131.164:443
74.132.135.120:449
198.46.160.217:443
71.94.101.25:443
206.130.141.255:449
192.3.52.107:443
74.140.160.33:449
65.31.241.133:449
140.190.54.187:449
24.247.181.226:449
108.160.196.130:449
23.94.187.116:443
103.110.91.118:449
188.68.211.211:443
75.108.123.165:449
72.189.124.41:449
74.134.5.113:449
105.27.171.234:449
182.253.20.66:449
172.222.97.179:449
72.241.62.188:449
198.46.198.241:443
199.227.126.250:449
97.87.172.0:449
24.247.182.174:449
94.232.20.113:443
190.145.74.84:449
47.49.168.50:443
64.128.175.37:449
24.227.222.4:449
Autorun: Control:GetSystemInfo, Name:systeminfo, Name:injectDll, Name:pwgrab
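The C2 list above is the part of this report most people will act on. The script below is an added example (not tria.ge code): it validates the extracted ip:port list, reports its port mix, and checks constructed Zeek-style conn.log lines against it, distinguishing an exact ip:port match from a weaker address-only match on some other port. TRICKBOT_C2 is copied from the config above; SAMPLE_CONN_LOG is hand-written sample data, not traffic from the sandbox run.

```python
"""Match the Trickbot C2 endpoints extracted above against connection logs.

Added example, not tria.ge code. TRICKBOT_C2 is copied from the report's
extracted config; SAMPLE_CONN_LOG is constructed to look like Zeek conn.log
fields and is not traffic from the sandbox run.
"""
import ipaddress
from collections import Counter

TRICKBOT_C2 = """
82.202.212.172:443 24.247.181.155:449 24.247.182.39:449 109.234.38.220:443
24.247.182.29:449 24.247.182.7:449 71.14.129.8:449 198.46.131.164:443
74.132.135.120:449 198.46.160.217:443 71.94.101.25:443 206.130.141.255:449
192.3.52.107:443 74.140.160.33:449 65.31.241.133:449 140.190.54.187:449
24.247.181.226:449 108.160.196.130:449 23.94.187.116:443 103.110.91.118:449
188.68.211.211:443 75.108.123.165:449 72.189.124.41:449 74.134.5.113:449
105.27.171.234:449 182.253.20.66:449 172.222.97.179:449 72.241.62.188:449
198.46.198.241:443 199.227.126.250:449 97.87.172.0:449 24.247.182.174:449
94.232.20.113:443 190.145.74.84:449 47.49.168.50:443 64.128.175.37:449
24.227.222.4:449
"""

# Constructed Zeek-style conn.log excerpt (tab-separated; not from the sandbox run).
SAMPLE_CONN_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1736696001.12\t10.0.0.15\t49811\t82.202.212.172\t443\ttcp\n"
    "1736696002.40\t10.0.0.15\t49812\t24.247.181.155\t449\ttcp\n"
    "1736696003.77\t10.0.0.15\t49813\t82.202.212.172\t80\ttcp\n"
    "1736696004.01\t10.0.0.22\t49911\t203.0.113.10\t443\ttcp\n"
)


def parse_c2(text):
    """Parse whitespace-separated 'ip:port' tokens into a set of (ip, port).

    Every token is validated: a bad address or port raises ValueError rather
    than silently producing an indicator that can never match.
    """
    endpoints = set()
    for token in text.split():
        host, sep, port = token.rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed C2 entry: {token!r}")
        ipaddress.IPv4Address(host)  # raises ValueError on a non-IPv4 host
        endpoints.add((host, int(port)))
    return endpoints


def ports_by_count(endpoints):
    """Port distribution of the C2 set (this config uses only 443 and 449)."""
    return dict(Counter(port for _, port in endpoints))


def match_conn_log(log_text, endpoints):
    """Return flows whose responder matches a C2 endpoint.

    'exact' means ip:port matched the config; 'ip-only' means the address
    matched on some other port, worth a look but weaker evidence.
    """
    c2_ips = {ip for ip, _ in endpoints}
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, _proto = fields[:6]
        dport = int(resp_p)
        if (resp_h, dport) in endpoints:
            confidence = "exact"
        elif resp_h in c2_ips:
            confidence = "ip-only"
        else:
            continue
        hits.append({"ts": ts, "src": orig_h, "dst": resp_h,
                     "dport": dport, "match": confidence})
    return hits


if __name__ == "__main__":
    c2 = parse_c2(TRICKBOT_C2)
    print(f"{len(c2)} C2 endpoints, port mix {ports_by_count(c2)}")
    for hit in match_conn_log(SAMPLE_CONN_LOG, c2):
        print(hit)
```

Against real conn.log output the same function works unchanged as long as the six leading columns are in Zeek's default order; the "ip-only" class exists because Trickbot C2 hosts in a config of this vintage are frequently compromised routers that also serve unrelated traffic, so an address hit on another port is a lead, not a verdict.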
Signatures

Trickbot family

Trickbot x86 loader (2 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Resource                                                                      YARA rule
behavioral32/memory/2184-5-0x00000000004B0000-0x00000000004F0000-memory.dmp   trickbot_loader32
behavioral32/memory/2184-17-0x00000000004B0000-0x00000000004F0000-memory.dmp  trickbot_loader32

Executes dropped EXE (2 IoCs)
PID   Process
2664  youwin.exe
2416  youwin.exe

Loads dropped DLL (2 IoCs)
PID   Process
2184  youwin.exe
2184  youwin.exe

Command and Scripting Interpreter: PowerShell (1 IoCs)
PID   Process
2584  powershell.exe

Drops file in System32 directory (1 IoCs)
Description                   IoC                                                                                                                          Process
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

Launches sc.exe (2 IoCs)
sc.exe is a Windows utility to control services on the system.
PID   Process
2688  sc.exe
2572  sc.exe

System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description  IoC                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  youwin.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  youwin.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  youwin.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID   Process
2184  youwin.exe
2184  youwin.exe
2184  youwin.exe
2584  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token             PID   Process
SeDebugPrivilege  2584  powershell.exe
SeTcbPrivilege    2416  youwin.exe

Suspicious use of WriteProcessMemory (64 IoCs)
The 64 entries collapse to eight source/target pairs (target process names taken from the Processes tree below; "target index" is the report's procid_target column):
Source PID  Source process  Target PID  Target process  Target index  Entries
2184        youwin.exe      2800        cmd.exe         30            4
2184        youwin.exe      2832        cmd.exe         31            4
2184        youwin.exe      2736        cmd.exe         33            4
2184        youwin.exe      2664        youwin.exe      36            4
2800        cmd.exe         2688        sc.exe          37            4
2832        cmd.exe         2572        sc.exe          38            4
2736        cmd.exe         2584        powershell.exe  39            4
2664        youwin.exe      2372        svchost.exe     40            36 (remainder of the 64 listed)
The four writes per ordinary parent/child pair are what CreateProcess bookkeeping looks like in this sandbox; the 36 writes from the dropped youwin.exe (2664) into a svchost.exe it spawned itself (2372) are not, and together with the loader YARA hit they are consistent with Trickbot unpacking and injecting its payload into svchost.exe.

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Read top to bottom, the tree shows the submitted youwin.exe (PID 2184) stopping and deleting the WinDefend service through sc.exe, turning off Defender real-time monitoring through PowerShell, launching a second copy of itself from %AppData%\Roaming\NetSf\ (same hashes as the submitted file, see Downloads), and that copy spawning svchost.exe, the process it writes into above. A second root, taskeng.exe running as NT AUTHORITY\System, later starts the NetSf copy again, which again spawns svchost.exe: the scheduled-task persistence flagged in Signatures.

- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe (PID 2184)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2800)
    Command line: /c sc stop WinDefend
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2688)
      Command line: sc stop WinDefend
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2832)
    Command line: /c sc delete WinDefend
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2572)
      Command line: sc delete WinDefend
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2736)
    Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2584)
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe (PID 2664)
    Command line: C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 2372)
      Command line: C:\Windows\system32\svchost.exe
- C:\Windows\system32\taskeng.exe (PID 2348)
  Command line: taskeng.exe {6E3D76BD-8BFC-46A5-8DFF-6033B8A99B94} S-1-5-18:NT AUTHORITY\System:Service:
  - C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe (PID 2416)
    Command line: C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\svchost.exe (PID 1648)
      Command line: C:\Windows\system32\svchost.exe
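Every relationship in that tree is visible in ordinary process-creation telemetry, so it makes a good test case for detection logic. The script below is an added example (not tria.ge code): it rebuilds the tree from Sysmon Event ID 1 style records and flags the four behaviours the report shows, sc.exe stopping/deleting WinDefend, Set-MpPreference disabling a Defender feature, svchost.exe started by a parent outside C:\Windows, and the task engine launching an executable from %AppData%. EVENTS is hand-built from the PIDs, images and command lines above; the parent PIDs of the two root processes (1000 and 500) and the benign services.exe/svchost.exe control rows are placeholders I added, not sandbox data. The sc.exe rule also accepts `config` and the Set-MpPreference rule any `-Disable<Feature>`, both common variants beyond the two exact commands seen here.

```python
"""Flag the tampering, injection and persistence chain in the process tree above.

Added example, not tria.ge code. EVENTS is hand-built from the PIDs, images and
command lines the report shows (Sysmon Event ID 1 style fields); the parent
PIDs of the two root processes and the services.exe/svchost.exe control rows
are placeholders added for the example, not values from the sandbox.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule pid image")


def ev(pid, ppid, image, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


TEMP_YOUWIN = r"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe"
NETSF_YOUWIN = r"C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SC = r"C:\Windows\SysWOW64\sc.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SVCHOST = r"C:\Windows\system32\svchost.exe"

EVENTS = [
    ev(2184, 1000, TEMP_YOUWIN, f'"{TEMP_YOUWIN}"'),  # ppid 1000 is a placeholder
    ev(2800, 2184, CMD, "/c sc stop WinDefend"),
    ev(2688, 2800, SC, "sc stop WinDefend"),
    ev(2832, 2184, CMD, "/c sc delete WinDefend"),
    ev(2572, 2832, SC, "sc delete WinDefend"),
    ev(2736, 2184, CMD, "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ev(2584, 2736, PS, "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ev(2664, 2184, NETSF_YOUWIN, NETSF_YOUWIN),
    ev(2372, 2664, SVCHOST, SVCHOST),
    ev(2348, 500, r"C:\Windows\system32\taskeng.exe",  # ppid 500 is a placeholder
       r"taskeng.exe {6E3D76BD-8BFC-46A5-8DFF-6033B8A99B94} S-1-5-18:NT AUTHORITY\System:Service:"),
    ev(2416, 2348, NETSF_YOUWIN, NETSF_YOUWIN),
    ev(1648, 2416, SVCHOST, SVCHOST),
    # Constructed benign control rows: services.exe starting a normal svchost.
    ev(600, 500, r"C:\Windows\system32\services.exe", "services.exe"),
    ev(700, 600, SVCHOST, r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# sc.exe stopping/deleting the Defender service; 'config' is a common variant.
SC_WINDEFEND = re.compile(r"\bsc(?:\.exe)?\b.*\b(?:stop|delete|config)\b.*\bWinDefend\b", re.I)
# Any Set-MpPreference -Disable<Feature> $true / 1 (the report shows RealtimeMonitoring).
MP_DISABLE = re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(?:\$true|1)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        if name == "sc.exe" and SC_WINDEFEND.search(e["cmd"]):
            findings.append(Finding("defender_service_tamper", e["pid"], e["image"]))
        if name == "powershell.exe" and MP_DISABLE.search(e["cmd"]):
            findings.append(Finding("defender_realtime_disabled", e["pid"], e["image"]))
        # svchost.exe is normally started by services.exe from C:\Windows; a parent in
        # a user-writable path is the injection pattern seen with 2664 -> 2372 above.
        if name == "svchost.exe" and parent and not WINDOWS_DIR.match(parent["image"]):
            findings.append(Finding("svchost_from_user_writable_parent", e["pid"], e["image"]))
        # The task engine launching an executable out of %AppData%: persistence.
        if parent and basename(parent["image"]) == "taskeng.exe" and APPDATA.search(e["image"]):
            findings.append(Finding("scheduled_task_runs_appdata_exe", e["pid"], e["image"]))
    return findings


def lineage(events, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f.rule:36} pid={f.pid:<5} via {' > '.join(lineage(EVENTS, f.pid))}")
```

The lineage helper is what turns three separate alerts on sc.exe, powershell.exe and svchost.exe into one incident rooted at the submitted youwin.exe; in a real pipeline you would key the same logic on ProcessGuid rather than PID, since PIDs are reused.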
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\0f5007522459c86e95ffcc62f32308f1_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d
  Filesize: 1KB
  MD5: 7efc0e6149fcccc7338ff11daba56082
  SHA1: 6571352af9bc3159da73139f8c572910a9b6cb9e
  SHA256: 73e1e14862a1607b5342daaa156d6be1a5b015c46ea2edcf5ec50696c315f568
  SHA512: 1f25ea7cd55acc974bfa0fb19410d07a912d982e302ec8490c6227587beb6c08102b101a0b01d46c5b487657c48fc57732b152a9db96208df94db826c76ccf49
- (path not shown on the page; hashes identical to the submitted target Malware-1-master/youwin.exe)
  Filesize: 379KB
  MD5: c3f3773a596db65c6491b578db621c45
  SHA1: ba5529fe2d6648ebfa93c17145f5570f448e1111
  SHA256: dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c
  SHA512: 8d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061