Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
111s -
max time network
88s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/01/2025, 22:57
Static task
static1
Behavioral task
behavioral1
Sample
7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe
Resource
win7-20240903-en
General
-
Target
7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe
-
Size
278KB
-
MD5
063c7d5dccfda3e0b0ad858820e32060
-
SHA1
4aae1fc23e48804b98a778f1b2786ffa05e3a689
-
SHA256
7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026
-
SHA512
f04bff72be28e76e729a8cadfa726f45803847899f58b6dccdf1853b647520be9cc80b4ab6c409f6f0db589b8f78d2ccf7d6fc6ea639d7bfbe7e1f3ffc7f17ef
-
SSDEEP
6144:lgRqbGn6NH+qcEDlCC/R4eilAZ88K8snV7mv+Juo:l+qbGceGlD/yeLZV4A2Ju
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 8 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2524-37-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/1676-41-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/2524-39-0x0000000000400000-0x0000000000468000-memory.dmp family_cycbot behavioral1/memory/1676-42-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/2524-96-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/2308-98-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/2524-207-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot behavioral1/memory/2524-211-0x0000000000400000-0x000000000046B000-memory.dmp family_cycbot -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe -
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 1468 7FC.tmp -
Loads dropped DLL 2 IoCs
pid Process 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BF8.exe = "C:\\Program Files (x86)\\LP\\43C3\\BF8.exe" 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource yara_rule behavioral1/memory/2524-2-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2524-37-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1676-41-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1676-40-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2524-39-0x0000000000400000-0x0000000000468000-memory.dmp upx behavioral1/memory/1676-42-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2524-96-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2308-98-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2524-207-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2524-211-0x0000000000400000-0x000000000046B000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\43C3\BF8.exe 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe File opened for modification C:\Program Files (x86)\LP\43C3\BF8.exe 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe File opened for modification C:\Program Files (x86)\LP\43C3\7FC.tmp 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7FC.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1844 explorer.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeRestorePrivilege 2428 msiexec.exe Token: SeTakeOwnershipPrivilege 2428 msiexec.exe Token: SeSecurityPrivilege 2428 msiexec.exe Token: SeShutdownPrivilege 1844 explorer.exe Token: SeShutdownPrivilege 1844 explorer.exe Token: SeShutdownPrivilege 1844 explorer.exe Token: SeShutdownPrivilege 1844 explorer.exe Token: SeShutdownPrivilege 1844 explorer.exe Token: SeShutdownPrivilege 1844 explorer.exe Token: SeShutdownPrivilege 1844 explorer.exe Token: SeShutdownPrivilege 1844 explorer.exe Token: SeShutdownPrivilege 1844 explorer.exe Token: SeShutdownPrivilege 1844 explorer.exe Token: SeShutdownPrivilege 1844 explorer.exe Token: SeShutdownPrivilege 1844 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe 1844 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2524 wrote to memory of 1676 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 31 PID 2524 wrote to memory of 1676 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 31 PID 2524 wrote to memory of 1676 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 31 PID 2524 wrote to memory of 1676 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 31 PID 2524 wrote to memory of 2308 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 33 PID 2524 wrote to memory of 2308 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 33 PID 2524 wrote to memory of 2308 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 33 PID 2524 wrote to memory of 2308 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 33 PID 2524 wrote to memory of 1468 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 37 PID 2524 wrote to memory of 1468 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 37 PID 2524 wrote to memory of 1468 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 37 PID 2524 wrote to memory of 1468 2524 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe 37 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe"C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exeC:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe startC:\Users\Admin\AppData\Roaming\30656\3CD43.exe%C:\Users\Admin\AppData\Roaming\306562⤵
- System Location Discovery: System Language Discovery
PID:1676
-
-
C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exeC:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe startC:\Program Files (x86)\56BE0\lvvm.exe%C:\Program Files (x86)\56BE02⤵
- System Location Discovery: System Language Discovery
PID:2308
-
-
C:\Program Files (x86)\LP\43C3\7FC.tmp"C:\Program Files (x86)\LP\43C3\7FC.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1468
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1844
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5d577758ec1422cd8f7d7aa179b80acf2
SHA1f88c5e68a6a0a90d9359a4ff5f48675e84b723ed
SHA25613fc4074052ee15ced087afe6c335ee5e83a4a543ec0c5dc706b9d533dc37c54
SHA512b1e709f872a424502e518264bee78273e231f405c916ad42379fb5da14dfe0b8735ba8d7c7f449f299b2a11637f171df05f05fd0032698a6748f2ea8e99afa7b
-
Filesize
1KB
MD5f4d25e40a264eba99a7861ae9811fa21
SHA18d9292e8425e6f6c7f35e5a428d967b750d867bd
SHA256246674b02765f12f74492c68759b32f78a09e998a27112bf43e2729eae3d513b
SHA51205d6dbe099b368b21a10ebcfdcf0bfb040ff2e21624ee5bd833d4be0aa7705efc3e5a50bbbc1225e278519126837849720f2022c5729698a1e3622b8038f8c11
-
Filesize
600B
MD530a1b693e209ac5c3107ae3c9f456fa1
SHA124744cc3e373429d3624f732e2247d480228c5c3
SHA2563d550829abb63fe3653b226c56567059599f969de78ae0e14995629b08ca145c
SHA512d0a686f2cbb9a2bfde2f16c77bc841462ca1b01bc0c9a7ec9aa5597239fea877eab8f7ac67b463ef2adc6661d8e4709d53c1c02b13c49988e3ab7fc98c6f8862
-
Filesize
300B
MD5af46816e45876db18a7e853c3a64144f
SHA1f2f39bdfff9295466aa27c06d52b27b65dcb2aa5
SHA25696bee65fcca0a99e897d302bf511d31daddc029a646de369773d94920a3e9560
SHA51274eef2098d3344f4f554f300ba5b8fd8838048050aac83d5163f12a15e537f57ba83895c50098547358f47ed105287af7b2d3e03a6209f0f7c864b36206b90b2
-
Filesize
99KB
MD555ce0a78d2d9f3b77a707191cbb289cc
SHA1a45bfce1c2de0de0f3222f9e388a1d19a84c0c07
SHA2561cd3bf36ce50f03435f912f72092a561a9106f92f1a94b6028db3012960c5c2a
SHA51250727fd305ef36f6dc28a8a1a7f12df2e82e024a89be0d51e79e034c8de99fbf3a0c71b5578a0c1171296724e7c39121443d2568b62edc4ef5a75da626e7b319