Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
111s -
max time network
88s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
15/01/2025, 22:57 UTC
General
-
Target
7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe
-
Size
278KB
-
MD5
063c7d5dccfda3e0b0ad858820e32060
-
SHA1
4aae1fc23e48804b98a778f1b2786ffa05e3a689
-
SHA256
7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026
-
SHA512
f04bff72be28e76e729a8cadfa726f45803847899f58b6dccdf1853b647520be9cc80b4ab6c409f6f0db589b8f78d2ccf7d6fc6ea639d7bfbe7e1f3ffc7f17ef
-
SSDEEP
6144:lgRqbGn6NH+qcEDlCC/R4eilAZ88K8snV7mv+Juo:l+qbGceGlD/yeLZV4A2Ju
Malware Config
Signatures
-
Cycbot
Cycbot is a backdoor and trojan written in C++..
-
Cycbot family
-
Detects Cycbot payload 8 IoCs
Cycbot is a backdoor and trojan written in C++.
-
Modifies security service 2 TTPs 1 IoCs
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe"C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exeC:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe startC:\Users\Admin\AppData\Roaming\30656\3CD43.exe%C:\Users\Admin\AppData\Roaming\306562⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exeC:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe startC:\Program Files (x86)\56BE0\lvvm.exe%C:\Program Files (x86)\56BE02⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\43C3\7FC.tmp"C:\Program Files (x86)\LP\43C3\7FC.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
-
DNScrl.microsoft.comRemote address:8.8.8.8:53Requestcrl.microsoft.comIN AResponsecrl.microsoft.comIN CNAMEcrl.www.ms.akadns.netcrl.www.ms.akadns.netIN CNAMEa1363.dscg.akamai.neta1363.dscg.akamai.netIN A2.19.117.22a1363.dscg.akamai.netIN A2.19.117.18 -
GEThttp://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlRemote address:2.19.117.22:80RequestGET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 1036
Content-Type: application/octet-stream
Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
ETag: 0x8DD1A40E476D877
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 34cf8d72-601e-004e-4135-4c7962000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 15 Jan 2025 22:57:54 GMT
Connection: keep-alive
-
DNSwww.microsoft.comRemote address:8.8.8.8:53Requestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A2.22.5.218
-
GEThttp://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlRemote address:2.22.5.218:80RequestGET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: HqJzZuA065RHozzmOcAUiQ==
Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
ETag: 0x8DD34DBD43549F4
x-ms-request-id: 4af9e31c-501e-006a-54cb-668fc2000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 15 Jan 2025 22:57:54 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV3abb56ab.0
ms-cv-esi: CASMicrosoftCV3abb56ab.0
X-RTag: RT
-
DNScsc3-2004-crl.verisign.comRemote address:8.8.8.8:53Requestcsc3-2004-crl.verisign.comIN AResponse
-
DNSclassicbattletech.comRemote address:8.8.8.8:53Requestclassicbattletech.comIN AResponseclassicbattletech.comIN A72.52.178.23
-
DNSe7muqwdx.renamesys5.comRemote address:8.8.8.8:53Requeste7muqwdx.renamesys5.comIN AResponse
-
GEThttp://classicbattletech.com/lhous6.gif?pr=gHZutDyMv5rJej7ia9nrmsl6giWz%2BJZbVyA%3DRemote address:72.52.178.23:80RequestGET /lhous6.gif?pr=gHZutDyMv5rJej7ia9nrmsl6giWz%2BJZbVyA%3D HTTP/1.0
Connection: close
Host: classicbattletech.com
Accept: */*
User-Agent: chrome/9.0
-
DNSpsw.renamesys5.comRemote address:8.8.8.8:53Requestpsw.renamesys5.comIN AResponse
-
DNSx6y.regfeedbackaccess.comRemote address:8.8.8.8:53Requestx6y.regfeedbackaccess.comIN AResponse
-
DNS88kre4xk.limfoklubs.comRemote address:8.8.8.8:53Request88kre4xk.limfoklubs.comIN AResponse
-
DNSTRANSERSDATAFORME.COMRemote address:8.8.8.8:53RequestTRANSERSDATAFORME.COMIN AResponse
-
DNSwww.google.comRemote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.187.196
-
GEThttp://www.google.com/Remote address:142.250.187.196:80RequestGET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
ResponseHTTP/1.0 302 Found
Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLD7oLwGIjDdfLGgIi4OVUw8HSN-5eO4VB4y8VValrVvgI5aOACiv0E0TNrDGfO7v3sBUmJtV0IyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwIsPugvAYQyZy_twMSBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-DYmkvJSAxlBQLfRUaWMH2w' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 15 Jan 2025 22:58:56 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-X1xRpOi9PSTy2TJ-q87H2rduaiB-gCeReQ4bIY6K8X3U-b24jKqg; expires=Mon, 14-Jul-2025 22:58:56 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
GEThttp://www.google.com/Remote address:142.250.187.196:80RequestGET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 302 Found
Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLH7oLwGIjDeNb9IiMkZGomSJb1C98qIluzp6hqjcQf1gAaQecS8DTjryjhBjUu_A3XDwOo5ux4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
x-hallmonitor-challenge: CgwIsfugvAYQqurO1gESBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-828mdAvLpEGrRR3S6QIZnA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Wed, 15 Jan 2025 22:58:57 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-X7fi4bVM9DmO7oIeF4-vIhpG8-aeCAbZdGwrFz9Pb-A4f-UU1du-w; expires=Mon, 14-Jul-2025 22:58:57 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
GEThttp://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLH7oLwGIjDeNb9IiMkZGomSJb1C98qIluzp6hqjcQf1gAaQecS8DTjryjhBjUu_A3XDwOo5ux4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMRemote address:142.250.187.196:80RequestGET /sorry/index?continue=http://www.google.com/&q=EgS117BTGLH7oLwGIjDeNb9IiMkZGomSJb1C98qIluzp6hqjcQf1gAaQecS8DTjryjhBjUu_A3XDwOo5ux4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 429 Too Many Requests
Date: Wed, 15 Jan 2025 22:58:57 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close
-
2.19.117.22:80http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlhttp
HTTP Request
GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlHTTP Response
200 -
2.22.5.218:80http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlhttp
HTTP Request
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlHTTP Response
200 -
72.52.178.23:80http://classicbattletech.com/lhous6.gif?pr=gHZutDyMv5rJej7ia9nrmsl6giWz%2BJZbVyA%3Dhttp
HTTP Request
GET http://classicbattletech.com/lhous6.gif?pr=gHZutDyMv5rJej7ia9nrmsl6giWz%2BJZbVyA%3D -
127.0.0.1:58404 -
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
127.0.0.1:58404
-
142.250.187.196:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
302 -
142.250.187.196:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
302 -
142.250.187.196:80http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLH7oLwGIjDeNb9IiMkZGomSJb1C98qIluzp6hqjcQf1gAaQecS8DTjryjhBjUu_A3XDwOo5ux4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMhttp
HTTP Request
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGLH7oLwGIjDeNb9IiMkZGomSJb1C98qIluzp6hqjcQf1gAaQecS8DTjryjhBjUu_A3XDwOo5ux4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMHTTP Response
429 -
127.0.0.1:58404
-
127.0.0.1:58404
-
8.8.8.8:53crl.microsoft.comdns
DNS Request
crl.microsoft.com
DNS Response
2.19.117.222.19.117.18
-
8.8.8.8:53www.microsoft.comdns
DNS Request
www.microsoft.com
DNS Response
2.22.5.218
-
8.8.8.8:53csc3-2004-crl.verisign.comdns
DNS Request
csc3-2004-crl.verisign.com
-
8.8.8.8:53classicbattletech.comdns
DNS Request
classicbattletech.com
DNS Response
72.52.178.23
-
8.8.8.8:53e7muqwdx.renamesys5.comdns
DNS Request
e7muqwdx.renamesys5.com
-
8.8.8.8:53psw.renamesys5.comdns
DNS Request
psw.renamesys5.com
-
8.8.8.8:53x6y.regfeedbackaccess.comdns
DNS Request
x6y.regfeedbackaccess.com
-
8.8.8.8:5388kre4xk.limfoklubs.comdns
DNS Request
88kre4xk.limfoklubs.com
-
8.8.8.8:53TRANSERSDATAFORME.COMdns
DNS Request
TRANSERSDATAFORME.COM
-
8.8.8.8:53www.google.comdns
DNS Request
www.google.com
DNS Response
142.250.187.196
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
996B
MD5d577758ec1422cd8f7d7aa179b80acf2
SHA1f88c5e68a6a0a90d9359a4ff5f48675e84b723ed
SHA25613fc4074052ee15ced087afe6c335ee5e83a4a543ec0c5dc706b9d533dc37c54
SHA512b1e709f872a424502e518264bee78273e231f405c916ad42379fb5da14dfe0b8735ba8d7c7f449f299b2a11637f171df05f05fd0032698a6748f2ea8e99afa7b
-
Filesize
1KB
MD5f4d25e40a264eba99a7861ae9811fa21
SHA18d9292e8425e6f6c7f35e5a428d967b750d867bd
SHA256246674b02765f12f74492c68759b32f78a09e998a27112bf43e2729eae3d513b
SHA51205d6dbe099b368b21a10ebcfdcf0bfb040ff2e21624ee5bd833d4be0aa7705efc3e5a50bbbc1225e278519126837849720f2022c5729698a1e3622b8038f8c11
-
Filesize
600B
MD530a1b693e209ac5c3107ae3c9f456fa1
SHA124744cc3e373429d3624f732e2247d480228c5c3
SHA2563d550829abb63fe3653b226c56567059599f969de78ae0e14995629b08ca145c
SHA512d0a686f2cbb9a2bfde2f16c77bc841462ca1b01bc0c9a7ec9aa5597239fea877eab8f7ac67b463ef2adc6661d8e4709d53c1c02b13c49988e3ab7fc98c6f8862
-
Filesize
300B
MD5af46816e45876db18a7e853c3a64144f
SHA1f2f39bdfff9295466aa27c06d52b27b65dcb2aa5
SHA25696bee65fcca0a99e897d302bf511d31daddc029a646de369773d94920a3e9560
SHA51274eef2098d3344f4f554f300ba5b8fd8838048050aac83d5163f12a15e537f57ba83895c50098547358f47ed105287af7b2d3e03a6209f0f7c864b36206b90b2
-
Filesize
99KB
MD555ce0a78d2d9f3b77a707191cbb289cc
SHA1a45bfce1c2de0de0f3222f9e388a1d19a84c0c07
SHA2561cd3bf36ce50f03435f912f72092a561a9106f92f1a94b6028db3012960c5c2a
SHA51250727fd305ef36f6dc28a8a1a7f12df2e82e024a89be0d51e79e034c8de99fbf3a0c71b5578a0c1171296724e7c39121443d2568b62edc4ef5a75da626e7b319
-
Filesize
112KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
416KB
-
Filesize
428KB
-
Filesize
416KB
-
Filesize
428KB