Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
Date                 Task ID              Score
23/03/2025, 00:07    250323-aejphstxdx    8
23/03/2025, 00:06    250323-adrzhaxqz8    8
23/03/2025, 00:05    250323-adkkestxbw    3
23/03/2025, 00:02    250323-abxrzaxqw9    10
20/03/2025, 23:27    250320-3fd5mstrw6    10
01/03/2025, 19:51    250301-ykw4sszqy9    8
01/03/2025, 19:50    250301-yj8ffazqx8    8
01/03/2025, 19:47    250301-yh1dfazxev    8
01/03/2025, 19:45    250301-yghr1azp15    10
26/02/2025, 02:07    250226-ckdrka1m15    10

Analysis
max time kernel: 5s
max time network: 4s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23/03/2025, 00:05
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo
Resource: win7-20240903-en

General
Target: https://github.com/Da2dalus/The-MALWARE-Repo

Malware Config

Signatures
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description    ioc                                                           Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   IEXPLORE.EXE
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow (1 IoCs)
pid     Process
2128    iexplore.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid     Process
2128    iexplore.exe
2128    iexplore.exe
2596    IEXPLORE.EXE
2596    IEXPLORE.EXE

Suspicious use of WriteProcessMemory (7 IoCs)
description                           pid     Process         procid_target
PID 2980 wrote to memory of 2128      2980    explorer.exe    31
PID 2980 wrote to memory of 2128      2980    explorer.exe    31
PID 2980 wrote to memory of 2128      2980    explorer.exe    31
PID 2128 wrote to memory of 2596      2128    iexplore.exe    32
PID 2128 wrote to memory of 2596      2128    iexplore.exe    32
PID 2128 wrote to memory of 2596      2128    iexplore.exe    32
PID 2128 wrote to memory of 2596      2128    iexplore.exe    32
Processes
C:\Windows\explorer.exe
    Command line: explorer https://github.com/Da2dalus/The-MALWARE-Repo
    PID: 2716

C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    PID: 2980
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Da2dalus/The-MALWARE-Repo
        PID: 2128
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2
            PID: 2596
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads