Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
34s -
max time network
42s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
19/09/2022, 01:13
Static task
static1
Behavioral task
behavioral1
Sample
7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe
Resource
win10v2004-20220812-en
General
-
Target
7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe
-
Size
16KB
-
MD5
f440616f4e196c7a94c055f714960985
-
SHA1
42f7942c3c9454abc6d69b66c5633a17e65d3df5
-
SHA256
7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63
-
SHA512
bac004d0d3d723593ea871c627de0fe296fb21b96fa68cff311d781f2fe223c0d3bd55e24748130ce1613df0b6c2e1ecd1a15bf3af683660b5551aba8348f30b
-
SSDEEP
384:a4wUAVoSxMqXtrcsgFyeiQ4jK7TaYCSwx5E:nf0oOMqbgFyed8kTvCxy
Malware Config
Signatures
-
Modifies AppInit DLL entries 2 TTPs
-
Deletes itself 1 IoCs
pid Process 1428 cmd.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\dsound.dll.bak 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe File created C:\Windows\SysWOW64\dsound.dll 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\MSnoipds.dat 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe File opened for modification C:\Windows\Fonts\AeioFs.dat 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe File created C:\Windows\Fonts\kb11935041.dll 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe File opened for modification C:\Windows\Fonts\kb11935041.dll 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA74B10B-4DDF-4ee0-966F-7B232A45068E} 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA74B10B-4DDF-4ee0-966F-7B232A45068E}\InprocServer32\ = "C:\\Windows\\Fonts\\kb11935041.dll" 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA74B10B-4DDF-4ee0-966F-7B232A45068E}\InprocServer32 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 784 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe 784 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 784 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 784 wrote to memory of 1428 784 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe 26 PID 784 wrote to memory of 1428 784 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe 26 PID 784 wrote to memory of 1428 784 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe 26 PID 784 wrote to memory of 1428 784 7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe 26
Processes
-
C:\Users\Admin\AppData\Local\Temp\7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe"C:\Users\Admin\AppData\Local\Temp\7dd2c583d5fcd3ec97cc03940f2b16d1b5558f2d52f82e375dec150e1061fb63.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\del6c8ff1.bat2⤵
- Deletes itself
PID:1428
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
270B
MD5c85271bd390679dd0b7de9b6f82cdbe4
SHA1a4c5293a14caba51eed4a2a9cf15c8583c694338
SHA256aea03b4f6f2793961aeab20d8d51ba4da01b951463a15fa5f33cd5522c5593bb
SHA512b97c85d64728ac9fef4929feefe2d2982e0bb71a21276d55a6d040b69fcf7523aea5e3f55d230185b4defdb31286988439dc51c8f1ff1fb85f2a3ec86cc7792b