Analysis
max time kernel: 151s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2022, 07:39
Static task: static1
Behavioral task: behavioral1
Sample: 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
Resource: win7-20220812-en
General
Target: 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
Size: 421KB
MD5: 0a9ec679a384121c95204d4c259202ef
SHA1: 44e703e7ddafe82e6bbdc119760a07f69471ca32
SHA256: 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc
SHA512: 195e4c1e52a245839de83da5cce409049fb1e10c5af3763659a68de0b0e310932056cb0a8456e0bff2d8fb43e8c40fcf59084cc88387bce2e4276109388d0cc8
SSDEEP: 12288:RaG4mtL6wfPAdTqrNH30dC0dM17/PmX2A:Rz4mtL6wH2QNX4C0dM1DmmA
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\system32\\isass.exe" | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe

Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | isass.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | isass.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | isass.exe

Modifies security service (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | isass.exe
Windows security bypass
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | isass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | isass.exe
Disables Task Manager via registry modification

Executes dropped EXE (2 IoCs)
  pid | process
  984 | isass.exe
  268 | isass.exe

  resource | yara_rule
  behavioral1/memory/1792-63-0x0000000000400000-0x00000000004F7000-memory.dmp | upx
  behavioral1/memory/1792-65-0x0000000000400000-0x00000000004F7000-memory.dmp | upx
  behavioral1/memory/1792-67-0x0000000000400000-0x00000000004F7000-memory.dmp | upx
  behavioral1/memory/1792-69-0x0000000000400000-0x00000000004F7000-memory.dmp | upx
  behavioral1/memory/1792-71-0x0000000000400000-0x00000000004F7000-memory.dmp | upx
  behavioral1/memory/1792-72-0x0000000000400000-0x00000000004F7000-memory.dmp | upx
  behavioral1/memory/1792-73-0x0000000000400000-0x00000000004F7000-memory.dmp | upx
  behavioral1/memory/1792-81-0x0000000000400000-0x00000000004F7000-memory.dmp | upx
  behavioral1/memory/268-98-0x0000000000400000-0x00000000004F7000-memory.dmp | upx
  behavioral1/memory/268-99-0x0000000000400000-0x00000000004F7000-memory.dmp | upx
  behavioral1/memory/268-100-0x0000000000400000-0x00000000004F7000-memory.dmp | upx
  behavioral1/memory/268-101-0x0000000000400000-0x00000000004F7000-memory.dmp | upx

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | isass.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe

Loads dropped DLL (2 IoCs)
  pid | process
  1792 | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
  1792 | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
Windows security modification
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | isass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | isass.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\isass = "C:\\system32\\isass.exe" | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | isass.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | procid_target
  PID 112 set thread context of 1792 | 112 | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe | 27
  PID 984 set thread context of 268 | 984 | isass.exe | 29

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | isass.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | isass.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | isass.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | isass.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | isass.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  268 | isass.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (one IoC per token) | 1792 | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (one IoC per token) | 268 | isass.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | process
  112 | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
  112 | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
  984 | isass.exe
  984 | isass.exe
  268 | isass.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | process | procid_target
  PID 112 wrote to memory of 1792 (8 IoCs) | 112 | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe | 27
  PID 1792 wrote to memory of 984 (4 IoCs) | 1792 | 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe | 28
  PID 984 wrote to memory of 268 (8 IoCs) | 984 | isass.exe | 29

System policy modification (1 TTPs, 3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | isass.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | isass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | isass.exe
Processes
C:\Users\Admin\AppData\Local\Temp\629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 112

  C:\Users\Admin\AppData\Local\Temp\629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe (child of PID 112)
    command line: C:\Users\Admin\AppData\Local\Temp\629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1792

    C:\system32\isass.exe (child of PID 1792)
      command line: "C:\system32\isass.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 984

      C:\system32\isass.exe (child of PID 984)
        command line: C:\system32\isass.exe
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Windows security modification
        - Adds Run key to start application
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - System policy modification
        PID: 268
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 421KB
MD5: 0a9ec679a384121c95204d4c259202ef
SHA1: 44e703e7ddafe82e6bbdc119760a07f69471ca32
SHA256: 629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc
SHA512: 195e4c1e52a245839de83da5cce409049fb1e10c5af3763659a68de0b0e310932056cb0a8456e0bff2d8fb43e8c40fcf59084cc88387bce2e4276109388d0cc8