Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
01/10/2022, 19:31
Static task
static1
Behavioral task
behavioral1
Sample
42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe
Resource
win10v2004-20220812-en
General
-
Target
42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe
-
Size
208KB
-
MD5
0422556b674590940816f1f31b4c590c
-
SHA1
07b9b67e4bdbf7de55bfc9374a863ec44ea93373
-
SHA256
42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75
-
SHA512
04f7f20a6399f6aeb5266a7e4626869bb035460d61fd87c7b4f5ad33ba1d4142a180375368b77ae078aad3456bf99b2e301e4c9d4ecafdf7dbee7bf0b3ec70a9
-
SSDEEP
1536:Vfuxw10lxJM5y8w5OZRVmgyDl+cWaxJcveQZNTRSb3EBAR1AlQPsxjheYhpXN5yh:f0OtF2Qo7VsJgisxlYegEX0ZZbW
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 1740 svhust.exe 1892 svhust.exe 1764 svhust.exe -
resource yara_rule behavioral1/memory/1880-59-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/1880-61-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/1880-62-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/1880-65-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/1880-66-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/1880-69-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/1764-94-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/1764-98-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/1764-99-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/1764-106-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/1764-107-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/1880-108-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/1892-109-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/1764-110-0x0000000000400000-0x0000000000479000-memory.dmp upx behavioral1/memory/1892-113-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/1764-114-0x0000000000400000-0x0000000000479000-memory.dmp upx -
Loads dropped DLL 4 IoCs
pid Process 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhust = "C:\\Users\\Admin\\AppData\\Roaming\\svhust\\svhust.exe" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run svhust.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VideoDriver = "C:\\Windows\\system32\\winldr.exe" svhust.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\winldr.exe svhust.exe File opened for modification C:\Windows\SysWOW64\winldr.exe svhust.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 736 set thread context of 1880 736 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 27 PID 1740 set thread context of 1892 1740 svhust.exe 33 PID 1740 set thread context of 1764 1740 svhust.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe Token: SeDebugPrivilege 1892 svhust.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1764 svhust.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 736 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 1740 svhust.exe 1892 svhust.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 736 wrote to memory of 1880 736 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 27 PID 736 wrote to memory of 1880 736 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 27 PID 736 wrote to memory of 1880 736 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 27 PID 736 wrote to memory of 1880 736 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 27 PID 736 wrote to memory of 1880 736 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 27 PID 736 wrote to memory of 1880 736 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 27 PID 736 wrote to memory of 1880 736 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 27 PID 736 wrote to memory of 1880 736 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 27 PID 1880 wrote to memory of 1072 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 28 PID 1880 wrote to memory of 1072 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 28 PID 1880 wrote to memory of 1072 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 28 PID 1880 wrote to memory of 1072 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 28 PID 1072 wrote to memory of 2028 1072 cmd.exe 30 PID 1072 wrote to memory of 2028 1072 cmd.exe 30 PID 1072 wrote to memory of 2028 1072 cmd.exe 30 PID 1072 wrote to memory of 2028 1072 cmd.exe 30 PID 1880 wrote to memory of 1740 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 31 PID 1880 wrote to memory of 1740 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 31 PID 1880 wrote to memory of 1740 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 31 PID 1880 wrote to memory of 1740 1880 42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe 31 PID 1740 wrote to memory of 1892 1740 svhust.exe 33 PID 1740 wrote to memory of 1892 1740 svhust.exe 33 PID 1740 wrote to memory of 1892 1740 svhust.exe 33 PID 1740 wrote to memory of 1892 1740 svhust.exe 33 PID 1740 wrote to memory of 1892 1740 svhust.exe 33 PID 1740 wrote to memory of 1892 1740 svhust.exe 33 PID 1740 wrote to memory of 1892 1740 svhust.exe 33 PID 1740 wrote to memory of 1892 1740 svhust.exe 33 PID 1740 wrote to memory of 1764 1740 svhust.exe 32 PID 1740 wrote to memory of 1764 1740 svhust.exe 32 PID 1740 wrote to memory of 1764 1740 svhust.exe 32 PID 1740 wrote to memory of 1764 1740 svhust.exe 32 PID 1740 wrote to memory of 1764 1740 svhust.exe 32 PID 1740 wrote to memory of 1764 1740 svhust.exe 32 PID 1740 wrote to memory of 1764 1740 svhust.exe 32 PID 1740 wrote to memory of 1764 1740 svhust.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe"C:\Users\Admin\AppData\Local\Temp\42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Users\Admin\AppData\Local\Temp\42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe"C:\Users\Admin\AppData\Local\Temp\42463183ee6cb54f3892fe29c7dd44cf76748c3609c474f442ccd4b4aa610c75.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\YOPNV.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svhust" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svhust\svhust.exe" /f4⤵
- Adds Run key to start application
PID:2028
-
-
-
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
PID:1764
-
-
C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"C:\Users\Admin\AppData\Roaming\svhust\svhust.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1892
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
141B
MD5e83a2e0b3c1e03dfb96ffd9924117a45
SHA127a3e4ba115ba1bad0bf094f5b97e768d1ece33e
SHA256655407d94fff9e707712a588d97a2017cc1c9d690a67c688ed0abcb79e452b13
SHA5125f61686a3b7db3544d83a4f2ce1a75868c7dc266709f72a34eafecc3a26696a985b1912a559aed8f5a2cacbfe26be9beae2374340d1801bb18473de785557480
-
Filesize
208KB
MD5efe1fbead822e7726e907da6ca08d336
SHA10b17683f6a6eea7947920a2f4706b99a275b005d
SHA2566f1a8cc34dfb8b41ec8d398ae556ae35a92fb80f5c4055df14cfa51a7cb70b9c
SHA512203c86aeedac947650a1f3e81dc40a3d64d4377c944e8f6f9821640afdf04aca521c574366c05ccd9ea8beca7facafc14f86b6444aabbd42a5c06bf985754438
-
Filesize
208KB
MD5efe1fbead822e7726e907da6ca08d336
SHA10b17683f6a6eea7947920a2f4706b99a275b005d
SHA2566f1a8cc34dfb8b41ec8d398ae556ae35a92fb80f5c4055df14cfa51a7cb70b9c
SHA512203c86aeedac947650a1f3e81dc40a3d64d4377c944e8f6f9821640afdf04aca521c574366c05ccd9ea8beca7facafc14f86b6444aabbd42a5c06bf985754438
-
Filesize
208KB
MD5efe1fbead822e7726e907da6ca08d336
SHA10b17683f6a6eea7947920a2f4706b99a275b005d
SHA2566f1a8cc34dfb8b41ec8d398ae556ae35a92fb80f5c4055df14cfa51a7cb70b9c
SHA512203c86aeedac947650a1f3e81dc40a3d64d4377c944e8f6f9821640afdf04aca521c574366c05ccd9ea8beca7facafc14f86b6444aabbd42a5c06bf985754438
-
Filesize
208KB
MD5efe1fbead822e7726e907da6ca08d336
SHA10b17683f6a6eea7947920a2f4706b99a275b005d
SHA2566f1a8cc34dfb8b41ec8d398ae556ae35a92fb80f5c4055df14cfa51a7cb70b9c
SHA512203c86aeedac947650a1f3e81dc40a3d64d4377c944e8f6f9821640afdf04aca521c574366c05ccd9ea8beca7facafc14f86b6444aabbd42a5c06bf985754438
-
Filesize
208KB
MD5efe1fbead822e7726e907da6ca08d336
SHA10b17683f6a6eea7947920a2f4706b99a275b005d
SHA2566f1a8cc34dfb8b41ec8d398ae556ae35a92fb80f5c4055df14cfa51a7cb70b9c
SHA512203c86aeedac947650a1f3e81dc40a3d64d4377c944e8f6f9821640afdf04aca521c574366c05ccd9ea8beca7facafc14f86b6444aabbd42a5c06bf985754438
-
Filesize
208KB
MD5efe1fbead822e7726e907da6ca08d336
SHA10b17683f6a6eea7947920a2f4706b99a275b005d
SHA2566f1a8cc34dfb8b41ec8d398ae556ae35a92fb80f5c4055df14cfa51a7cb70b9c
SHA512203c86aeedac947650a1f3e81dc40a3d64d4377c944e8f6f9821640afdf04aca521c574366c05ccd9ea8beca7facafc14f86b6444aabbd42a5c06bf985754438
-
Filesize
208KB
MD5efe1fbead822e7726e907da6ca08d336
SHA10b17683f6a6eea7947920a2f4706b99a275b005d
SHA2566f1a8cc34dfb8b41ec8d398ae556ae35a92fb80f5c4055df14cfa51a7cb70b9c
SHA512203c86aeedac947650a1f3e81dc40a3d64d4377c944e8f6f9821640afdf04aca521c574366c05ccd9ea8beca7facafc14f86b6444aabbd42a5c06bf985754438
-
Filesize
208KB
MD5efe1fbead822e7726e907da6ca08d336
SHA10b17683f6a6eea7947920a2f4706b99a275b005d
SHA2566f1a8cc34dfb8b41ec8d398ae556ae35a92fb80f5c4055df14cfa51a7cb70b9c
SHA512203c86aeedac947650a1f3e81dc40a3d64d4377c944e8f6f9821640afdf04aca521c574366c05ccd9ea8beca7facafc14f86b6444aabbd42a5c06bf985754438