Analysis
max time kernel: 150s
max time network: 136s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05/10/2022, 05:27
Static task: static1
Behavioral task: behavioral1
Sample: 39bd9c5c4f811d8dcb54d08d6b001f55aec17e1b1379956774c638bcc64e3e8b.exe
Resource: win10-20220812-en
General
Target: 39bd9c5c4f811d8dcb54d08d6b001f55aec17e1b1379956774c638bcc64e3e8b.exe
Size: 731KB
MD5: fabcaa2c45199a48a6a1675791d8c15a
SHA1: ae1421e50557e023e45610ca918dd9c2848598c5
SHA256: 39bd9c5c4f811d8dcb54d08d6b001f55aec17e1b1379956774c638bcc64e3e8b
SHA512: e70750f39e722b31fa1c266ff9371c8ca24bc8712c153c44d35a39bccddce09d88cf72e2210eba5de1e2051d3f3bd51b0d42715ddaa99cc9ed9a5d192f327092
SSDEEP: 768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid 5088  dllhost.exe
- Adds Run key to start application (2 TTPs, 9 IoCs)
  All nine values were written as strings by dllhost.exe (pid 5088) under
  \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run
  (backslashes shown un-escaped; the forward slash before file.exe is as recorded):
    MicrosoftEdgeUpd             = "C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"
    OneDriveService              = "C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"
    NvStray                      = "C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"
    dllhost                      = "C:\ProgramData\Dllhost\dllhost.exe"
    Cortana                      = "C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe\Cortana.exe"
    WmiPrvSE                     = "C:\Windows\System32\wbem\WmiPrvSE.exe"
    SecurityHealthSystray        = "C:\Windows\System32\SecurityHealthSystray.exe"
    WindowsDefender              = "C:\Program Files\Windows Defender\MpCmdRun.exe"
    AntiMalwareServiceExecutable = "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe"
  Only the dllhost value points at the dropped executable. The other eight reference genuine Windows binaries or a WindowsApps package path, so filtering on value name alone would not isolate the malicious entry; the target path does.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Creates scheduled task(s) (1 TTP, 5 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4088, 2916, 4932, 4808, 1596  schtasks.exe
  All five recorded tasks run C:\ProgramData\Dllhost\dllhost.exe hourly (see the Processes section). Twelve "cmd.exe /c SCHTASKS /CREATE" launches appear under dllhost.exe, but only these five have a schtasks.exe child recorded.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 940   powershell.exe  (3 entries)
  pid 2796  powershell.exe  (3 entries)
  pid 5088  dllhost.exe     (58 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  pid 940   powershell.exe
  Token: SeDebugPrivilege  pid 3004  39bd9c5c4f811d8dcb54d08d6b001f55aec17e1b1379956774c638bcc64e3e8b.exe
  Token: SeDebugPrivilege  pid 2796  powershell.exe
  Token: SeDebugPrivilege  pid 5088  dllhost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each parent/child pair below is recorded three times in the report; the list is capped at 64 entries, so the last pair appears only once. procid_target is the sandbox's own process index.
    pid   Process                                                                  -> target pid  procid_target
    3004  39bd9c5c4f811d8dcb54d08d6b001f55aec17e1b1379956774c638bcc64e3e8b.exe  -> 4868        66
    4868  cmd.exe                                                                  -> 4204        68
    4868  cmd.exe                                                                  -> 940         69
    4868  cmd.exe                                                                  -> 2424        70
    4868  cmd.exe                                                                  -> 2796        71
    3004  39bd9c5c4f811d8dcb54d08d6b001f55aec17e1b1379956774c638bcc64e3e8b.exe  -> 5088        72
    5088  dllhost.exe                                                              -> 1480        73
    5088  dllhost.exe                                                              -> 1400        74
    5088  dllhost.exe                                                              -> 1776        75
    5088  dllhost.exe                                                              -> 1020        96
    5088  dllhost.exe                                                              -> 1920        76
    5088  dllhost.exe                                                              -> 4672        77
    5088  dllhost.exe                                                              -> 204         78
    5088  dllhost.exe                                                              -> 2172        79
    5088  dllhost.exe                                                              -> 2216        95
    5088  dllhost.exe                                                              -> 748         94
    5088  dllhost.exe                                                              -> 1588        85
    5088  dllhost.exe                                                              -> 2684        86
    1480  cmd.exe                                                                  -> 4808        97
    2172  cmd.exe                                                                  -> 1596        98
    1776  cmd.exe                                                                  -> 2916        100
    1020  cmd.exe                                                                  -> 4088        99   (recorded once; list truncated)
Processes
Depth markers [1]..[4] are the process-tree levels from the report; each entry gives image path, PID, command line and the signatures attributed to that process. The sample and dllhost.exe both spawn cmd.exe from SysWOW64, i.e. they run as 32-bit processes under WOW64 file-system redirection. "chcp 1251" switches each console to the Windows Cyrillic code page before the real command runs.

[1] PID 3004  C:\Users\Admin\AppData\Local\Temp\39bd9c5c4f811d8dcb54d08d6b001f55aec17e1b1379956774c638bcc64e3e8b.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\39bd9c5c4f811d8dcb54d08d6b001f55aec17e1b1379956774c638bcc64e3e8b.exe"
    signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [2] PID 4868  C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
        signatures: Suspicious use of WriteProcessMemory

        [3] PID 4204  C:\Windows\SysWOW64\chcp.com
            cmdline: chcp 1251

        [3] PID 940  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

        [3] PID 2424  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"

        [3] PID 2796  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [2] PID 5088  C:\ProgramData\Dllhost\dllhost.exe
        cmdline: "C:\ProgramData\Dllhost\dllhost.exe"
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

        [3] PID 1480  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            signatures: Suspicious use of WriteProcessMemory

            [4] PID 4808  C:\Windows\SysWOW64\schtasks.exe
                cmdline: SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                signatures: Creates scheduled task(s)

        [3] PID 1400  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"

        [3] PID 1776  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            signatures: Suspicious use of WriteProcessMemory

            [4] PID 2916  C:\Windows\SysWOW64\schtasks.exe
                cmdline: SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                signatures: Creates scheduled task(s)

        [3] PID 1920  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

        [3] PID 4672  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"

        [3] PID 204  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"

        [3] PID 2172  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            signatures: Suspicious use of WriteProcessMemory

            [4] PID 1596  C:\Windows\SysWOW64\schtasks.exe
                cmdline: SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                signatures: Creates scheduled task(s)

        [3] PID 1588  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9020" /TR "C:\ProgramData\Dllhost\dllhost.exe"

        [3] PID 2684  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk7897" /TR "C:\ProgramData\Dllhost\dllhost.exe"

        [3] PID 748  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1364" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            (the misspelling "Serice" is the sample's own, as recorded)

        [3] PID 2216  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3403" /TR "C:\ProgramData\Dllhost\dllhost.exe"

            [4] PID 4932  C:\Windows\SysWOW64\schtasks.exe
                cmdline: SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3403" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                signatures: Creates scheduled task(s)

        [3] PID 1020  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            signatures: Suspicious use of WriteProcessMemory

            [4] PID 4088  C:\Windows\SysWOW64\schtasks.exe
                cmdline: SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                signatures: Creates scheduled task(s)

        [3] PID 96  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off

            [4] PID 1572  C:\Windows\SysWOW64\chcp.com
                cmdline: chcp 1251

        [3] PID 2164  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off

            [4] PID 1400  C:\Windows\SysWOW64\chcp.com
                cmdline: chcp 1251

        [3] PID 2132  C:\Windows\SysWOW64\cmd.exe
            cmdline: "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off

            [4] PID 5096  C:\Windows\SysWOW64\chcp.com
                cmdline: chcp 1251

Two things to note when reading the tree. First, three cmd.exe launches of C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off are recorded (PIDs 96, 2164, 2132), but only their chcp.com children appear; no winlogson.exe process is listed, so the report does not show whether it ran. Second, PID 1400 appears twice (a cmd.exe at depth 3 and later a chcp.com at depth 4), which is ordinary PID reuse after the first process exited, not a single process.
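The Signatures and Processes sections above show three behaviours a defender would want to catch from process-creation telemetry: Defender exclusions added through PowerShell, schtasks persistence whose action lives in a user-writable directory under a Windows-component-sounding task name, and a binary named like a system component (dllhost.exe) executing from C:\ProgramData. The following is an added example of that detection logic, written for this page and not part of the tria.ge report or the sample. The event records are constructed from the command lines in the report plus two benign controls with made-up PIDs (7000-7003); the Sysmon-style field names (image, cmdline, ppid), the list of user-writable prefixes and the small masquerade name set are assumptions for the example.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed process-creation events (Sysmon Event ID 1 style fields), modelled on
# the command lines recorded in the Processes section of this report. The last two
# are benign controls with made-up PIDs so the rules have something to not fire on.
EVENTS: List[Dict[str, object]] = [
    {"pid": 4868, "ppid": 3004, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"'},
    {"pid": 940, "ppid": 4868, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"'},
    {"pid": 5088, "ppid": 3004, "image": r"C:\ProgramData\Dllhost\dllhost.exe",
     "cmdline": r'"C:\ProgramData\Dllhost\dllhost.exe"'},
    {"pid": 4808, "ppid": 1480, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"'},
    # Benign controls: a task whose action sits under Program Files, and a read-only Defender query.
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Vendor Updater" /tr "C:\Program Files\Vendor\update.exe"'},
    {"pid": 7003, "ppid": 7002, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Command Get-MpPreference"},
]

# Directories a standard user can write to by default (assumed list for the example).
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\")

# Names of real Windows components that this sample reused as task / Run-key names.
MASQUERADE_NAMES = {"securityhealthsystray", "wmiprvse", "windowsdefender",
                    "antimalwareserviceexecutable", "dllhost", "cortana"}

# Binaries that legitimately live only under the Windows directory.
SYSTEM_BINARIES = {"dllhost.exe", "wmiprvse.exe", "svchost.exe", "msmpeng.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating forward slashes."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    p = path.replace("/", "\\").strip('"').lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or any(m in p for m in USER_WRITABLE_MARKERS)


def schtasks_arg(cmdline: str, switch: str) -> str:
    """Value of a /TN or /TR style switch, quoted or bare; '' if absent."""
    m = re.search(r"(?i)" + re.escape(switch) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def rule_defender_exclusion(ev: Dict[str, object]) -> Optional[str]:
    """Add-MpPreference with an -Exclusion* parameter, whether run directly or via cmd.exe."""
    cl = str(ev["cmdline"])
    if re.search(r"(?i)add-mppreference", cl) and re.search(r"(?i)-exclusion(path|process|extension)", cl):
        return "Defender exclusion added via command line: " + cl[:80]
    return None


def rule_schtasks_persistence(ev: Dict[str, object]) -> Optional[str]:
    """schtasks /create whose action runs from a user-writable path; note masquerading names."""
    cl = str(ev["cmdline"])
    if basename(str(ev["image"])) != "schtasks.exe" or not re.search(r"(?i)/create\b", cl):
        return None
    action, name = schtasks_arg(cl, "/TR"), schtasks_arg(cl, "/TN")
    if not is_user_writable(action):
        return None
    note = f"scheduled task '{name}' runs {action} from a user-writable path"
    if name.split("\\")[-1].lower() in MASQUERADE_NAMES:
        note += " (task name mimics a Windows component)"
    return note


def rule_system_name_wrong_dir(ev: Dict[str, object]) -> Optional[str]:
    """A system-binary name executing from a user-writable directory (dllhost.exe in ProgramData)."""
    image = str(ev["image"])
    if basename(image) in SYSTEM_BINARIES and is_user_writable(image):
        return f"{basename(image)} executing from {image} instead of the Windows directory"
    return None


RULES: Dict[str, Callable[[Dict[str, object]], Optional[str]]] = {
    "defender_exclusion": rule_defender_exclusion,
    "schtasks_user_writable": rule_schtasks_persistence,
    "system_name_wrong_dir": rule_system_name_wrong_dir,
}


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run every rule over every event; one finding per (event, rule) that fires."""
    findings = []
    for ev in events:
        for rule_name, rule in RULES.items():
            msg = rule(ev)
            if msg:
                findings.append({"rule": rule_name, "pid": ev["pid"], "ppid": ev["ppid"], "detail": msg})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} ppid={f['ppid']}: {f['detail']}")
```

Against the constructed events the scan yields four findings (the cmd.exe wrapper and the powershell.exe child both trip the exclusion rule, dllhost.exe in ProgramData trips the wrong-directory rule, and the SecurityHealthSystray task trips the persistence rule) and stays silent on both controls. The persistence rule deliberately keys on the /TR target rather than the task name, for the same reason noted under the Run-key signature above: the names this sample chose are those of genuine Windows components, and only the target path separates them from real entries.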
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists dropped/downloaded files by size and hash only; no file names or paths are given.

- Filesize: 950KB (this entry appears twice in the report with identical hashes)
  MD5: 2ad4b3ae7935c6857df3985e9c643654
  SHA1: 160dff9bc66ea348f2646674930a163c61b4d02e
  SHA256: f02360e2ac8c72416198bb2bb4dc32640d929f030f80ed2a72a2b03204074a81
  SHA512: 706a95d3affbf30d8036a458fcf8b174655d25d683772ff610d393cf7a32b8c29822154d622364abea55df721f5152be585b9d254e9973bdf70d567f504e9ef4
- Filesize: 497B
  MD5: 13fda2ab01b83a5130842a5bab3892d3
  SHA1: 6e18e4b467cde054a63a95d4dfc030f156ecd215
  SHA256: 76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e
  SHA512: c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc
- Filesize: 2KB
  MD5: 1c19c16e21c97ed42d5beabc93391fc5
  SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
  SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
  SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
- Filesize: 18KB
  MD5: 0a66d5219a1c6d4d779c9ff09477247b
  SHA1: a792336dacb71f80b1b07707a77cca6ec03a7b27
  SHA256: 703422c13537dd58f4d24a64ab2a45a1a1083628e317da310376704b19a54155
  SHA512: d2e954dbb06edcd76730d528e9d33d35614b122a770e33e9f15dc1a6d5879d90bbea2e4950dcc778b644d9669658af87c1ed714c85802b869070bc6c233b18a8