Analysis

- max time kernel: 150s
- max time network: 135s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 09/10/2022, 06:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: a98e224833552894b1717b036d5e40e8247a105b6e62da6da0a3e051979b7aed.exe
- Resource: win10-20220812-en
General

- Target: a98e224833552894b1717b036d5e40e8247a105b6e62da6da0a3e051979b7aed.exe
- Size: 733KB
- MD5: d701e7ebc381460a623eb38f6e067819
- SHA1: c4f77e40fbc63c8ba934e13253256f42ca71d90d
- SHA256: a98e224833552894b1717b036d5e40e8247a105b6e62da6da0a3e051979b7aed
- SHA512: db5b9aa4f83fabcf4660e0375ee537de55d54cc4dbfa53da8b9657df47cda35771fe35ffeacb486c154857537226c8f937c2c012638deeaf8300827fbe918e4c
- SSDEEP: 768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR
Malware Config
Signatures

Downloads MZ/PE file (no IoCs listed)

Executes dropped EXE (1 IoC)

pid   Process
1016  dllhost.exe
Adds Run key to start application (2 TTPs, 9 IoCs)

All nine values were written by dllhost.exe as Set value (str) under
\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run
(value data shown with backslashes unescaped):

  SecurityHealthSystray         = "C:\Windows\System32\SecurityHealthSystray.exe"
  WindowsDefender               = "C:\Program Files\Windows Defender\MpCmdRun.exe"
  Cortana                       = "C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe\Cortana.exe"
  WmiPrvSE                      = "C:\Windows\System32\wbem\WmiPrvSE.exe"
  AntiMalwareServiceExecutable  = "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe"
  MicrosoftEdgeUpd              = "C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"
  dllhost                       = "C:\ProgramData\Dllhost\dllhost.exe"
  OneDriveService               = "C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"
  NvStray                       = "C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"

Only the dllhost value points at the dropped binary (C:\ProgramData\Dllhost\dllhost.exe, see Processes). The other names either reference the paths of legitimate Windows and Defender binaries or a WindowsApps directory (Microsoft.x64__8wekyb3gfdfdgd8bbwe, written with a forward slash before file.exe) that does not follow the Name_Version_Arch__PublisherId naming of real package folders, so a hunt that only looks for the value name or for the dropped path will miss most of what was written.
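The following is an added example, not part of the Triage report: a small Python triage pass over the nine Run values above (embedded as constructed input, with the report's backslashes unescaped). It flags the path shapes that stand out in this sample: a forward slash in the value data, a WindowsApps folder name that does not match the real package-directory pattern, a binary under a user-created C:\ProgramData directory, and several value names that resolve to one binary. The ProgramData heuristic and the package-name regex are this example's assumptions, not rules from the report.

```python
import re
from collections import defaultdict

# Constructed sample input: the nine Run values from the signature above as
# (value name, value data, process that wrote it), backslashes unescaped.
RUN_VALUES = [
    ("SecurityHealthSystray", r"C:\Windows\System32\SecurityHealthSystray.exe", "dllhost.exe"),
    ("WindowsDefender", r"C:\Program Files\Windows Defender\MpCmdRun.exe", "dllhost.exe"),
    ("Cortana", r"C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe\Cortana.exe", "dllhost.exe"),
    ("WmiPrvSE", r"C:\Windows\System32\wbem\WmiPrvSE.exe", "dllhost.exe"),
    ("AntiMalwareServiceExecutable",
     r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe", "dllhost.exe"),
    ("MicrosoftEdgeUpd", r"C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe", "dllhost.exe"),
    ("dllhost", r"C:\ProgramData\Dllhost\dllhost.exe", "dllhost.exe"),
    ("OneDriveService", r"C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe", "dllhost.exe"),
    ("NvStray", r"C:\Program Files\WindowsApps\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe", "dllhost.exe"),
]

# Real package directories under WindowsApps are named
# Name_Version_Arch_ResourceId_PublisherId, for example
# Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe: an empty
# ResourceId gives the double underscore and the publisher id is 13 base32
# characters. Assumption of this example: anything else is treated as fake.
PACKAGE_DIR = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9.-]*_\d+(?:\.\d+){3}_(?:x86|x64|arm|arm64|neutral)_[^_\\/]*_[a-hjkmnp-tv-z0-9]{13}$")
WINDOWSAPPS = re.compile(r"^C:\\Program Files\\WindowsApps[\\/]([^\\/]+)", re.I)
PROGRAMDATA = re.compile(r"^C:\\ProgramData\\([^\\/]+)[\\/]", re.I)


def flag_run_value(data):
    """Return heuristic reasons why a Run value's data looks wrong.
    Assumption: a top-level C:\\ProgramData directory other than Microsoft is
    treated as a user-writable drop location."""
    reasons = []
    if "/" in data:
        reasons.append("forward slash in path")
    m = WINDOWSAPPS.match(data)
    if m and not PACKAGE_DIR.match(m.group(1)):
        reasons.append(f"malformed WindowsApps package name {m.group(1)}")
    m = PROGRAMDATA.match(data)
    if m and m.group(1).lower() != "microsoft":
        reasons.append(f"binary under user-writable C:\\ProgramData\\{m.group(1)}")
    return reasons


def triage(values):
    """Map each value name to its reasons; several value names resolving to
    the same binary is added as a decoy-cluster reason."""
    report = {name: flag_run_value(data) for name, data, _ in values}
    by_target = defaultdict(list)
    for name, data, _ in values:
        by_target[data.lower()].append(name)
    for names in by_target.values():
        if len(names) > 1:
            for name in names:
                report[name].append(f"shares target with {len(names) - 1} other value(s)")
    return report


def writers(values):
    """Distinct processes that wrote the values: one process writing a burst of
    Run values under unrelated product names is itself worth alerting on."""
    return sorted({w for _, _, w in values})


if __name__ == "__main__":
    for name, reasons in triage(RUN_VALUES).items():
        print(f"{name:30} {'; '.join(reasons) or 'no path heuristic fired'}")
    print("written by:", ", ".join(writers(RUN_VALUES)))
```

Four of the nine values (SecurityHealthSystray, WindowsDefender, WmiPrvSE, AntiMalwareServiceExecutable) pass every path heuristic, which is the point: the writing process and the burst of writes, not the value data, are what a registry-based detection has to key on.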
Legitimate hosting services abused for malware hosting/C2 (1 TTP, no IoCs listed)

Creates scheduled task(s) (1 TTP, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid   Process
4560  schtasks.exe
1360  schtasks.exe
4504  schtasks.exe
1744  schtasks.exe
1548  schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, collapsed by pid)

pid   Process         entries
4288  powershell.exe  3
3828  powershell.exe  3
4368  powershell.exe  3
1016  dllhost.exe     55
Suspicious use of AdjustPrivilegeToken (5 IoCs)

Token             pid   Process
SeDebugPrivilege  4288  powershell.exe
SeDebugPrivilege  4792  a98e224833552894b1717b036d5e40e8247a105b6e62da6da0a3e051979b7aed.exe
SeDebugPrivilege  3828  powershell.exe
SeDebugPrivilege  4368  powershell.exe
SeDebugPrivilege  1016  dllhost.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report logs each write three times and stops at 64 entries, so the last row appears once)

sample = a98e224833552894b1717b036d5e40e8247a105b6e62da6da0a3e051979b7aed.exe

pid   Process      wrote to pid  procid_target  entries
4792  sample       4944          66             3
4944  cmd.exe      4388          67             3
4944  cmd.exe      4288          69             3
4944  cmd.exe      3828          70             3
4944  cmd.exe      4368          71             3
4792  sample       1016          72             3
1016  dllhost.exe  4084          73             3
1016  dllhost.exe  4296          74             3
1016  dllhost.exe  956           77             3
1016  dllhost.exe  3008          75             3
1016  dllhost.exe  3572          76             3
1016  dllhost.exe  4428          78             3
1016  dllhost.exe  1272          96             3
1016  dllhost.exe  4952          80             3
1016  dllhost.exe  2228          81             3
1016  dllhost.exe  3948          82             3
1016  dllhost.exe  4304          91             3
1016  dllhost.exe  4344          89             3
3572  cmd.exe      4560          97             3
4084  cmd.exe      4504          99             3
3008  cmd.exe      1360          98             3
4952  cmd.exe      1744          100            1
Processes

- PID 4792  C:\Users\Admin\AppData\Local\Temp\a98e224833552894b1717b036d5e40e8247a105b6e62da6da0a3e051979b7aed.exe
  cmdline:    "C:\Users\Admin\AppData\Local\Temp\a98e224833552894b1717b036d5e40e8247a105b6e62da6da0a3e051979b7aed.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 4944  C:\Windows\SysWOW64\cmd.exe
    cmdline:    "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
    signatures: Suspicious use of WriteProcessMemory
    - PID 4388  C:\Windows\SysWOW64\chcp.com
      cmdline:    chcp 1251
    - PID 4288  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline:    powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 3828  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline:    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 4368  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline:    powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 1016  C:\ProgramData\Dllhost\dllhost.exe
    cmdline:    "C:\ProgramData\Dllhost\dllhost.exe"
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - PID 4084  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      signatures: Suspicious use of WriteProcessMemory
      - PID 4504  C:\Windows\SysWOW64\schtasks.exe
        cmdline:    SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        signatures: Creates scheduled task(s)
    - PID 4296  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - PID 3008  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      signatures: Suspicious use of WriteProcessMemory
      - PID 1360  C:\Windows\SysWOW64\schtasks.exe
        cmdline:    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        signatures: Creates scheduled task(s)
    - PID 3572  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      signatures: Suspicious use of WriteProcessMemory
      - PID 4560  C:\Windows\SysWOW64\schtasks.exe
        cmdline:    SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        signatures: Creates scheduled task(s)
    - PID 956   C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - PID 4428  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - PID 4952  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      signatures: Suspicious use of WriteProcessMemory
      - PID 1744  C:\Windows\SysWOW64\schtasks.exe
        cmdline:    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        signatures: Creates scheduled task(s)
    - PID 2228  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3098" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - PID 3948  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5376" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - PID 4344  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk176" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      - PID 1548  C:\Windows\SysWOW64\schtasks.exe
        cmdline:    SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk176" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        signatures: Creates scheduled task(s)
    - PID 4304  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1582" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - PID 1272  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
    - PID 5036  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
      - PID 652   C:\Windows\SysWOW64\chcp.com
        cmdline:    chcp 1251
    - PID 4708  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
      - PID 808   C:\Windows\SysWOW64\chcp.com
        cmdline:    chcp 1251
    - PID 4496  C:\Windows\SysWOW64\cmd.exe
      cmdline:    "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
      - PID 4632  C:\Windows\SysWOW64\chcp.com
        cmdline:    chcp 1251

Two things in this tree are easy to misread. First, the sample adds Defender exclusions for the Desktop folder and for C:\ProgramData\Dllhost and C:\ProgramData\HostData before dropping dllhost.exe into one of them, so the dropped files are never scanned; chcp 1251 (Windows Cyrillic code page) is run first in every cmd.exe wrapper. Second, only five of the twelve SCHTASKS wrappers have a schtasks.exe child recorded (SecurityHealthSystray, AntiMalwareServiceExecutable, dllhost, NvStray, SettingSysHost\...), which is consistent with the five IoCs under Creates scheduled task(s); the other seven, and the three wrappers that launch C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off, show no child other than chcp.com in this report, so whether those tasks and winlogson.exe actually ran cannot be confirmed from this tree alone.
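The process tree above gives enough command-line detail to write a detection that does not depend on file hashes. The following is an added example, not part of the Triage report: a Python pass over constructed process-creation records (pid, parent pid, image, command line) modelled on the tree, plus one invented benign schtasks record so the rules have something they must not fire on. It raises an alert for every Add-MpPreference exclusion run from PowerShell and for every schtasks /CREATE whose /TR target lives in a user-writable location, and groups task names by the binary they run. The set of locations treated as user-writable is this example's assumption.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input modelled on the process tree above. The final
# record (PIDs 9001/9000, AcmeBackup) is invented as a benign control.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ST = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPED = r"C:\ProgramData\Dllhost\dllhost.exe"
EVENTS = [
    (4944, 4792, r"C:\Windows\SysWOW64\cmd.exe",
     '"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\\Desktop"'
     ' & powershell -Command Add-MpPreference -ExclusionPath "C:\\ProgramData\\Dllhost"'
     ' & powershell -Command Add-MpPreference -ExclusionPath "C:\\ProgramData\\HostData"'),
    (4288, 4944, PS, 'powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\\Desktop"'),
    (3828, 4944, PS, 'powershell -Command Add-MpPreference -ExclusionPath "C:\\ProgramData\\Dllhost"'),
    (4368, 4944, PS, 'powershell -Command Add-MpPreference -ExclusionPath "C:\\ProgramData\\HostData"'),
    (4504, 4084, ST, f'SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "{DROPPED}"'),
    (1360, 3008, ST, f'SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "{DROPPED}"'),
    (4560, 3572, ST, f'SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "{DROPPED}"'),
    (1744, 4952, ST, f'SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "{DROPPED}"'),
    (1548, 4344, ST, f'SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\\SettingSysHostService_bk176" /TR "{DROPPED}"'),
    (9001, 9000, r"C:\Windows\System32\schtasks.exe",  # constructed benign record
     'schtasks /create /sc daily /tn "AcmeBackup" /tr "C:\\Program Files\\Acme\\backup.exe"'),
]

# One argument: either a double-quoted string or a bare token.
QUOTED_OR_BARE = r'(?:"([^"]+)"|(\S+))'
EXCLUSION = re.compile(r"-Exclusion(?:Path|Process|Extension)\s+" + QUOTED_OR_BARE, re.I)
TASK_NAME = re.compile(r"/TN\s+" + QUOTED_OR_BARE, re.I)
TASK_RUN = re.compile(r"/TR\s+" + QUOTED_OR_BARE, re.I)
# Assumption: ProgramData outside Microsoft\, user profiles and the
# APPDATA/TEMP variables are locations a scheduled task should not run from.
USER_WRITABLE = re.compile(
    r"^(?:C:\\ProgramData\\(?!Microsoft\\)|C:\\Users\\|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP)%)", re.I)


def _arg(m):
    return m.group(1) if m.group(1) is not None else m.group(2)


def basename(image):
    return PureWindowsPath(image).name.lower()


def detect(events):
    """Return one alert dict per Defender exclusion and per task whose /TR
    target is in a user-writable location. Exclusions are only counted on the
    PowerShell process itself, not on the cmd.exe wrapper that echoes them."""
    alerts = []
    for pid, _ppid, image, cmdline in events:
        exe = basename(image)
        if exe in ("powershell.exe", "pwsh.exe") and "add-mppreference" in cmdline.lower():
            for m in EXCLUSION.finditer(cmdline):
                alerts.append({"pid": pid, "rule": "defender_exclusion", "detail": _arg(m)})
        elif exe == "schtasks.exe" and "/create" in cmdline.lower():
            tn, tr = TASK_NAME.search(cmdline), TASK_RUN.search(cmdline)
            if tn and tr and USER_WRITABLE.match(_arg(tr)):
                alerts.append({"pid": pid, "rule": "task_user_writable_target",
                               "detail": f"{_arg(tn)} -> {_arg(tr)}"})
    return alerts


def task_targets(events):
    """Group created task names by the binary they run (lower-cased), which
    exposes one binary registered under many product-sounding names."""
    targets = defaultdict(list)
    for _pid, _ppid, image, cmdline in events:
        if basename(image) == "schtasks.exe" and "/create" in cmdline.lower():
            tn, tr = TASK_NAME.search(cmdline), TASK_RUN.search(cmdline)
            if tn and tr:
                targets[_arg(tr).lower()].append(_arg(tn))
    return {t: sorted(names) for t, names in targets.items()}


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"pid {a['pid']:5} {a['rule']:26} {a['detail']}")
    for target, names in task_targets(EVENTS).items():
        print(f"{len(names)} task(s) run {target}: {', '.join(names)}")
```

The grouping is the part worth keeping even if the path heuristic is tuned down: five task names that all execute the same file under C:\ProgramData is a stronger signal than any one of the names, several of which (SecurityHealthSystray, AntiMalwareServiceExecutable) are chosen to look like Defender components.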
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 961KB (this entry is listed twice in the report)
  MD5: 9319d92066d7aec70fe1a0351c8b00ca
  SHA1: 402d86b45cf6e52e118ce02bbe3e510950885edb
  SHA256: 2147462f3398edbd92644892f568952d7d01a1c9bb49917f315a8040b23682b1
  SHA512: 7cc533eaf85cc42546f997bb3f96245598b16d56ed7ef1fbb1a9f49d6b8afbb7a3e69f50f92a710befea5daeb9fe905f058429c41f4343cd7f7602c9d41429ac
- Filesize: 497B
  MD5: 13fda2ab01b83a5130842a5bab3892d3
  SHA1: 6e18e4b467cde054a63a95d4dfc030f156ecd215
  SHA256: 76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e
  SHA512: c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc
- Filesize: 2KB
  MD5: 1c19c16e21c97ed42d5beabc93391fc5
  SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
  SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
  SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
- Filesize: 18KB
  MD5: dd528b8761943dfb22d51fb2174cea1d
  SHA1: 802bf831b5d9658d14e73549df6849d19be910ab
  SHA256: aae511ebb2e722eefc9a5807ed72702fe909ae7e9a4b835b089448b4481c1db8
  SHA512: 835eaaeebbdddf2791d482a4a48c081447b89acba67005ea769f0382d19c3612d6e4015eed3df4fd42f5d1a9183025a7243291ed71d98639ce44d99c195d2dc1
- Filesize: 18KB
  MD5: c5e512605e1107a886332f259e75f0fe
  SHA1: a718117973b460d505e82806e611e662aa649939
  SHA256: ed60ee3a601ca8951c0bfd54d880309745590c07c3ce953471bf377f3345eec5
  SHA512: 0bd0cdc33b90c250c8c4892c57bc341d62fe16eca018d0837af9c650130da9212cf55a30b03e13572d9a01d70d38a73864f40829f8b3dbbce7bda36b783866b7