Analysis
- max time kernel: 151s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 11/10/2022, 00:03
Static task: static1
Behavioral task: behavioral1
- Sample: db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe
- Resource: win10v2004-20220812-en
General
- Target: db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe
- Size: 192KB
- MD5: 7565c3c29e79a24dd0e6f5894ecb9450
- SHA1: ab1156f2af054838e14f42839e25d0e619ba796a
- SHA256: db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995
- SHA512: e623dee382057752bd401aa64b5efaeb807f82db8a4913f4df3e8b919faf98513d744a689a256c867ae1f16d87999300d6c40e0a7e026388b4b9e2477b58d5dd
- SSDEEP: 3072:oi+bQQgdYR4sOcBRdQZd5g18xJ5kOpaPM9erTRcm4esUV:Sb/gdY7HCKKJNaEoPKmJ
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
  Process: svchost.exe
- Executes dropped EXE (2 IoCs)
  pid 900: db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe
  pid 1476: WaterMark.exe
  resource / yara_rule:
  behavioral1/memory/900-62-0x0000000000400000-0x0000000000421000-memory.dmp: upx
  behavioral1/memory/900-61-0x0000000000400000-0x0000000000421000-memory.dmp: upx
  behavioral1/memory/900-68-0x0000000000400000-0x0000000000421000-memory.dmp: upx
  behavioral1/memory/1476-83-0x0000000000400000-0x000000000043D000-memory.dmp: upx
  behavioral1/memory/1476-85-0x0000000000400000-0x000000000043D000-memory.dmp: upx
  behavioral1/memory/1476-192-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- Loads dropped DLL (4 IoCs)
  pid 1996: db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe (x2)
  pid 900: db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe (x2)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
- Drops file in Program Files directory (10 IoCs)
  File opened for modification: C:\Program Files\7-Zip\7-zip32.dll (svchost.exe)
  File opened for modification: C:\Program Files\7-Zip\7z.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe)
  File created: C:\Program Files (x86)\Microsoft\WaterMark.exe (db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (svchost.exe)
  File opened for modification: C:\Program Files\7-Zip\7-zip.dll (svchost.exe)
  File opened for modification: C:\Program Files\7-Zip\7z.dll (svchost.exe)
  File opened for modification: C:\Program Files\7-Zip\7zFM.exe (svchost.exe)
  File opened for modification: C:\Program Files\7-Zip\7zG.exe (svchost.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\px1B8D.tmp (db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe)
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 1476: WaterMark.exe (x8)
  pid 592: svchost.exe (x17)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 1476, WaterMark.exe
  Token: SeDebugPrivilege, pid 592, svchost.exe
  Token: SeDebugPrivilege, pid 1476, WaterMark.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 900: db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe
  pid 1476: WaterMark.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target:
  PID 1996 wrote to memory of 900, pid 1996, db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe, target 28 (x4)
  PID 900 wrote to memory of 1476, pid 900, db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe, target 29 (x4)
  PID 1476 wrote to memory of 2008, pid 1476, WaterMark.exe, target 30 (x10)
  PID 1476 wrote to memory of 592, pid 1476, WaterMark.exe, target 31 (x10)
  PID 592 wrote to memory of 260, pid 592, svchost.exe, target 7 (x5)
  PID 592 wrote to memory of 332, pid 592, svchost.exe, target 6 (x5)
  PID 592 wrote to memory of 368, pid 592, svchost.exe, target 5 (x5)
  PID 592 wrote to memory of 384, pid 592, svchost.exe, target 4 (x5)
  PID 592 wrote to memory of 420, pid 592, svchost.exe, target 3 (x5)
  PID 592 wrote to memory of 464, pid 592, svchost.exe, target 2 (x5)
  PID 592 wrote to memory of 480, pid 592, svchost.exe, target 1 (x5)
  PID 592 wrote to memory of 488, pid 592, svchost.exe, target 25 (x1)
Processes
- PID 480: C:\Windows\system32\lsass.exe (cmd: C:\Windows\system32\lsass.exe)
- PID 464: C:\Windows\system32\services.exe (cmd: C:\Windows\system32\services.exe)
  - PID 880: C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k netsvcs)
    - PID 1820: \\?\C:\Windows\system32\wbem\WMIADAP.EXE (cmd: wmiadap.exe /F /T /R)
  - PID 852: C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k LocalService)
  - PID 1604: C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation)
  - PID 960: C:\Windows\system32\sppsvc.exe (cmd: C:\Windows\system32\sppsvc.exe)
  - PID 1132: C:\Windows\system32\taskhost.exe (cmd: "taskhost.exe")
  - PID 1052: C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork)
  - PID 304: C:\Windows\System32\spoolsv.exe (cmd: C:\Windows\System32\spoolsv.exe)
  - PID 324: C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k NetworkService)
  - PID 808: C:\Windows\System32\svchost.exe (cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted)
  - PID 756: C:\Windows\System32\svchost.exe (cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted)
  - PID 680: C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k RPCSS)
  - PID 600: C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k DcomLaunch)
- PID 420: C:\Windows\system32\winlogon.exe (cmd: winlogon.exe)
- PID 384: C:\Windows\system32\csrss.exe (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)
- PID 368: C:\Windows\system32\wininit.exe (cmd: wininit.exe)
  - PID 488: C:\Windows\system32\lsm.exe (cmd: C:\Windows\system32\lsm.exe)
- PID 332: C:\Windows\system32\csrss.exe (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)
- PID 260: C:\Windows\System32\smss.exe (cmd: \SystemRoot\System32\smss.exe)
- PID 1304: C:\Windows\Explorer.EXE (cmd: C:\Windows\Explorer.EXE)
  - PID 1996: C:\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995.exe")
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - PID 900: C:\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe (cmd: C:\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe)
      signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - PID 1476: C:\Program Files (x86)\Microsoft\WaterMark.exe (cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe")
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - PID 2008: C:\Windows\SysWOW64\svchost.exe (cmd: C:\Windows\system32\svchost.exe)
          signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory
        - PID 592: C:\Windows\SysWOW64\svchost.exe (cmd: C:\Windows\system32\svchost.exe)
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- PID 1232: C:\Windows\system32\Dwm.exe (cmd: "C:\Windows\system32\Dwm.exe")
Network
MITRE ATT&CK Enterprise v6
Downloads
All eight entries below are the same 120KB file, with these hashes:
- MD5: 83a5fa4246ce7541bebc5e64bf0b01b6
- SHA1: bc92ac6ec1aec9702570ef975066278ca3effbb0
- SHA256: 5ad61430a72e3c3492995dc43cd48b0d449513f518bbc02de740b69f43bede2a
- SHA512: 1420a5037f92049b933e01f20227f6b71093da7ed3b99e437759baed937152cb7ab9fc9f1aad1b3946beb97f3e498e38b0b7af3b506140d3c281540c1ee6a2bc
Entries:
- (no path given) (x2)
- C:\Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe (x2)
- (no path given) (x2)
- \Users\Admin\AppData\Local\Temp\db5cf9d0b882c6a918d4e2f290a48e241a75d376a1e53c894383d1eb33ad2995mgr.exe (x2)