Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:   151s
  max time network:  119s
  platform:          windows7_x64
  resource:          win7-20220901-en
  resource tags:     arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  submitted:         11/10/2022, 00:13
Static task
  static1

Behavioral task
  behavioral1
  Sample:    13619f1852111ddb9f7ab75fd5469c7d34ae7b43e12b6f67624f5fd27dd4c7a8.dll
  Resource:  win7-20220901-en

Behavioral task
  behavioral2
  Sample:    13619f1852111ddb9f7ab75fd5469c7d34ae7b43e12b6f67624f5fd27dd4c7a8.dll
  Resource:  win10v2004-20220812-en
General
  Target:  13619f1852111ddb9f7ab75fd5469c7d34ae7b43e12b6f67624f5fd27dd4c7a8.dll
  Size:    160KB
  MD5:     7d2a383d85c560e3598dbc7f0b41bf38
  SHA1:    6610aca6cb5adfc76895b183540e787ce3ef5725
  SHA256:  13619f1852111ddb9f7ab75fd5469c7d34ae7b43e12b6f67624f5fd27dd4c7a8
  SHA512:  ce397605d064d728e78018d5be310982b552bccff7b93cf80e243bb3f1b186f64ccca48bdee093a9329cb39cbacc47b9bd4e617d4337201ec26e52ea5f73e28c
  SSDEEP:  3072:5ibTTp78CcWfJkicFUQRIpvKQecm8ABDNHX:KT14pU8IpvKQJaDxX
Malware Config
Signatures
Modifies WinLogon for persistence  2 TTPs  1 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"  svchost.exe
  Userinit is a comma-separated list of programs winlogon.exe starts at every interactive logon, so appending the dropped WaterMark.exe to it relaunches the payload on each logon. The writer here is the 32-bit svchost.exe (PID 344) running under WoW64, which is why the value lands in the Wow6432Node view; when triaging a host, read the native Winlogon key as well as the Wow6432Node one, since the 64-bit winlogon.exe consults the native view.
Executes dropped EXE  2 IoCs
  2008  rundll32mgr.exe
  1392  WaterMark.exe

UPX-packed image (yara rule: upx)  3 IoCs
  behavioral1/memory/2008-66-0x0000000000400000-0x0000000000426000-memory.dmp    upx
  behavioral1/memory/1392-81-0x0000000000400000-0x0000000000426000-memory.dmp    upx
  behavioral1/memory/1392-206-0x0000000000400000-0x0000000000426000-memory.dmp   upx
  (The signature heading was missing in the extracted page; the yara rule name is taken from the IoC lines. All three dumps cover the same 0x400000-0x426000 image range in rundll32mgr.exe and WaterMark.exe.)
Loads dropped DLL  4 IoCs
  840   rundll32.exe     (x2)
  2008  rundll32mgr.exe  (x2)
Drops file in System32 directory  3 IoCs
  File created                  C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe
  File created                  C:\Windows\SysWOW64\dmlconf.dat      svchost.exe
  File opened for modification  C:\Windows\SysWOW64\dmlconf.dat      svchost.exe
Drops file in Program Files directory  10 IoCs
  File opened for modification  C:\Program Files\7-Zip\7z.dll                   svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe                   svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe                 svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe                  svchost.exe
  File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe  rundll32mgr.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe  svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7-zip.dll                svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7-zip32.dll              svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\px1ED7.tmp     rundll32mgr.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe  rundll32mgr.exe
  The write-access opens on the 7-Zip executables and DLLs come from the malware-spawned svchost.exe, not from an installer. The report records the open, not the bytes written, so compare those files against known-good hashes before assuming they are intact.
Program crash  1 IoCs
  pid 1612  WerFault.exe  crashed process: pid 840 (rundll32.exe)  procid_target 27
Suspicious behavior: EnumeratesProcesses  25 IoCs
  1392  WaterMark.exe  (x8)
  776   svchost.exe    (x17)
Suspicious use of AdjustPrivilegeToken  5 IoCs
  Token: SeDebugPrivilege  1392  WaterMark.exe
  Token: SeDebugPrivilege  776   svchost.exe
  Token: SeDebugPrivilege  840   rundll32.exe
  Token: SeDebugPrivilege  1612  WerFault.exe
  Token: SeDebugPrivilege  1392  WaterMark.exe
Suspicious use of WriteProcessMemory  64 IoCs
  The 64 event lines collapse to eleven source -> target pairs (source PID -> target PID, source process, procid_target, count; target names resolved from the process tree below):
  1000 -> 840   rundll32.exe     27  x7
  840  -> 2008  rundll32.exe     28  x4
  840  -> 1612  rundll32.exe     29  x4
  2008 -> 1392  rundll32mgr.exe  30  x4
  1392 -> 344   WaterMark.exe    31  x10
  1392 -> 776   WaterMark.exe    32  x10
  776  -> 260   svchost.exe      7   x5   target smss.exe
  776  -> 336   svchost.exe      6   x5   target csrss.exe
  776  -> 372   svchost.exe      3   x5   target wininit.exe
  776  -> 380   svchost.exe      1   x5   target csrss.exe
  776  -> 420   svchost.exe      2   x5   target winlogon.exe
  The first six pairs are parents writing into children they have just created; the 1000 -> 840 writes, a stock 64-bit rundll32.exe re-launching its 32-bit counterpart, show what that baseline looks like, while the ten writes each into the two freshly spawned svchost.exe instances are far above it. The last five pairs are the malware-spawned svchost.exe (PID 776, a child of WaterMark.exe) writing into smss.exe, csrss.exe, wininit.exe and winlogon.exe: cross-process injection into core system processes, which is the strongest single indicator in this report.
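The Winlogon Userinit signature above is easy to miss on a host because the value is a comma-separated list that usually contains one benign entry. The following Python is an added example, not tria.ge code and not part of the sample: it splits a Userinit value, normalises each entry the way the report prints it (doubled backslashes, bare `userinit.exe` shorthand) and returns anything beyond the stock program. The `EXPECTED` set (a default Windows 7 install with no vendor logon agents), the `normalise` rules and the optional `winreg` live-read helper are assumptions; the two sample values are constructed from the registry write recorded in this report.

```python
"""Flag non-default entries in a Winlogon Userinit value (both registry views).

Added example; not tria.ge code. Sample values are constructed from this report.
"""
import ntpath

# On x64 a 32-bit (WoW64) writer lands in Wow6432Node while the 64-bit
# winlogon.exe reads the native key, so a host check must read both views.
WINLOGON_KEYS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

# Assumption: the only program a stock Windows 7 Userinit carries.
EXPECTED = {r"c:\windows\system32\userinit.exe"}


def normalise(entry: str) -> str:
    """Lower-case, drop surrounding quotes, collapse the doubled backslashes the
    report prints, and expand the bare 'userinit.exe' shorthand to its System32 path."""
    e = entry.strip().strip('"').replace("\\\\", "\\").lower()
    if e and ntpath.dirname(e) == "":
        e = ntpath.join(r"c:\windows\system32", e)
    return e


def split_userinit(value: str) -> list[str]:
    """Userinit is comma-separated; the trailing comma of the stock value yields nothing."""
    return [normalise(p) for p in value.split(",") if p.strip()]


def unexpected_entries(value: str) -> list[str]:
    """Every program in the value that is not in EXPECTED, in registry order."""
    return [e for e in split_userinit(value) if e not in EXPECTED]


def read_live_userinit():
    """On Windows, return {key path: Userinit value} for both views; elsewhere None."""
    try:
        import winreg
    except ImportError:
        return None
    found = {}
    for key in WINLOGON_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as k:
                found[key], _ = winreg.QueryValueEx(k, "Userinit")
        except OSError:
            pass  # key or value absent in this view
    return found


# Constructed from this report: the value written under Wow6432Node by the dropped
# svchost.exe, and the stock value the native key normally carries.
SAMPLE_WOW6432 = r"userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
SAMPLE_NATIVE = r"C:\Windows\system32\userinit.exe,"

if __name__ == "__main__":
    live = read_live_userinit() or {}
    samples = {"Wow6432Node (sample)": SAMPLE_WOW6432, "native (sample)": SAMPLE_NATIVE}
    for label, value in {**samples, **live}.items():
        bad = unexpected_entries(value)
        print(f"{label}: {'SUSPICIOUS ' + ', '.join(bad) if bad else 'clean'}")
```

Run on a live Windows host the script checks both views and prints the extra programs; off-Windows it only evaluates the constructed samples. Treat any entry outside `EXPECTED` as a finding to verify, not as proof of compromise, since some endpoint agents legitimately add themselves here.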
Processes
  (indentation is the parent/child depth the report recorded; the image path is followed by the command line where it differs)

  PID 380   C:\Windows\system32\csrss.exe
            %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  PID 420   C:\Windows\system32\winlogon.exe
  PID 372   C:\Windows\system32\wininit.exe
    PID 464   C:\Windows\system32\services.exe
      PID 596   C:\Windows\system32\svchost.exe -k DcomLaunch
      PID 1116  C:\Windows\system32\sppsvc.exe
      PID 980   C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
      PID 1240  C:\Windows\system32\taskhost.exe
      PID 1060  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
      PID 540   C:\Windows\System32\spoolsv.exe
      PID 324   C:\Windows\system32\svchost.exe -k NetworkService
      PID 888   C:\Windows\system32\svchost.exe -k netsvcs
      PID 856   C:\Windows\system32\svchost.exe -k LocalService
      PID 820   C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      PID 756   C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      PID 676   C:\Windows\system32\svchost.exe -k RPCSS
    PID 480   C:\Windows\system32\lsass.exe
    PID 488   C:\Windows\system32\lsm.exe
  PID 336   C:\Windows\system32\csrss.exe
            (same command line as PID 380)
  PID 260   C:\Windows\System32\smss.exe
            \SystemRoot\System32\smss.exe
  PID 1972  \\?\C:\Windows\system32\wbem\WMIADAP.EXE
            wmiadap.exe /F /T /R
  PID 1396  C:\Windows\Explorer.EXE
    PID 1000  C:\Windows\system32\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\13619f1852111ddb9f7ab75fd5469c7d34ae7b43e12b6f67624f5fd27dd4c7a8.dll,#1
              [Suspicious use of WriteProcessMemory]
      PID 840   C:\Windows\SysWOW64\rundll32.exe
                rundll32.exe C:\Users\Admin\AppData\Local\Temp\13619f1852111ddb9f7ab75fd5469c7d34ae7b43e12b6f67624f5fd27dd4c7a8.dll,#1
                [Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
        PID 2008  C:\Windows\SysWOW64\rundll32mgr.exe
                  [Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory]
          PID 1392  "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                    [Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
            PID 344   C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\system32\svchost.exe
                      [Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory]
            PID 776   C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\system32\svchost.exe
                      [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
        PID 1612  C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 228
                  [Program crash; Suspicious use of AdjustPrivilegeToken]
  PID 1332  C:\Windows\system32\Dwm.exe
            "C:\Windows\system32\Dwm.exe"

  Reading the chain: the 64-bit rundll32.exe (PID 1000) re-launches its 32-bit counterpart from SysWOW64 (PID 840) because the sample is a 32-bit DLL; that process drops and runs rundll32mgr.exe, which drops and runs WaterMark.exe, which in turn spawns two svchost.exe instances. Those two (PIDs 344 and 776) are the anomaly to pivot on: a legitimate svchost.exe is a child of services.exe and carries a -k group argument, whereas these are children of WaterMark.exe, have no arguments, and run from SysWOW64 while their command line claims system32. The crash of PID 840 handled by WerFault.exe is a side effect of the loader, not part of the persistence chain.
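Two observations on this page are worth turning into repeatable detection logic: the WriteProcessMemory signature (a flat list of repeated "PID X wrote to memory of Y" lines) and the process tree (svchost.exe instances whose parent is WaterMark.exe rather than services.exe). The Python below is an added example, not tria.ge code: it collapses event lines in the report's own format into source/target pairs with counts, flags svchost.exe with a non-services.exe parent, and flags writes from a non-core process into smss.exe, csrss.exe, wininit.exe, winlogon.exe, services.exe or lsass.exe. The `PROCS` table (PID, parent PID, image path) is constructed from the tree above, with parent 0 standing in for the roots whose parent the report does not show; `EVENTS` is a de-duplicated subset of the report's event lines; the `CORE` set is an assumption.

```python
"""Detections over a sandbox process tree and its WriteProcessMemory events.

Added example; not tria.ge code. PROCS and EVENTS are constructed from this report.
"""
import re
from collections import Counter

# (pid, ppid, image path) from the process tree; ppid 0 = root whose parent is not shown.
PROCS = [
    (260, 0, r"C:\Windows\System32\smss.exe"),
    (336, 0, r"C:\Windows\system32\csrss.exe"),
    (372, 0, r"C:\Windows\system32\wininit.exe"),
    (380, 0, r"C:\Windows\system32\csrss.exe"),
    (420, 0, r"C:\Windows\system32\winlogon.exe"),
    (464, 372, r"C:\Windows\system32\services.exe"),
    (596, 464, r"C:\Windows\system32\svchost.exe"),
    (1396, 0, r"C:\Windows\Explorer.EXE"),
    (1000, 1396, r"C:\Windows\system32\rundll32.exe"),
    (840, 1000, r"C:\Windows\SysWOW64\rundll32.exe"),
    (2008, 840, r"C:\Windows\SysWOW64\rundll32mgr.exe"),
    (1392, 2008, r"C:\Program Files (x86)\Microsoft\WaterMark.exe"),
    (344, 1392, r"C:\Windows\SysWOW64\svchost.exe"),
    (776, 1392, r"C:\Windows\SysWOW64\svchost.exe"),
    (1612, 840, r"C:\Windows\SysWOW64\WerFault.exe"),
]

# Constructed: a de-duplicated subset of the report's event lines, same format.
EVENTS = """
PID 1000 wrote to memory of 840 1000 rundll32.exe 27
PID 840 wrote to memory of 2008 840 rundll32.exe 28
PID 2008 wrote to memory of 1392 2008 rundll32mgr.exe 30
PID 1392 wrote to memory of 344 1392 WaterMark.exe 31
PID 1392 wrote to memory of 776 1392 WaterMark.exe 32
PID 776 wrote to memory of 260 776 svchost.exe 7
PID 776 wrote to memory of 260 776 svchost.exe 7
PID 776 wrote to memory of 336 776 svchost.exe 6
PID 776 wrote to memory of 372 776 svchost.exe 3
PID 776 wrote to memory of 380 776 svchost.exe 1
PID 776 wrote to memory of 420 776 svchost.exe 2
"""

# Assumption: processes a user-mode program should never be writing into.
CORE = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# "PID <src> wrote to memory of <dst> <src again> <src image> <procid_target>"
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")


def name_of(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_index(procs):
    return {pid: (ppid, path) for pid, ppid, path in procs}


def parse_write_events(text: str) -> Counter:
    """Collapse repeated event lines into {(src_pid, dst_pid): count}."""
    counts = Counter()
    for m in EVENT_RE.finditer(text):
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def svchost_parent_anomalies(procs):
    """svchost.exe whose parent is not services.exe -> [(pid, parent image name)]."""
    idx = build_index(procs)
    hits = []
    for pid, ppid, path in procs:
        if name_of(path) != "svchost.exe":
            continue
        parent = idx.get(ppid)
        parent_name = name_of(parent[1]) if parent else "<unknown>"
        if parent_name != "services.exe":
            hits.append((pid, parent_name))
    return hits


def writes_into_core(counts: Counter, procs):
    """Writes whose target is a core process and whose source is not one itself."""
    idx = build_index(procs)
    hits = []
    for (src, dst), n in sorted(counts.items()):
        src_name = name_of(idx[src][1]) if src in idx else "?"
        dst_name = name_of(idx[dst][1]) if dst in idx else "?"
        if dst_name in CORE and src_name not in CORE:
            hits.append((src, src_name, dst, dst_name, n))
    return hits


if __name__ == "__main__":
    for pid, parent in svchost_parent_anomalies(PROCS):
        print(f"svchost.exe PID {pid} spawned by {parent} (expected services.exe)")
    for src, sn, dst, dn, n in writes_into_core(parse_write_events(EVENTS), PROCS):
        print(f"{sn} PID {src} wrote into {dn} PID {dst} ({n} events)")
```

Against the constructed data this reports PIDs 344 and 776 as svchost.exe children of watermark.exe and five write targets for PID 776 (smss.exe, two csrss.exe instances, wininit.exe, winlogon.exe). The parent check deliberately ignores the image directory: some 32-bit services legitimately run from SysWOW64\svchost.exe, so the parent relationship, not the path, is the reliable signal.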
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize:  120KB
  MD5:       186a45a9b3189fdb56d59479d6f5fa85
  SHA1:      8be5be86d5aba4b3e6f4af077a25bdc9d1de6610
  SHA256:    bf449f575154998c7449749da4175c377aa6f617f82effc079c85dd5e7df8743
  SHA512:    bcfa06d1084d889cd3b5b3f5f5941af1e0fcdec850213a00bba709545b8f20b1acdbd480b5bc038e5010fce3f4a8ce972a6cc1e00a5012921cdc6b663daac0b7
  (The report lists this one file eight times with identical hashes; the duplicates are collapsed here. Note it is 120KB, smaller than the 160KB submitted DLL, so it is a dropped artifact rather than a copy of the sample.)