Analysis
max time kernel: 148s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 14:56
Static task: static1
Behavioral task: behavioral1
Sample: 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Resource: win10v2004-20220812-en
General
Target: 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Size: 236KB
MD5: 15bd2eb33c00b4771079227eb1b7eb90
SHA1: 0ca58f908247fb0fcc8271558501cbac65d17132
SHA256: 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37
SHA512: e157b160733398a71f3bdcb1c2338c37d3fabc3fdb6e39e95cf5c5296be5d267b610f68ea722fcca628686efa4e0f809b7a45ac32f9b48d1534627dcee409dc6
SSDEEP: 3072:eKXxdEuTxsiVT0MjuV+pARwF/zQJLNP2yZroO70YVdBkKpkcpe2gvU:1dEuTxbB/pAulOLx/ZceBkNseJU
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\93ED4XRKS0.exe = "C:\\Users\\Admin\\AppData\\Roaming\\93ED4XRKS0.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\93ED4XRKS0.exe" | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCCCA2D7-3C3D-6D0D-7FFF-CA1A5A7CA1C8} | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCCCA2D7-3C3D-6D0D-7FFF-CA1A5A7CA1C8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\93ED4XRKS0.exe" | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{DCCCA2D7-3C3D-6D0D-7FFF-CA1A5A7CA1C8} | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components\{DCCCA2D7-3C3D-6D0D-7FFF-CA1A5A7CA1C8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\93ED4XRKS0.exe" | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
yara_rule upx (6 IoCs)
resource | yara_rule
behavioral1/memory/1280-57-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral1/memory/1280-60-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral1/memory/1280-59-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral1/memory/1280-64-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral1/memory/1280-65-0x0000000000400000-0x0000000000473000-memory.dmp | upx
behavioral1/memory/1280-78-0x0000000000400000-0x0000000000473000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\93ED4XRKS0.exe" | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\93ED4XRKS0.exe" | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1600 set thread context of 1280 | 1600 | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe | 27
Modifies registry key (1 TTP, 4 IoCs)
pid | Process
1000 | reg.exe
1504 | reg.exe
536 | reg.exe
1100 | reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
description | pid | Process
All 36 entries are for PID 1280, 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe. Tokens, in the order recorded:
Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
1280 | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe (recorded 3 times)
Suspicious use of WriteProcessMemory (39 IoCs)
description | pid | Process | procid_target | count
PID 1600 wrote to memory of 1280 | 1600 | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe | 27 | 7
PID 1280 wrote to memory of 688 | 1280 | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe | 28 | 4
PID 1280 wrote to memory of 580 | 1280 | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe | 30 | 4
PID 1280 wrote to memory of 1700 | 1280 | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe | 34 | 4
PID 1280 wrote to memory of 1068 | 1280 | 93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe | 33 | 4
PID 688 wrote to memory of 1000 | 688 | cmd.exe | 36 | 4
PID 580 wrote to memory of 1504 | 580 | cmd.exe | 37 | 4
PID 1700 wrote to memory of 536 | 1700 | cmd.exe | 38 | 4
PID 1068 wrote to memory of 1100 | 1068 | cmd.exe | 39 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe (PID 1600)
  command line: "C:\Users\Admin\AppData\Local\Temp\93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe (PID 1280, child of 1600)
    command line: C:\Users\Admin\AppData\Local\Temp\93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 688, child of 1280)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 1000, child of 688)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe (PID 580, child of 1280)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 1504, child of 580)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe (PID 1068, child of 1280)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\93ED4XRKS0.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\93ED4XRKS0.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 1100, child of 1068)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\93ED4XRKS0.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\93ED4XRKS0.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe (PID 1700, child of 1280)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 536, child of 1700)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
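The signatures and process tree above describe four behaviours worth turning into detection logic: the parent launching a second copy of itself and calling SetThreadContext on it (the usual shape of process hollowing), reg.exe re-enabling firewall exceptions and authorising the sample and the dropped 93ED4XRKS0.exe in the StandardProfile, and autorun entries (Run, Policies\Explorer\Run, Active Setup StubPath) pointing into the user's AppData. The following is an added example, not part of the Triage report and not Triage's own detection code: it runs three rules over a handful of constructed event records modelled on the report's process tree and registry IoCs. The event shape, field names (`type`, `pid`, `image`, `cmdline`, `key`, `name`, `data`, `src_*`, `dst_*`), the HKLM/HKU spelling of the keys and the benign control record are assumptions; the paths, values and PIDs come from the report.

```python
"""Re-derive the report's key signatures from constructed telemetry.

Added example. Event records are constructed to mirror the Triage report;
their schema is an assumption, not any real sensor's format.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\93f8ef9a878ac66d6dd24fcb4d3399f8e245841639f85b1aa90d558cb26aee37.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\93ED4XRKS0.exe"

# Constructed events: "proc" = process creation, "reg" = registry value set,
# "thread" = SetThreadContext from one process onto another.
EVENTS = [
    {"type": "thread", "src_pid": 1600, "src_image": SAMPLE,
     "dst_pid": 1280, "dst_image": SAMPLE},
    {"type": "reg", "pid": 1280, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run",
     "name": "Windows Defender", "data": DROPPED},
    {"type": "reg", "pid": 1280, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
            r"\{DCCCA2D7-3C3D-6D0D-7FFF-CA1A5A7CA1C8}",
     "name": "StubPath", "data": DROPPED},
    {"type": "reg", "pid": 1280, "image": SAMPLE,
     "key": r"HKU\S-1-5-21-4063495947-34355257-727531523-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Windows Defender", "data": DROPPED},
    {"type": "proc", "pid": 1000, "ppid": 688, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters'
                r'\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'},
    {"type": "proc", "pid": 1504, "ppid": 580, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters'
                r'\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "' + SAMPLE
                + '" /t REG_SZ /d "' + SAMPLE + ':*:Enabled:Windows Messanger" /f'},
    # Constructed benign control: an autorun under Program Files must not fire.
    {"type": "reg", "pid": 4242, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorUpdater", "data": r"C:\Program Files\Vendor\updater.exe"},
]

# Rule 1: reg.exe touching the Windows Firewall policy keys.
FIREWALL_KEY = re.compile(r"Services\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I)
DISABLE_EXCEPTIONS = re.compile(
    r'/v\s+"?DoNotAllowExceptions"?\s+/t\s+REG_DWORD\s+/d\s+"?0"?(?=\s|$)', re.I)
AUTHORIZED_APP = re.compile(
    r'AuthorizedApplications\\List\s+/v\s+"(?P<path>[^"]+)".*?:\*:Enabled:', re.I | re.S)

# Rule 2: autorun locations whose target lives in a user-writable AppData path.
PERSIST_KEYS = (
    re.compile(r"\\CurrentVersion\\Run$", re.I),
    re.compile(r"\\CurrentVersion\\Policies\\Explorer\\run$", re.I),
    re.compile(r"\\Active Setup\\Installed Components\\\{[0-9A-F-]+\}$", re.I),
)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "proc" and ev["image"].lower().endswith("\\reg.exe") \
                and FIREWALL_KEY.search(ev["cmdline"]):
            if DISABLE_EXCEPTIONS.search(ev["cmdline"]):
                hits.append(("firewall_exceptions_enabled", ev["pid"], "DoNotAllowExceptions=0"))
            m = AUTHORIZED_APP.search(ev["cmdline"])
            if m:
                hits.append(("firewall_authorized_app", ev["pid"], m.group("path")))
        elif ev["type"] == "reg":
            if any(p.search(ev["key"]) for p in PERSIST_KEYS) and USER_WRITABLE.match(ev["data"]):
                hits.append(("persistence_autorun_userdir", ev["pid"],
                             ev["key"] + "\\" + ev["name"] + " -> " + ev["data"]))
        elif ev["type"] == "thread":
            # Rule 3: a process setting the thread context of a second instance of
            # its own image is the classic hollowing pattern (PID 1600 -> 1280 here).
            if ev["src_pid"] != ev["dst_pid"] and ev["src_image"].lower() == ev["dst_image"].lower():
                hits.append(("self_hollowing_setthreadcontext", ev["src_pid"],
                             "target pid %d" % ev["dst_pid"]))
    return hits


def summarize(hits):
    """Count hits per rule, the shape a SIEM alert summary would use."""
    counts = {}
    for rule, _, _ in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print("%-32s pid=%-5d %s" % (rule, pid, detail))
    print(summarize(detect(EVENTS)))
```

The AuthorizedApplications rule keys on the `path:*:Enabled:` value format that the Windows 7 firewall uses for per-application exceptions, which is why the report's "Windows Messanger" label is irrelevant to the match; the autorun rule deliberately requires an AppData target so the vendor updater in the constructed control record stays quiet.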