Analysis
- max time kernel: 180s
- max time network: 207s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2022, 10:28
Static task: static1
Behavioral task: behavioral1
- Sample: 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe
- Resource: win10v2004-20220812-en
General
- Target: 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe
- Size: 224KB
- MD5: 002c15b20b531a264bb8fdb063e4e380
- SHA1: 910ff5ede185aea8444c3cd125d96d39c6668515
- SHA256: 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5
- SHA512: c3a506d98e7e13f4c081e86c04d274fb2d2a02f6bc1970f7c46c30719bb46cdd589f42ced6e3788d068fa538d4f7e797247616ce2277b6251655f0c0ea8529df
- SSDEEP: 3072:RlxBsqIOltCis+GkfDDffffNfffLffffnWz1MknbkVnNx1XvdfmyHzre:RlrUMkbkVdFf9W
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pxnjny = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\themes\\Pxnjny.exe" | mspaint.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update Installer = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate\\Updater.exe" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | mspaint.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\F:, \??\Q:, \??\R:, \??\Z:, \??\B:, \??\E:, \??\H:, \??\I:, \??\K:, \??\P:, \??\Y:, \??\G:, \??\J:, \??\L:, \??\M:, \??\N:, \??\S:, \??\X:, \??\O:, \??\T:, \??\U:, \??\V:, \??\W: | svchost.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1108 set thread context of 1704 | 1108 | 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe | 45
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1756 | 1096 | WerFault.exe | 29
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2000 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid | Process
  1096 | svchost.exe (29 entries)
  1704 | 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1704 | 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe
  Token: SeDebugPrivilege | 1096 | svchost.exe
  Token: SeDebugPrivilege | 1744 | calc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1108 wrote to memory of 1096 | 1108 | 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe | 29 (6 entries)
  PID 1108 wrote to memory of 1744 | 1108 | 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe | 28 (6 entries)
  PID 1096 wrote to memory of 1564 | 1096 | svchost.exe | 30 (4 entries)
  PID 1096 wrote to memory of 1064 | 1096 | svchost.exe | 32 (4 entries)
  PID 1096 wrote to memory of 828 | 1096 | svchost.exe | 34 (4 entries)
  PID 1096 wrote to memory of 1940 | 1096 | svchost.exe | 36 (4 entries)
  PID 1096 wrote to memory of 580 | 1096 | svchost.exe | 38 (4 entries)
  PID 1096 wrote to memory of 1284 | 1096 | svchost.exe | 40 (4 entries)
  PID 1096 wrote to memory of 2000 | 1096 | svchost.exe | 43 (4 entries)
  PID 1096 wrote to memory of 988 | 1096 | svchost.exe | 44 (5 entries)
  PID 1108 wrote to memory of 1704 | 1108 | 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe | 45 (10 entries)
  PID 1704 wrote to memory of 1096 | 1704 | 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe | 29 (2 entries)
  PID 1704 wrote to memory of 1744 | 1704 | 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe | 28 (2 entries)
  PID 1704 wrote to memory of 988 | 1704 | 053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe | 44 (2 entries)
  PID 1096 wrote to memory of 1756 | 1096 | svchost.exe | 46 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe (PID 1108)
   Command line: "C:\Users\Admin\AppData\Local\Temp\053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\calc.exe (PID 1744)
      Command line: "C:\Windows\SysWOW64\calc.exe"
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\svchost.exe (PID 1096)
      Command line: "C:\Windows\SysWOW64\svchost.exe"
      - Adds Run key to start application
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe (PID 1564)
         Command line: "C:\Windows\System32\schtasks.exe" /delete /tn "Windows Update Check - 0x05860166" /f
      3. C:\Windows\SysWOW64\schtasks.exe (PID 1064)
         Command line: "C:\Windows\System32\schtasks.exe" /delete /tn "Windows Update Check - 0x0E7302EC" /f
      3. C:\Windows\SysWOW64\schtasks.exe (PID 828)
         Command line: "C:\Windows\System32\schtasks.exe" /delete /tn "Windows Update Check - 0x5C000766" /f
      3. C:\Windows\SysWOW64\schtasks.exe (PID 1940)
         Command line: "C:\Windows\System32\schtasks.exe" /delete /tn "Windows Update Check - 0x6E0A0825" /f
      3. C:\Windows\SysWOW64\schtasks.exe (PID 580)
         Command line: "C:\Windows\System32\schtasks.exe" /delete /tn "Windows Debugger" /f
      3. C:\Windows\SysWOW64\schtasks.exe (PID 1284)
         Command line: "C:\Windows\System32\schtasks.exe" /query /tn "Windows Updater"
      3. C:\Windows\SysWOW64\schtasks.exe (PID 2000)
         Command line: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Updater" /TR "C:\Users\Admin\AppData\Roaming\WindowsUpdate\Updater.exe" /RL HIGHEST
         - Creates scheduled task(s)
      3. C:\Windows\SysWOW64\mspaint.exe (PID 988)
         Command line: "C:\Windows\SysWOW64\mspaint.exe"
         - Adds Run key to start application
      3. C:\Windows\SysWOW64\WerFault.exe (PID 1756)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 836
         - Program crash
   2. C:\Users\Admin\AppData\Local\Temp\053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe (PID 1704)
      Command line: "C:\Users\Admin\AppData\Local\Temp\053430d68549e2ee4fbc14e8abf29f1b4edfda8810429c674e1654eef88f03b5.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory