Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 19/10/2022, 12:30
Static task
- static1
Behavioral task
- behavioral1: sample 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe, resource win7-20220901-en
Behavioral task
- behavioral2: sample 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe, resource win10v2004-20220812-en
General
- Target: 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe
- Size: 573KB
- MD5: 91071af657e8f3ff71e5171e96d1b2e0
- SHA1: e9ccab81aaa323a6d53ea62f252aeb28745374b1
- SHA256: 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f
- SHA512: 234a3a4227f808112a5f1a571c719e157987883afe657622ce0942661d70c7762fb9e302cf39aede322d8a7985c6b02a92040b5e10812f7b50b72501583b0191
- SSDEEP: 6144:7tMcZQNxogdOmTq2tfBTgBcJhbn5s0bgGqvfNa6soxqw6U4k6+8rNp6t2:2hds2t5sBan5skgGsNns8fKrNp6E
Malware Config
Signatures

Executes dropped EXE (1 IoC)
- pid 992, process cdbyNmvCqDXxYbt.exe
Allows Network login with blank passwords (1 TTP, 1 IoC)
Allows local user accounts with blank passwords to access the device from the network. The default for this value is 1, which restricts accounts with an empty password to console logon; setting it to 0 removes that restriction.
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0" (process: Process not Found)
Deletes itself (1 IoC)
- pid 992, process cdbyNmvCqDXxYbt.exe

Drops file in System32 directory (3 IoCs; process: Process not Found for all entries)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\tu2iz71q8f3.dll
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\tu2iz71q8f3.dll
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\cdbyNmvCqDXxYbt.exe (process: 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe)
- File created: C:\Windows\cdbyNmvCqDXxYbt.exe (process: Process not Found)
Modifies data under HKEY_USERS (24 IoCs; process: Process not Found for all entries)
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadDecisionReason = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadDecision = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecisionReason = "1"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecision = "0"
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecisionTime = e0efa3f8b6e3d801
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadNetworkName = "Network 2"
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\WpadDecisionTime = e0efa3f8b6e3d801
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3FC8BC12-6529-4CF7-93D5-68187D02130E}\76-03-fd-b3-6a-ca
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2028, process 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe (×1)
- pid 992, process cdbyNmvCqDXxYbt.exe (×3)
- pid 592, Process not Found (×60)

Suspicious behavior: MapViewOfSection (1 IoC)
- pid 992, process cdbyNmvCqDXxYbt.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, pid 2028, process 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe
- Token: SeDebugPrivilege, pid 992, process cdbyNmvCqDXxYbt.exe
- Token: SeDebugPrivilege, pid 592, Process not Found

Suspicious use of UnmapMainImage (2 IoCs)
- pid 2028, process 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe
- pid 992, process cdbyNmvCqDXxYbt.exe

Suspicious use of WriteProcessMemory (4 IoCs; each row: description, pid, process, procid_target)
- PID 2028 wrote to memory of 992, pid 2028, 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe, 27
- PID 2028 wrote to memory of 992, pid 2028, 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe, 27
- PID 2028 wrote to memory of 992, pid 2028, 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe, 27
- PID 2028 wrote to memory of 992, pid 2028, 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe, 27
Processes
- C:\Users\Admin\AppData\Local\Temp\4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe (PID 2028)
  command line: "C:\Users\Admin\AppData\Local\Temp\4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\cdbyNmvCqDXxYbt.exe (PID 992, child of 2028)
    command line: C:\Users\Admin\AppData\Local\Temp\4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe
    - Executes dropped EXE
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
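The two findings a responder would act on first in the tables above are the LSA LimitBlankPasswordUse write and the four WriteProcessMemory calls from PID 2028 into the binary it had just dropped under C:\Windows and started as PID 992. The script below is an added example, not tria.ge's code: it parses rows in exactly the form the report prints them (the sample rows and process images are copied from this page) into structured findings. The regexes, the NT_ROOTS hive map, the WEAK_LSA_POLICY table and the dropped_target heuristic are this example's own assumptions.

```python
"""Turn flattened tria.ge signature rows into structured findings.

Added example, not tria.ge's code. The sample rows below are copied from the
report; the regexes, NT_ROOTS, WEAK_LSA_POLICY and the dropped_target
heuristic are this script's own assumptions.
"""
import re
from collections import Counter

# Registry rows copied from the report's signature tables.
REGISTRY_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0"',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"',
    r'Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows'
    r'\CurrentVersion\Internet Settings\Wpad\76-03-fd-b3-6a-ca\WpadDecisionTime'
    r' = e0efa3f8b6e3d801',
]
# WriteProcessMemory rows copied from the report (four identical rows).
WPM_ROWS = [
    "PID 2028 wrote to memory of 992 2028 "
    "4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe 27",
] * 4
# Process images from the report's process tree.
PROCESS_IMAGES = {
    2028: r"C:\Users\Admin\AppData\Local\Temp\4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f.exe",
    992: r"C:\Windows\cdbyNmvCqDXxYbt.exe",
}

# Native object-manager root -> hive abbreviation as used by reg.exe (assumption).
NT_ROOTS = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# LSA values and the setting that weakens them. LimitBlankPasswordUse defaults
# to 1 (blank-password local accounts may only log on at the console); 0 lets
# them authenticate over the network, which is what this report shows.
WEAK_LSA_POLICY = {"LimitBlankPasswordUse": "0"}

# 'Set value (<type>) <key>\<name> = <value>' with optional quotes around value.
REG_ROW = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "?(?P<value>[^"]*)"?$'
)
# 'PID <src> wrote to memory of <dst> <pid> <image> <procid_target>'
WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_registry_row(row):
    """Split one 'Set value' row into hive-prefixed key, value name, type, data.

    Rows of other kinds ('Key created', free text) return None.
    """
    m = REG_ROW.match(row)
    if not m:
        return None
    key = m.group("key")
    for root, hive in NT_ROOTS.items():
        if key.startswith(root):
            key = hive + key[len(root):]
            break
    return {"key": key, "name": m.group("name"),
            "type": m.group("type"), "value": m.group("value")}


def weak_lsa_findings(rows):
    """Return parsed rows that set a known LSA value to its weak state."""
    hits = []
    for row in rows:
        ev = parse_registry_row(row)
        if ev and ev["key"].endswith(r"\Control\Lsa") \
                and WEAK_LSA_POLICY.get(ev["name"]) == ev["value"]:
            hits.append(ev)
    return hits


def injection_edges(rows, images):
    """Collapse WriteProcessMemory rows into one edge per (writer, target)."""
    counts = Counter()
    for row in rows:
        m = WPM_ROW.match(row)
        if m:
            counts[(int(m.group("src")), int(m.group("dst")))] += 1
    edges = []
    for (src, dst), n in sorted(counts.items()):
        target = images.get(dst, "")
        edges.append({
            "writer": src, "target": dst, "writes": n,
            # Parent writing into a child whose image lives under C:\Windows
            # (the path it was dropped to) is the pattern the report shows.
            "dropped_target": target.lower().startswith("c:\\windows\\"),
        })
    return edges


def triage(registry_rows=REGISTRY_ROWS, wpm_rows=WPM_ROWS, images=PROCESS_IMAGES):
    """Run both checks and return the findings as one dict."""
    return {"weak_lsa": weak_lsa_findings(registry_rows),
            "injection": injection_edges(wpm_rows, images)}


if __name__ == "__main__":
    result = triage()
    for ev in result["weak_lsa"]:
        print(f"[LSA] {ev['key']}\\{ev['name']} = {ev['value']}")
    for e in result["injection"]:
        print(f"[INJ] {e['writer']} -> {e['target']} "
              f"({e['writes']} writes, dropped target: {e['dropped_target']})")
```

Run it directly to print the findings, or import triage() and feed it rows from another report. The sandbox records the resolved key path (ControlSet001); on a live host the same value is read through HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is a link to the active control set, and the expected value is 1.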
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 573KB
  MD5: 91071af657e8f3ff71e5171e96d1b2e0
  SHA1: e9ccab81aaa323a6d53ea62f252aeb28745374b1
  SHA256: 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f
  SHA512: 234a3a4227f808112a5f1a571c719e157987883afe657622ce0942661d70c7762fb9e302cf39aede322d8a7985c6b02a92040b5e10812f7b50b72501583b0191
- Filesize: 573KB
  MD5: 91071af657e8f3ff71e5171e96d1b2e0
  SHA1: e9ccab81aaa323a6d53ea62f252aeb28745374b1
  SHA256: 4aafdf00c039442993b3f62da1bb692ecfef219e73c05e0613f8f7c2d5b47e5f
  SHA512: 234a3a4227f808112a5f1a571c719e157987883afe657622ce0942661d70c7762fb9e302cf39aede322d8a7985c6b02a92040b5e10812f7b50b72501583b0191