Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

88903d08f3...a1.exe

windows7-x64

10

88903d08f3...a1.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2022, 07:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88903d08f3fcb8438da72eb0a0b01deb4b0154b69e636df35f745b1aedd42fa1.exe

  • Size

    96KB

  • MD5

    54284d3c667dd6a26da9598714047caa

  • SHA1

    a24f0cd36dcf926aaf34892e91bcf6789d770fc6

  • SHA256

    88903d08f3fcb8438da72eb0a0b01deb4b0154b69e636df35f745b1aedd42fa1

  • SHA512

    151ddd215abada6a3fe4e36f8bab5c84ec166220c979f56fbcd136c8bfec82b3c3d48f3d699eed1d3d03dbaf02fae9e5678bc39516515b87a517c176bbfd17a4

  • SSDEEP

    768:s06R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9Y:yR0vxn3Pc0LCH9MtbvabUDzJYWu3B

Score
10/10
persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:460
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
          2⤵
            PID:756
          • C:\Windows\system32\taskhost.exe
            "taskhost.exe"
            2⤵
              PID:1224
            • C:\Windows\system32\sppsvc.exe
              C:\Windows\system32\sppsvc.exe
              2⤵
                PID:1680
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                2⤵
                  PID:1644
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                  2⤵
                    PID:1052
                  • C:\Windows\System32\spoolsv.exe
                    C:\Windows\System32\spoolsv.exe
                    2⤵
                      PID:452
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k NetworkService
                      2⤵
                        PID:336
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        2⤵
                          PID:888
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:844
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                            2⤵
                              PID:816
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k RPCSS
                              2⤵
                                PID:676
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k DcomLaunch
                                2⤵
                                  PID:600
                              • C:\Windows\system32\winlogon.exe
                                winlogon.exe
                                1⤵
                                  PID:416
                                • C:\Windows\system32\csrss.exe
                                  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                  1⤵
                                    PID:376
                                  • C:\Windows\system32\wininit.exe
                                    wininit.exe
                                    1⤵
                                      PID:368
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:484
                                      • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                        wmiadap.exe /F /T /R
                                        1⤵
                                          PID:1136
                                        • C:\Windows\Explorer.EXE
                                          C:\Windows\Explorer.EXE
                                          1⤵
                                            PID:1396
                                            • C:\Users\Admin\AppData\Local\Temp\88903d08f3fcb8438da72eb0a0b01deb4b0154b69e636df35f745b1aedd42fa1.exe
                                              "C:\Users\Admin\AppData\Local\Temp\88903d08f3fcb8438da72eb0a0b01deb4b0154b69e636df35f745b1aedd42fa1.exe"
                                              2⤵
                                              • Loads dropped DLL
                                              • Drops file in Program Files directory
                                              • Suspicious use of UnmapMainImage
                                              • Suspicious use of WriteProcessMemory
                                              PID:916
                                              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                3⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of UnmapMainImage
                                                • Suspicious use of WriteProcessMemory
                                                PID:852
                                                • C:\Windows\SysWOW64\svchost.exe
                                                  C:\Windows\system32\svchost.exe
                                                  4⤵
                                                  • Modifies WinLogon for persistence
                                                  • Drops file in System32 directory
                                                  • Drops file in Program Files directory
                                                  PID:1724
                                                • C:\Windows\SysWOW64\svchost.exe
                                                  C:\Windows\system32\svchost.exe
                                                  4⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1312
                                          • C:\Windows\system32\Dwm.exe
                                            "C:\Windows\system32\Dwm.exe"
                                            1⤵
                                              PID:1340
                                            • C:\Windows\system32\csrss.exe
                                              %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                              1⤵
                                                PID:332
                                              • C:\Windows\System32\smss.exe
                                                \SystemRoot\System32\smss.exe
                                                1⤵
                                                  PID:260

                                                Network

                                                MITRE ATT&CK Enterprise v6

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  96KB

                                                  MD5

                                                  54284d3c667dd6a26da9598714047caa

                                                  SHA1

                                                  a24f0cd36dcf926aaf34892e91bcf6789d770fc6

                                                  SHA256

                                                  88903d08f3fcb8438da72eb0a0b01deb4b0154b69e636df35f745b1aedd42fa1

                                                  SHA512

                                                  151ddd215abada6a3fe4e36f8bab5c84ec166220c979f56fbcd136c8bfec82b3c3d48f3d699eed1d3d03dbaf02fae9e5678bc39516515b87a517c176bbfd17a4

                                                  Download Submit

                                                • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  96KB

                                                  MD5

                                                  54284d3c667dd6a26da9598714047caa

                                                  SHA1

                                                  a24f0cd36dcf926aaf34892e91bcf6789d770fc6

                                                  SHA256

                                                  88903d08f3fcb8438da72eb0a0b01deb4b0154b69e636df35f745b1aedd42fa1

                                                  SHA512

                                                  151ddd215abada6a3fe4e36f8bab5c84ec166220c979f56fbcd136c8bfec82b3c3d48f3d699eed1d3d03dbaf02fae9e5678bc39516515b87a517c176bbfd17a4

                                                  Download Submit

                                                • \Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  96KB

                                                  MD5

                                                  54284d3c667dd6a26da9598714047caa

                                                  SHA1

                                                  a24f0cd36dcf926aaf34892e91bcf6789d770fc6

                                                  SHA256

                                                  88903d08f3fcb8438da72eb0a0b01deb4b0154b69e636df35f745b1aedd42fa1

                                                  SHA512

                                                  151ddd215abada6a3fe4e36f8bab5c84ec166220c979f56fbcd136c8bfec82b3c3d48f3d699eed1d3d03dbaf02fae9e5678bc39516515b87a517c176bbfd17a4

                                                  Download Submit

                                                • \Program Files (x86)\Microsoft\WaterMark.exe
                                                  Filesize

                                                  96KB

                                                  MD5

                                                  54284d3c667dd6a26da9598714047caa

                                                  SHA1

                                                  a24f0cd36dcf926aaf34892e91bcf6789d770fc6

                                                  SHA256

                                                  88903d08f3fcb8438da72eb0a0b01deb4b0154b69e636df35f745b1aedd42fa1

                                                  SHA512

                                                  151ddd215abada6a3fe4e36f8bab5c84ec166220c979f56fbcd136c8bfec82b3c3d48f3d699eed1d3d03dbaf02fae9e5678bc39516515b87a517c176bbfd17a4

                                                  Download Submit

                                                • memory/852-80-0x0000000000400000-0x0000000000436000-memory.dmp

                                                  Filesize

                                                  216KB

                                                  Download

                                                • memory/852-188-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/852-79-0x0000000000400000-0x0000000000436000-memory.dmp

                                                  Filesize

                                                  216KB

                                                  Download

                                                • memory/916-57-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/916-58-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/916-62-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                  Download

                                                • memory/916-54-0x0000000076871000-0x0000000076873000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/1312-83-0x0000000020010000-0x000000002001B000-memory.dmp

                                                  Filesize

                                                  44KB

                                                  Download

                                                • memory/1312-86-0x0000000020010000-0x000000002001B000-memory.dmp

                                                  Filesize

                                                  44KB

                                                  Download

                                                • memory/1724-75-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1724-81-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1724-71-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/1724-189-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download