Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

deeef3093a...c5.exe

windows7-x64

10

deeef3093a...c5.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2022, 07:58 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe

  • Size

    123KB

  • MD5

    811407dad7866484579fadb44b4c003a

  • SHA1

    a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

  • SHA256

    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

  • SHA512

    615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

  • SSDEEP

    768:n06R0UtgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9ICW:9R0Zn3Pc0LCH9MtbvabUDzJYWu3B

Score
10/10
persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:480
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:464
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
          2⤵
            PID:740
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs
            2⤵
              PID:872
              • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                wmiadap.exe /F /T /R
                3⤵
                  PID:836
              • C:\Windows\system32\sppsvc.exe
                C:\Windows\system32\sppsvc.exe
                2⤵
                  PID:1936
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                  2⤵
                    PID:1644
                  • C:\Windows\system32\taskhost.exe
                    "taskhost.exe"
                    2⤵
                      PID:1128
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                      2⤵
                        PID:1084
                      • C:\Windows\System32\spoolsv.exe
                        C:\Windows\System32\spoolsv.exe
                        2⤵
                          PID:936
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k NetworkService
                          2⤵
                            PID:300
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService
                            2⤵
                              PID:824
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                              2⤵
                                PID:792
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS
                                2⤵
                                  PID:660
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k DcomLaunch
                                  2⤵
                                    PID:584
                                • C:\Windows\system32\winlogon.exe
                                  winlogon.exe
                                  1⤵
                                    PID:420
                                  • C:\Windows\system32\csrss.exe
                                    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                    1⤵
                                      PID:384
                                    • C:\Windows\system32\wininit.exe
                                      wininit.exe
                                      1⤵
                                        PID:372
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          2⤵
                                            PID:488
                                        • C:\Windows\system32\csrss.exe
                                          %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                          1⤵
                                            PID:332
                                          • C:\Windows\System32\smss.exe
                                            \SystemRoot\System32\smss.exe
                                            1⤵
                                              PID:260
                                            • C:\Windows\system32\wbem\wmiprvse.exe
                                              C:\Windows\system32\wbem\wmiprvse.exe
                                              1⤵
                                                PID:1908
                                              • C:\Windows\Explorer.EXE
                                                C:\Windows\Explorer.EXE
                                                1⤵
                                                  PID:1224
                                                  • C:\Users\Admin\AppData\Local\Temp\deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe"
                                                    2⤵
                                                    • Loads dropped DLL
                                                    • Drops file in Program Files directory
                                                    • Suspicious use of UnmapMainImage
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:2000
                                                    • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                      3⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of UnmapMainImage
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2044
                                                      • C:\Windows\SysWOW64\svchost.exe
                                                        C:\Windows\system32\svchost.exe
                                                        4⤵
                                                        • Modifies WinLogon for persistence
                                                        • Drops file in System32 directory
                                                        • Drops file in Program Files directory
                                                        PID:1536
                                                      • C:\Windows\SysWOW64\svchost.exe
                                                        C:\Windows\system32\svchost.exe
                                                        4⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:1272
                                                • C:\Windows\system32\Dwm.exe
                                                  "C:\Windows\system32\Dwm.exe"
                                                  1⤵
                                                    PID:1192

                                                  Network

                                                  • flag-us
                                                    DNS
                                                    google.com
                                                    svchost.exe
                                                    Remote address:
                                                    8.8.8.8:53
                                                    Request
                                                    google.com
                                                    IN A
                                                    Response
                                                    google.com
                                                    IN A
                                                    142.250.179.142
                                                  • flag-us
                                                    DNS
                                                    rterybrstutnrsbberve.com
                                                    svchost.exe
                                                    Remote address:
                                                    8.8.8.8:53
                                                    Request
                                                    rterybrstutnrsbberve.com
                                                    IN A
                                                    Response
                                                    rterybrstutnrsbberve.com
                                                    IN A
                                                    204.95.99.221
                                                  • flag-us
                                                    DNS
                                                    erwbtkidthetcwerc.com
                                                    svchost.exe
                                                    Remote address:
                                                    8.8.8.8:53
                                                    Request
                                                    erwbtkidthetcwerc.com
                                                    IN A
                                                    Response
                                                    erwbtkidthetcwerc.com
                                                    IN A
                                                    204.95.99.221
                                                  • flag-us
                                                    DNS
                                                    rvbwtbeitwjeitv.com
                                                    svchost.exe
                                                    Remote address:
                                                    8.8.8.8:53
                                                    Request
                                                    rvbwtbeitwjeitv.com
                                                    IN A
                                                    Response
                                                    rvbwtbeitwjeitv.com
                                                    IN A
                                                    204.95.99.221
                                                  • 91.220.62.30:443
                                                    svchost.exe
                                                    152 B
                                                     3
                                                  • 142.250.179.142:80
                                                    google.com
                                                    svchost.exe
                                                    98 B
                                                     52 B
                                                     2
                                                    1
                                                  • 91.220.62.30:443
                                                    svchost.exe
                                                    152 B
                                                     3
                                                  • 204.95.99.221:443
                                                    rterybrstutnrsbberve.com
                                                    https
                                                    svchost.exe
                                                    558 B
                                                     132 B
                                                     12
                                                    3
                                                  • 204.95.99.221:443
                                                    rterybrstutnrsbberve.com
                                                    https
                                                    svchost.exe
                                                    1.2kB
                                                     132 B
                                                     14
                                                    3
                                                  • 204.95.99.221:443
                                                    erwbtkidthetcwerc.com
                                                    https
                                                    svchost.exe
                                                    558 B
                                                     132 B
                                                     12
                                                    3
                                                  • 204.95.99.221:443
                                                    erwbtkidthetcwerc.com
                                                    https
                                                    svchost.exe
                                                    978 B
                                                     132 B
                                                     12
                                                    3
                                                  • 204.95.99.221:443
                                                    rvbwtbeitwjeitv.com
                                                    https
                                                    svchost.exe
                                                    558 B
                                                     132 B
                                                     12
                                                    3
                                                  • 204.95.99.221:443
                                                    rvbwtbeitwjeitv.com
                                                    https
                                                    svchost.exe
                                                    978 B
                                                     132 B
                                                     12
                                                    3
                                                  • 142.250.179.142:80
                                                    google.com
                                                    svchost.exe
                                                    98 B
                                                     52 B
                                                     2
                                                    1
                                                  • 8.8.8.8:53
                                                    google.com
                                                    dns
                                                    svchost.exe
                                                    56 B
                                                     72 B
                                                     1
                                                    1

                                                    DNS Request

                                                    google.com

                                                    DNS Response

                                                    142.250.179.142

                                                  • 8.8.8.8:53
                                                    rterybrstutnrsbberve.com
                                                    dns
                                                    svchost.exe
                                                    70 B
                                                     86 B
                                                     1
                                                    1

                                                    DNS Request

                                                    rterybrstutnrsbberve.com

                                                    DNS Response

                                                    204.95.99.221

                                                  • 8.8.8.8:53
                                                    erwbtkidthetcwerc.com
                                                    dns
                                                    svchost.exe
                                                    67 B
                                                     83 B
                                                     1
                                                    1

                                                    DNS Request

                                                    erwbtkidthetcwerc.com

                                                    DNS Response

                                                    204.95.99.221

                                                  • 8.8.8.8:53
                                                    rvbwtbeitwjeitv.com
                                                    dns
                                                    svchost.exe
                                                    65 B
                                                     81 B
                                                     1
                                                    1

                                                    DNS Request

                                                    rvbwtbeitwjeitv.com

                                                    DNS Response

                                                    204.95.99.221

                                                  MITRE ATT&CK Enterprise v6

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    811407dad7866484579fadb44b4c003a

                                                    SHA1

                                                    a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

                                                    SHA256

                                                    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

                                                    SHA512

                                                    615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

                                                    Download Submit

                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    811407dad7866484579fadb44b4c003a

                                                    SHA1

                                                    a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

                                                    SHA256

                                                    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

                                                    SHA512

                                                    615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

                                                    Download Submit

                                                  • \Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    811407dad7866484579fadb44b4c003a

                                                    SHA1

                                                    a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

                                                    SHA256

                                                    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

                                                    SHA512

                                                    615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

                                                    Download Submit

                                                  • \Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    811407dad7866484579fadb44b4c003a

                                                    SHA1

                                                    a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

                                                    SHA256

                                                    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

                                                    SHA512

                                                    615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

                                                    Download Submit

                                                  • memory/1272-85-0x0000000020010000-0x000000002001B000-memory.dmp

                                                    Filesize

                                                    44KB

                                                    Download

                                                  • memory/1272-82-0x0000000020010000-0x000000002001B000-memory.dmp

                                                    Filesize

                                                    44KB

                                                    Download

                                                  • memory/1536-80-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/1536-71-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/1536-75-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/1536-192-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/2000-63-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  • memory/2000-54-0x0000000075501000-0x0000000075503000-memory.dmp

                                                    Filesize

                                                    8KB

                                                    Download

                                                  • memory/2000-58-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  • memory/2000-57-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  • memory/2044-79-0x0000000000400000-0x0000000000442000-memory.dmp

                                                    Filesize

                                                    264KB

                                                    Download

                                                  • memory/2044-191-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  We care about your privacy.

                                                  This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.