Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

deeef3093a...c5.exe

windows7-x64

10

deeef3093a...c5.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2022, 07:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe

  • Size

    123KB

  • MD5

    811407dad7866484579fadb44b4c003a

  • SHA1

    a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

  • SHA256

    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

  • SHA512

    615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

  • SSDEEP

    768:n06R0UtgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9ICW:9R0Zn3Pc0LCH9MtbvabUDzJYWu3B

Score
10/10
persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:480
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:464
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
          2⤵
            PID:740
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs
            2⤵
              PID:872
              • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                wmiadap.exe /F /T /R
                3⤵
                  PID:836
              • C:\Windows\system32\sppsvc.exe
                C:\Windows\system32\sppsvc.exe
                2⤵
                  PID:1936
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                  2⤵
                    PID:1644
                  • C:\Windows\system32\taskhost.exe
                    "taskhost.exe"
                    2⤵
                      PID:1128
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                      2⤵
                        PID:1084
                      • C:\Windows\System32\spoolsv.exe
                        C:\Windows\System32\spoolsv.exe
                        2⤵
                          PID:936
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k NetworkService
                          2⤵
                            PID:300
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService
                            2⤵
                              PID:824
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                              2⤵
                                PID:792
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS
                                2⤵
                                  PID:660
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k DcomLaunch
                                  2⤵
                                    PID:584
                                • C:\Windows\system32\winlogon.exe
                                  winlogon.exe
                                  1⤵
                                    PID:420
                                  • C:\Windows\system32\csrss.exe
                                    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                    1⤵
                                      PID:384
                                    • C:\Windows\system32\wininit.exe
                                      wininit.exe
                                      1⤵
                                        PID:372
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          2⤵
                                            PID:488
                                        • C:\Windows\system32\csrss.exe
                                          %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                          1⤵
                                            PID:332
                                          • C:\Windows\System32\smss.exe
                                            \SystemRoot\System32\smss.exe
                                            1⤵
                                              PID:260
                                            • C:\Windows\system32\wbem\wmiprvse.exe
                                              C:\Windows\system32\wbem\wmiprvse.exe
                                              1⤵
                                                PID:1908
                                              • C:\Windows\Explorer.EXE
                                                C:\Windows\Explorer.EXE
                                                1⤵
                                                  PID:1224
                                                  • C:\Users\Admin\AppData\Local\Temp\deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe"
                                                    2⤵
                                                    • Loads dropped DLL
                                                    • Drops file in Program Files directory
                                                    • Suspicious use of UnmapMainImage
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:2000
                                                    • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                      3⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of UnmapMainImage
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2044
                                                      • C:\Windows\SysWOW64\svchost.exe
                                                        C:\Windows\system32\svchost.exe
                                                        4⤵
                                                        • Modifies WinLogon for persistence
                                                        • Drops file in System32 directory
                                                        • Drops file in Program Files directory
                                                        PID:1536
                                                      • C:\Windows\SysWOW64\svchost.exe
                                                        C:\Windows\system32\svchost.exe
                                                        4⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:1272
                                                • C:\Windows\system32\Dwm.exe
                                                  "C:\Windows\system32\Dwm.exe"
                                                  1⤵
                                                    PID:1192

                                                  Network

                                                  MITRE ATT&CK Enterprise v6

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    811407dad7866484579fadb44b4c003a

                                                    SHA1

                                                    a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

                                                    SHA256

                                                    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

                                                    SHA512

                                                    615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

                                                    Download Submit

                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    811407dad7866484579fadb44b4c003a

                                                    SHA1

                                                    a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

                                                    SHA256

                                                    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

                                                    SHA512

                                                    615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

                                                    Download Submit

                                                  • \Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    811407dad7866484579fadb44b4c003a

                                                    SHA1

                                                    a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

                                                    SHA256

                                                    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

                                                    SHA512

                                                    615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

                                                    Download Submit

                                                  • \Program Files (x86)\Microsoft\WaterMark.exe
                                                    Filesize

                                                    123KB

                                                    MD5

                                                    811407dad7866484579fadb44b4c003a

                                                    SHA1

                                                    a49a315e6d6022d6f1b73fcff3226ebe8c5fc412

                                                    SHA256

                                                    deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5

                                                    SHA512

                                                    615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df

                                                    Download Submit

                                                  • memory/1272-85-0x0000000020010000-0x000000002001B000-memory.dmp

                                                    Filesize

                                                    44KB

                                                    Download

                                                  • memory/1272-82-0x0000000020010000-0x000000002001B000-memory.dmp

                                                    Filesize

                                                    44KB

                                                    Download

                                                  • memory/1536-80-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/1536-71-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/1536-75-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/1536-192-0x0000000020010000-0x0000000020022000-memory.dmp

                                                    Filesize

                                                    72KB

                                                    Download

                                                  • memory/2000-63-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  • memory/2000-54-0x0000000075501000-0x0000000075503000-memory.dmp

                                                    Filesize

                                                    8KB

                                                    Download

                                                  • memory/2000-58-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  • memory/2000-57-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download

                                                  • memory/2044-79-0x0000000000400000-0x0000000000442000-memory.dmp

                                                    Filesize

                                                    264KB

                                                    Download

                                                  • memory/2044-191-0x0000000000400000-0x0000000000421000-memory.dmp

                                                    Filesize

                                                    132KB

                                                    Download