Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2022, 07:58 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
  Resource: win10v2004-20220901-en
General
Target: deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
Size: 123KB
MD5: 811407dad7866484579fadb44b4c003a
SHA1: a49a315e6d6022d6f1b73fcff3226ebe8c5fc412
SHA256: deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5
SHA512: 615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df
SSDEEP: 768:n06R0UtgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9ICW:9R0Zn3Pc0LCH9MtbvabUDzJYWu3B
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" (svchost.exe)
Executes dropped EXE (1 IoC)
  pid / Process:
  - 2044 WaterMark.exe
Yara rule matches
  resource / yara_rule:
  - behavioral1/memory/2000-57-0x0000000000400000-0x0000000000421000-memory.dmp upx
  - behavioral1/memory/2000-58-0x0000000000400000-0x0000000000421000-memory.dmp upx
  - behavioral1/memory/2000-63-0x0000000000400000-0x0000000000421000-memory.dmp upx
  - behavioral1/memory/2044-79-0x0000000000400000-0x0000000000442000-memory.dmp upx
  - behavioral1/memory/2044-191-0x0000000000400000-0x0000000000421000-memory.dmp upx
Loads dropped DLL (2 IoCs)
  pid / Process:
  - 2000 deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
  - 2000 deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
Drops file in System32 directory (2 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
  - File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
Drops file in Program Files directory (10 IoCs)
  description / ioc / Process:
  - File created: C:\Program Files (x86)\Microsoft\WaterMark.exe (deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe)
  - File opened for modification: C:\Program Files\7-Zip\7-zip.dll (svchost.exe)
  - File opened for modification: C:\Program Files\7-Zip\7zFM.exe (svchost.exe)
  - File opened for modification: C:\Program Files\7-Zip\7zG.exe (svchost.exe)
  - File opened for modification: C:\Program Files\7-Zip\7z.dll (svchost.exe)
  - File opened for modification: C:\Program Files\7-Zip\7z.exe (svchost.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft\pxEA31.tmp (deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (svchost.exe)
  - File opened for modification: C:\Program Files\7-Zip\7-zip32.dll (svchost.exe)
Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid / Process (count):
  - 2044 WaterMark.exe (8)
  - 1272 svchost.exe (17)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege, 2044 WaterMark.exe
  - Token: SeDebugPrivilege, 1272 svchost.exe
  - Token: SeDebugPrivilege, 2044 WaterMark.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid / Process:
  - 2000 deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe
  - 2044 WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  pid / Process -> target pid (procid_target), count:
  - 2000 deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe -> 2044 (28), 4
  - 2044 WaterMark.exe -> 1536 (29), 10
  - 2044 WaterMark.exe -> 1272 (30), 10
  - 1272 svchost.exe -> 260 (7), 5
  - 1272 svchost.exe -> 332 (6), 5
  - 1272 svchost.exe -> 372 (5), 5
  - 1272 svchost.exe -> 384 (4), 5
  - 1272 svchost.exe -> 420 (3), 5
  - 1272 svchost.exe -> 464 (2), 5
  - 1272 svchost.exe -> 480 (1), 5
  - 1272 svchost.exe -> 488 (8), 5
Processes
(image path | cmdline | PID; indentation shows parent/child depth)
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:480
- C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID:464
  - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID:740
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID:872
    - \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID:836
  - C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID:1936
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID:1644
  - C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1128
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID:1084
  - C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:936
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID:300
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID:824
  - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID:792
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID:660
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID:584
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID:420
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:384
- C:\Windows\system32\wininit.exe | wininit.exe | PID:372
  - C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID:488
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID:332
- C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID:260
- C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | PID:1908
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1224
  - C:\Users\Admin\AppData\Local\Temp\deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe | "C:\Users\Admin\AppData\Local\Temp\deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5.exe" | PID:2000
    signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID:2044
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:1536
        signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory
      - C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID:1272
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1192
Network
DNS (remote address 8.8.8.8:53)
(request | response | bytes sent | bytes received | packets sent | packets received)
- google.com IN A | 142.250.179.142 | 56 B | 72 B | 1 | 1
- rterybrstutnrsbberve.com IN A | 204.95.99.221 | 70 B | 86 B | 1 | 1
- erwbtkidthetcwerc.com IN A | 204.95.99.221 | 67 B | 83 B | 1 | 1
- rvbwtbeitwjeitv.com IN A | 204.95.99.221 | 65 B | 81 B | 1 | 1
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 123KB
MD5: 811407dad7866484579fadb44b4c003a
SHA1: a49a315e6d6022d6f1b73fcff3226ebe8c5fc412
SHA256: deeef3093ad444bbd34dd06ec89923a569c008111bc2905fea1cb8aca807e3c5
SHA512: 615d99de87a0c391472e32e7c0e1788309dc0ed193cd0d356decff13a56ad547d4854e14f16f648ee548061fdaf1263465af3a6d03374e48c0eca2088b75e5df