Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
20/10/2022, 12:41
General
-
Target
1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be.dll
-
Size
454KB
-
MD5
a003aa5c85856f5d4f5ab277358ea710
-
SHA1
6845fd9cdd1d20c94918aabe87942638b7797762
-
SHA256
1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be
-
SHA512
c469cdbf3ac71f0dbad89dd5c50822aa82ecd83307b0e8eef0e0d74d056119a223336f75eb192abe4b8a91916bc2beb045376a317336bd270abf7ffbe20e28a7
-
SSDEEP
12288:7xGCOXzURlbDC9K69u2m+SqOWcsQQKiY4leDDGoggH/VREG6j4Gm01b8nPCFZyQ9:twXz2aFZ3Tf
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 8 IoCs
-
Drops file in System32 directory 4 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of UnmapMainImage 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵
-
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1802748d085c9502a4fc7cbdd23e0c9ada2a8d841a4687b8bef6ff6ceb2409be.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgrmgr.exeC:\Windows\SysWOW64\rundll32mgrmgr.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
241KB
MD5ccc1590163f5d7ecab7056a44e9db124
SHA11dcb42c050ee4bc9eb9a4576e7e74958f3b3a701
SHA256f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f
SHA5125bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0
-
Filesize
241KB
MD5ccc1590163f5d7ecab7056a44e9db124
SHA11dcb42c050ee4bc9eb9a4576e7e74958f3b3a701
SHA256f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f
SHA5125bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
241KB
MD5ccc1590163f5d7ecab7056a44e9db124
SHA11dcb42c050ee4bc9eb9a4576e7e74958f3b3a701
SHA256f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f
SHA5125bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0
-
Filesize
241KB
MD5ccc1590163f5d7ecab7056a44e9db124
SHA11dcb42c050ee4bc9eb9a4576e7e74958f3b3a701
SHA256f26f3a906655f0f2ecf28e4f1ace3ed923ca3c84e58d07632c2533eb2bebca1f
SHA5125bb0db687caef40a1a918c3e859dffd314de7877827261c6957ea2f5157b8b5d7802938daa26e69d24e0725d3b4f2a145c8e4c315be6a60a611aa0cc5a41afe0
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
119KB
MD5a6aa2de4617939ba1d45caf06ee26101
SHA137855db4d68303311050208ad699825466efec12
SHA25653aa56335d1c3cc1c4b0db3688c3250c4ded0611ce14bbd165544761c4a195b6
SHA512f5238d39b66af7234c6b82e5d0bd2225f329e76e6e564712beba7c7b629a19006329e764b0795d5aef7ad689ecc48096591c79996bf0991efa57294d3d29ea71
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
164KB
-
Filesize
132KB
-
Filesize
132KB