Analysis
- max time kernel: 148s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 21/10/2022, 02:16
Static task
- static1
Behavioral task
- behavioral1: sample c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe, resource win7-20220812-en
Behavioral task
- behavioral2: sample c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe, resource win10v2004-20220812-en
General
- Target: c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
- Size: 332KB
- MD5: 5482037ed4aa90a79efafd52f1a43fff
- SHA1: f41242a8494a0f678b826096fafa1c4c431b69b8
- SHA256: c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9
- SHA512: 77a3cbe7b18594dc59adaf9f2dbd439440d2deaf0cf553334690168f3213174cea0042710581224ec7414300366242e45e67f52bc167dd77c1bb3571da4191e1
- SSDEEP: 3072:Gaxvos7J0wbx24Pu++slAhKAFRn1gs4vJi+DhVrfQLDMVKuVbewXRP5/tz:GahlKL+Ah3FV1bcJzDHfeDnuVbewl5/1
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 8 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\lsass.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
The reg.exe command lines in the process tree below write to HKLM\System\CurrentControlSet, which on this image resolves to ControlSet001. DoNotAllowExceptions = 0 re-enables the Windows Firewall exceptions list, and the two AuthorizedApplications entries allow-list the dropped %AppData%\lsass.exe copy and the original sample in %Temp% for all scopes (the "*" field) under the display name "Windows Messanger" (the misspelling is the sample's own string and is a usable indicator).
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe" | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCCF9FFA-BBDB-BAAF-D84B-CCFCEEBDE1CA} | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCCF9FFA-BBDB-BAAF-D84B-CCFCEEBDE1CA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe" | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{BCCF9FFA-BBDB-BAAF-D84B-CCFCEEBDE1CA} | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components\{BCCF9FFA-BBDB-BAAF-D84B-CCFCEEBDE1CA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe" | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe" | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe" | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe
Modifies registry key 1 TTPs 4 IoCs
pid | process
1032 | reg.exe
1164 | reg.exe
1972 | reg.exe
1700 | reg.exe
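Detection logic over registry events of the kind listed in the signatures above. This is an added example, not part of the tria.ge report or of the sample: it parses "Set value" / "Key created" lines in the report's own description/ioc/process shape and flags three things the sections above show together, a firewall allow-list entry or DoNotAllowExceptions=0 written by reg.exe, a Run / Policies\Explorer\Run / Active Setup StubPath pointing into a user-writable directory, and a core Windows process name (lsass.exe) living outside C:\Windows. The sample lines are constructed from this report's paths, with sample.exe standing in for the SHA256-named executable and a benign OneDrive line as a control; the rule names, the untrusted-directory list and the system-binary list are the example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample input, in the description/ioc/process shape of the report's
# Signatures section. Paths are the ones this report lists; "sample.exe" stands in
# for the SHA256-named executable; the OneDrive line is a benign control.
SAMPLE_EVENTS = r'''
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\lsass.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe:*:Enabled:Windows Messanger" reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe" sample.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCCF9FFA-BBDB-BAAF-D84B-CCFCEEBDE1CA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe" sample.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe" sample.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" msiexec.exe
'''

# <operation> <key path, may contain spaces> [= "<value>"] <process>
EVENT_RE = re.compile(r'^(Set value \((?:int|str)\)|Key created) (.+?)(?: = "(.*)")? (\S+)$')
# Firewall allow-list value format: <path>:<scope>:<Enabled|Disabled>:<display name>
FW_RULE_RE = re.compile(r'^(.*):([^:]*):(Enabled|Disabled):(.*)$')

# Lower-cased key fragments that mean "run this at logon/boot" (the example's own list).
PERSIST_KEYS = (
    "\\microsoft\\windows\\currentversion\\run\\",
    "\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\",
    "\\microsoft\\active setup\\installed components\\",
)
UNTRUSTED_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "wininit.exe",
                   "winlogon.exe", "services.exe", "svchost.exe"}


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def parse_event(line: str):
    """Return (operation, key, value-or-None, process), or None for a non-matching line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    op, key, value, proc = m.groups()
    if value is not None:
        value = value.replace("\\\\", "\\")  # undo the report's doubled backslashes
    return op, key, value, proc


def in_untrusted_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in UNTRUSTED_DIRS)


def masquerades_system_binary(path: str) -> bool:
    """A core Windows process name living outside C:\\Windows (e.g. %AppData%\\lsass.exe)."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and not p.startswith("c:\\windows\\")


def analyze(events: str) -> list:
    findings = []
    for line in events.splitlines():
        ev = parse_event(line)
        if ev is None or not ev[0].startswith("Set value"):
            continue  # bare key creation is not evidence by itself
        _, key, value, proc = ev
        k = key.lower()
        target = None  # executable path the value points at, if any
        if "\\firewallpolicy\\" in k:
            if k.endswith("\\donotallowexceptions") and value == "0":
                findings.append(Finding("firewall-exceptions-reenabled", proc, key))
            elif "\\authorizedapplications\\list\\" in k:
                fm = FW_RULE_RE.match(value)
                if fm and fm.group(3) == "Enabled":
                    target = fm.group(1)
                    if in_untrusted_dir(target):
                        findings.append(Finding("firewall-exception-untrusted-path", proc, target))
        elif any(marker in k for marker in PERSIST_KEYS):
            target = value
            if in_untrusted_dir(target):
                findings.append(Finding("persistence-untrusted-path", proc, f"{key} -> {value}"))
        if target and masquerades_system_binary(target):
            findings.append(Finding("system-binary-masquerade", proc, target))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

On the constructed input this yields nine findings: one DoNotAllowExceptions toggle, one allow-list entry for a binary under AppData, three persistence entries into AppData, and the lsass.exe masquerade fired once per entry that names it; the OneDrive control produces nothing. The same rules apply unchanged to Sysmon event 13 (RegistryEvent value set) once the TargetObject and Details fields are mapped onto the key/value columns.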
Suspicious use of AdjustPrivilegeToken 36 IoCs
description | pid | process
All 36 entries are from PID 768, c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe. Tokens adjusted, in order: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege.
The named entries follow privilege LUID order (SeCreateTokenPrivilege is LUID 2, SeCreateGlobalPrivilege is LUID 30), so the run from 1 to 35 is consistent with the sample trying to enable every privilege LUID in turn; the bare numbers are LUIDs the sandbox did not resolve to a name. Only SeDebugPrivilege is requested a second time on its own.
Suspicious use of SetWindowsHookEx 3 IoCs
pid | process
768 | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe (3 entries)
Suspicious use of WriteProcessMemory 32 IoCs
description | pid | process | procid_target
Each parent/child pair below is logged four times (32 records for 8 child processes).
PID 768 wrote to memory of 1896 | 768 | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe | 27
PID 768 wrote to memory of 2044 | 768 | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe | 28
PID 768 wrote to memory of 1712 | 768 | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe | 30
PID 768 wrote to memory of 2032 | 768 | c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe | 32
PID 2044 wrote to memory of 1972 | 2044 | cmd.exe | 36
PID 1896 wrote to memory of 1164 | 1896 | cmd.exe | 35
PID 1712 wrote to memory of 1700 | 1712 | cmd.exe | 37
PID 2032 wrote to memory of 1032 | 2032 | cmd.exe | 38
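The WriteProcessMemory records above are what the Processes tree below is built from: each child shows up several times, and the parent appears both as the writing PID and in the process column. The following is an added example, not part of the tria.ge report, that collapses those records into one parent/child edge each, renders the tree, and pulls out every reg.exe reached from the sample through cmd.exe, tagged by what its command line touches. Input is constructed from this report's records and reg.exe command lines, with sample.exe standing in for the SHA256-named executable; the tag names are the example's own.

```python
import re
from collections import defaultdict

# Constructed input, copied from the report's WriteProcessMemory signature; the
# sandbox logs one CreateProcess as several identical "wrote to memory of" records.
# "sample.exe" stands in for the SHA256-named executable.
WPM_RECORDS = """
PID 768 wrote to memory of 1896 768 sample.exe 27
PID 768 wrote to memory of 1896 768 sample.exe 27
PID 768 wrote to memory of 1896 768 sample.exe 27
PID 768 wrote to memory of 2044 768 sample.exe 28
PID 768 wrote to memory of 1712 768 sample.exe 30
PID 768 wrote to memory of 2032 768 sample.exe 32
PID 2044 wrote to memory of 1972 2044 cmd.exe 36
PID 1896 wrote to memory of 1164 1896 cmd.exe 35
PID 1712 wrote to memory of 1700 1712 cmd.exe 37
PID 2032 wrote to memory of 1032 2032 cmd.exe 38
"""

# pid -> image, and the reg.exe command lines, taken from the Processes section.
IMAGES = {768: "sample.exe", 1896: "cmd.exe", 2044: "cmd.exe", 1712: "cmd.exe", 2032: "cmd.exe",
          1164: "reg.exe", 1972: "reg.exe", 1700: "reg.exe", 1032: "reg.exe"}
FW = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
CMDLINES = {
    1164: f'REG ADD {FW} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    1700: f'REG ADD {FW} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    1972: f'REG ADD {FW}\\AuthorizedApplications\\List /v "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe" '
          f'/t REG_SZ /d "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe:*:Enabled:Windows Messanger" /f',
    1032: f'REG ADD {FW}\\AuthorizedApplications\\List /v "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe" '
          f'/t REG_SZ /d "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe:*:Enabled:Windows Messanger" /f',
}

# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_edges(text: str) -> dict:
    """Collapse duplicate records into one (parent, child) -> parent image entry."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child, parent_image, _target = m.groups()
            edges[(int(parent), int(child))] = parent_image
    return edges


def build_tree(edges: dict):
    children, parents = defaultdict(list), {}
    for parent, child in edges:
        children[parent].append(child)
        parents[child] = parent
    roots = sorted(p for p in children if p not in parents)
    return roots, children, parents


def lineage(pid: int, parents: dict, images: dict) -> list:
    """Image names from the root down to pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return [images.get(p, "?") for p in reversed(chain)]


def render(pid: int, children: dict, images: dict, depth: int = 0) -> list:
    lines = [f"{'  ' * depth}{images.get(pid, '?')} (pid {pid})"]
    for c in sorted(children.get(pid, [])):
        lines.extend(render(c, children, images, depth + 1))
    return lines


def classify_reg(cmdline: str) -> str:
    c = cmdline.lower()
    if "firewallpolicy" in c and "donotallowexceptions" in c:
        return "firewall-exceptions-toggle"
    if "firewallpolicy" in c and "authorizedapplications" in c:
        return "firewall-allowlist"
    if "currentversion\\run" in c:
        return "run-key-persistence"
    return "other"


def reg_chains(edges: dict, images: dict, cmdlines: dict) -> list:
    """(pid, lineage, tag) for every reg.exe in the tree."""
    _, _, parents = build_tree(edges)
    return [(child, lineage(child, parents, images), classify_reg(cmdlines.get(child, "")))
            for (_, child) in sorted(edges) if images.get(child) == "reg.exe"]


if __name__ == "__main__":
    edges = parse_edges(WPM_RECORDS)
    roots, children, _ = build_tree(edges)
    for r in roots:
        print("\n".join(render(r, children, IMAGES)))
    for pid, chain, tag in reg_chains(edges, IMAGES, CMDLINES):
        print(pid, " -> ".join(chain), tag)
```

The ten records reduce to eight edges under a single root (PID 768); all four reg.exe instances have the lineage sample.exe -> cmd.exe -> reg.exe, two tagged as the DoNotAllowExceptions toggle and two as allow-list writes. A "sample -> cmd.exe -> reg.exe" chain that touches FirewallPolicy is a cheap hunting pattern on any EDR that records parent PIDs and command lines, independent of the file hashes above.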
Processes
C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe (depth 1, PID 768)
  command line: "C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe"
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1896)
    command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (depth 3, PID 1164)
      command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2044)
    command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (depth 3, PID 1972)
      command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c38440c7a816994e2b975db8df23c1db1e2ef3085356256fa8bea22ae7e640b9.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1712)
    command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (depth 3, PID 1700)
      command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Modifies firewall policy service
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2032)
    command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsass.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsass.exe:*:Enabled:Windows Messanger" /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (depth 3, PID 1032)
      command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lsass.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lsass.exe:*:Enabled:Windows Messanger" /f
      - Modifies firewall policy service
      - Modifies registry key