Analysis
max time kernel: 151s
max time network: 43s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2022, 18:48
Behavioral task behavioral1
Sample: 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Resource: win10v2004-20220812-en
General
Target: 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Size: 636KB
MD5: 84ed8423ff9a32cb9b9ba39240b909b2
SHA1: 28fae283a338f1f83408770df2d507a368ffa37e
SHA256: 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5
SHA512: 4a5500ac57d903e65236f7ee447edda7226b10a27ce39dbc3838e928d8beab6ee12a30e46dbfacc52d75e1221c13df7dbce2d5ecd4eea6c92095bb190af9b02b
SSDEEP: 12288:TpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/zR:1wAcu99lPzvxP+Bsz2XjWTRMQckkIXnd
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Executes dropped EXE (1 IoC)
pid | Process
1992 | winupdate.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Loads dropped DLL (4 IoCs)
pid | Process
784 | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
1992 | winupdate.exe
1992 | winupdate.exe
1992 | winupdate.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Both processes adjusted the same 23 privileges on their tokens: PID 784 (508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe) and PID 1992 (winupdate.exe).
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeChangeNotifyPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: SeImpersonatePrivilege
Token: SeCreateGlobalPrivilege
Token: 33
Token: 34
Token: 35
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1992 | winupdate.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 784 wrote to memory of 1984 | 784 | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe | 26 (4 times)
PID 784 wrote to memory of 1992 | 784 | 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe | 27 (7 times)
Processes

C:\Users\Admin\AppData\Local\Temp\508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe
command line: "C:\Users\Admin\AppData\Local\Temp\508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5.exe"
PID: 784 (depth 1)
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\explorer.exe
  command line: "C:\Windows\SysWOW64\explorer.exe"
  PID: 1984 (depth 2, child of 784)

  C:\Windupdt\winupdate.exe
  command line: "C:\Windupdt\winupdate.exe"
  PID: 1992 (depth 2, child of 784)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Six download entries are listed; all six carry the same size and hashes as the submitted sample.
Filesize: 636KB
MD5: 84ed8423ff9a32cb9b9ba39240b909b2
SHA1: 28fae283a338f1f83408770df2d507a368ffa37e
SHA256: 508f5f9478866d04c03bdaf4a6038816bf0c250a23df64bdbaa5d27da9fed2b5
SHA512: 4a5500ac57d903e65236f7ee447edda7226b10a27ce39dbc3838e928d8beab6ee12a30e46dbfacc52d75e1221c13df7dbce2d5ecd4eea6c92095bb190af9b02b