Analysis
Max time kernel: 97s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30/10/2022, 23:00
Static task: static1
Behavioral task: behavioral1
Sample: f8def8b24b0be3bbcaa206f280b56721146c5ab08561a8cdffb29c30a30c1773.dll
Resource: win7-20220901-en
General
Target: f8def8b24b0be3bbcaa206f280b56721146c5ab08561a8cdffb29c30a30c1773.dll
Size: 204KB
MD5: a16e83a2617be2ff5e86b6b2de237312
SHA1: 7c7e5ebffa3be85ac226bacb5fbe9cd96426c0cd
SHA256: f8def8b24b0be3bbcaa206f280b56721146c5ab08561a8cdffb29c30a30c1773
SHA512: 35f26cd09f31b788839d431ff951c97f33c92532015d5db4cec2a5a5dbbb8374ca957a433802a30265964616104dce2f3b9b0f8716fc9cf9c348e615561f2c92
SSDEEP: 3072:tZmu9K33WSwdJ/tILtAPrL+oxdvKjD4NCgKZrYBcYznTbKXa:t8b33QqUrSJDZrY+YTTbKXa
Malware Config
Signatures
- Executes dropped EXE 2 IoCs
  - PID 4920 rundll32mgr.exe
  - PID 4908 WaterMark.exe
- Yara rule upx (UPX packer) matched in process memory 13 IoCs
  - behavioral2/memory/4920-138-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral2/memory/4920-142-0x0000000000400000-0x0000000000423000-memory.dmp
  - behavioral2/memory/4920-141-0x0000000000400000-0x0000000000423000-memory.dmp
  - behavioral2/memory/4920-139-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral2/memory/4920-143-0x0000000000400000-0x0000000000423000-memory.dmp
  - behavioral2/memory/4920-151-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral2/memory/4908-154-0x0000000000400000-0x0000000000423000-memory.dmp
  - behavioral2/memory/4908-155-0x0000000000400000-0x0000000000423000-memory.dmp
  - behavioral2/memory/4908-156-0x0000000000400000-0x0000000000423000-memory.dmp
  - behavioral2/memory/4908-159-0x0000000000400000-0x0000000000423000-memory.dmp
  - behavioral2/memory/4908-160-0x0000000000400000-0x0000000000423000-memory.dmp
  - behavioral2/memory/4908-161-0x0000000000400000-0x0000000000423000-memory.dmp
  - behavioral2/memory/4908-162-0x0000000000400000-0x0000000000421000-memory.dmp
- Drops file in System32 directory 1 IoCs
  - File created C:\Windows\SysWOW64\rundll32mgr.exe (rundll32.exe)
- Drops file in Program Files directory 3 IoCs
  - File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe (rundll32mgr.exe)
  - File opened for modification C:\Program Files (x86)\Microsoft\px8EC7.tmp (rundll32mgr.exe)
  - File created C:\Program Files (x86)\Microsoft\WaterMark.exe (rundll32mgr.exe)
- Program crash 1 IoCs
  - PID 4964 WerFault.exe, target PID 792 (procid_target 84)
- Modifies Internet Explorer settings 41 IoCs
  All keys below are under \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\
  - Key created Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\VersionManager (IEXPLORE.EXE)
  - Set value (str) SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{218B60A1-5949-11ED-B696-EE6CABA3804C} = "0" (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4135532607" (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\Main (iexplore.exe)
  - Set value (str) SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
  - Key created SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374005590" (iexplore.exe)
  - Set value (str) SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\VersionManager (iexplore.exe)
  - Set value (str) SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
  - Set value (data) SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993749" (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993749" (iexplore.exe)
  - Key created SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
  - Key created SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\Main (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2188FC48-5949-11ED-B696-EE6CABA3804C} = "0" (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993749" (IEXPLORE.EXE)
  - Set value (str) SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
  - Set value (data) SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 (iexplore.exe)
  - Key created Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4135532607" (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4144439310" (IEXPLORE.EXE)
  - Key created Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
  - Set value (int) SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Suspicious behavior: EnumeratesProcesses 16 IoCs
  - PID 4908 WaterMark.exe (16 events)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  - PID 2584 iexplore.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  - Token: SeDebugPrivilege, PID 4908 WaterMark.exe
- Suspicious use of FindShellTrayWindow 2 IoCs
  - PID 4524 iexplore.exe
  - PID 2584 iexplore.exe
- Suspicious use of SetWindowsHookEx 10 IoCs
  - PID 2584 iexplore.exe (2 events)
  - PID 4524 iexplore.exe (2 events)
  - PID 4444 IEXPLORE.EXE (4 events)
  - PID 4220 IEXPLORE.EXE (2 events)
- Suspicious use of UnmapMainImage 2 IoCs
  - PID 4920 rundll32mgr.exe
  - PID 4908 WaterMark.exe
- Suspicious use of WriteProcessMemory 28 IoCs
  - PID 2000 rundll32.exe wrote to memory of 3708 (procid_target 81), 3 events
  - PID 3708 rundll32.exe wrote to memory of 4920 (procid_target 82), 3 events
  - PID 4920 rundll32mgr.exe wrote to memory of 4908 (procid_target 83), 3 events
  - PID 4908 WaterMark.exe wrote to memory of 792 (procid_target 84), 9 events
  - PID 4908 WaterMark.exe wrote to memory of 4524 (procid_target 87), 2 events
  - PID 4908 WaterMark.exe wrote to memory of 2584 (procid_target 88), 2 events
  - PID 2584 iexplore.exe wrote to memory of 4444 (procid_target 90), 3 events
  - PID 4524 iexplore.exe wrote to memory of 4220 (procid_target 89), 3 events
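The two "Drops file" signatures give exact on-disk paths, which is what a responder needs to check a suspect host. The following host sweep is an added example for this page, not part of the Triage report: it walks a mounted system drive for those paths, hashes whatever it finds and compares the digest with the only two SHA256 values the report records (the submitted DLL and the 59KB dropped file in the Downloads section). The `root` argument (live drive or forensic-image mount point) and the `px*.tmp` glob are this example's assumptions; the glob generalises the literal px8EC7.tmp on the expectation that the temp name varies per run.

```python
"""Sweep a filesystem root for the files this report records being dropped.

Added example for this report page, not part of the Triage output. It assumes
`root` is the mounted system drive (Path("C:/") on a live host, or the mount
point of a forensic image). Paths are taken verbatim from the "Drops file"
signatures; the px*.tmp pattern is an assumption that the px8EC7.tmp name is
generated per run and should not be matched literally.
"""
from __future__ import annotations

import hashlib
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, Optional

DROPPED_PATHS = (
    "Windows/SysWOW64/rundll32mgr.exe",
    "Program Files (x86)/Microsoft/WaterMark.exe",
)
TEMP_DIR, TEMP_GLOB = "Program Files (x86)/Microsoft", "px*.tmp"

# The only hashes the report records: the submitted DLL and the 59KB dropped file.
KNOWN_SHA256 = {
    "f8def8b24b0be3bbcaa206f280b56721146c5ab08561a8cdffb29c30a30c1773": "submitted DLL (204KB)",
    "5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd": "dropped file (59KB)",
}


@dataclass
class Finding:
    path: str             # relative to root, forward slashes
    size: int
    sha256: str
    label: Optional[str]  # KNOWN_SHA256 entry, or None for a hash the report does not list


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def candidate_files(root: Path) -> Iterator[Path]:
    # Exact paths first, then any px*.tmp left behind in the WaterMark.exe directory.
    for rel in DROPPED_PATHS:
        p = root / rel
        if p.is_file():
            yield p
    tmp = root / TEMP_DIR
    if tmp.is_dir():
        yield from sorted(q for q in tmp.glob(TEMP_GLOB) if q.is_file())


def sweep(root: Path) -> list[Finding]:
    out = []
    for p in candidate_files(root):
        digest = sha256_file(p)
        out.append(Finding(p.relative_to(root).as_posix(), p.stat().st_size, digest,
                           KNOWN_SHA256.get(digest)))
    return out


if __name__ == "__main__":
    for f in sweep(Path(sys.argv[1] if len(sys.argv) > 1 else "C:/")):
        print(f"{f.path}\t{f.size}\t{f.sha256}\t{f.label or 'hash not in report: acquire for analysis'}")
```

A file present at one of these paths whose hash is not in the report is still a finding: the paths are the indicator, the hash only tells you whether you are looking at the same build that was sandboxed here.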
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8def8b24b0be3bbcaa206f280b56721146c5ab08561a8cdffb29c30a30c1773.dll,#1
  PID: 2000
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8def8b24b0be3bbcaa206f280b56721146c5ab08561a8cdffb29c30a30c1773.dll,#1
    PID: 3708
    Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      PID: 4920
      Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        PID: 4908
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          PID: 792
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 204
            PID: 4964
            Signatures: Program crash
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 4524
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4524 CREDAT:17410 /prefetch:2
            PID: 4220
            Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2584
          Signatures: Modifies Internet Explorer settings; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:17410 /prefetch:2
            PID: 4444
            Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 792 -ip 792
  PID: 4448
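The process tree and the WriteProcessMemory table describe one chain from two angles: rundll32 loads the DLL by ordinal, drops rundll32mgr.exe into SysWOW64 and runs it, that drops WaterMark.exe under Program Files (x86)\Microsoft and runs it, and WaterMark.exe then spawns svchost.exe and two iexplore.exe instances and writes into all three, after which svchost.exe crashes and WerFault reports on PID 792. The script below is an added example for this page, not Triage's detection code: it encodes the report's events as records (constructed by hand from the sections above; the record types and field names are this example's own schema, and a PPID of 0 marks a parent the report does not show) and re-derives those four behaviours with rules of its own. The third rule is restricted to processes that executed a dropped file, which is what keeps iexplore.exe's routine writes into its own tab processes (4524 to 4220, 2584 to 4444) from being reported as injection.

```python
"""Re-derive the behaviours this report flags from raw process, file and
memory-write events.

Added example for this report page, not Triage's own detection logic.
REPORT_EVENTS is constructed by hand from the Processes, "Drops file" and
"Suspicious use of WriteProcessMemory" sections; the record types and field
names are this example's own schema. Where the report shows no parent (the
root rundll32.exe, the second WerFault.exe) the ppid is recorded as 0.
"""
from __future__ import annotations

import re
from collections import defaultdict, namedtuple

ProcessCreate = namedtuple("ProcessCreate", "pid ppid image cmdline")
FileCreate = namedtuple("FileCreate", "pid path")
MemoryWrite = namedtuple("MemoryWrite", "src dst")

# Trusted-looking children a freshly dropped executable has no reason to write into.
INJECTION_TARGETS = {"svchost.exe", "iexplore.exe", "explorer.exe"}
ORDINAL_EXPORT = re.compile(r",#\d+\s*$")   # rundll32 "x.dll,#1" entry-point form
WERFAULT_PID = re.compile(r"-p\s+(\d+)")    # WerFault ... -p <crashed pid>


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def lineage(events, pid: int) -> list[int]:
    """[pid, parent, grandparent, ...] until a pid that is not in the trace."""
    procs = {e.pid: e for e in events if isinstance(e, ProcessCreate)}
    chain = []
    while pid in procs and pid not in chain:
        chain.append(pid)
        pid = procs[pid].ppid
    return chain


def detect(events) -> list[str]:
    procs = {e.pid: e for e in events if isinstance(e, ProcessCreate)}
    created = {e.path.lower(): e.pid for e in events if isinstance(e, FileCreate)}
    writes = defaultdict(set)
    for e in events:
        if isinstance(e, MemoryWrite):
            writes[e.src].add(e.dst)
    # Processes whose image was written to disk earlier in the same trace.
    dropped = {pid for pid, p in procs.items() if p.image.lower() in created}

    alerts = []
    for p in procs.values():
        name, cmd = basename(p.image), p.cmdline.lower()
        # 1. rundll32 loading a DLL from the user's Temp directory by export ordinal.
        if name == "rundll32.exe" and "\\appdata\\local\\temp\\" in cmd and ORDINAL_EXPORT.search(cmd):
            alerts.append(f"pid {p.pid}: rundll32 loads Temp DLL by ordinal: {p.cmdline}")
        if p.pid in dropped:
            # 2. Executes a dropped file (what Triage labels "Executes dropped EXE").
            alerts.append(f"pid {p.pid}: executes file dropped by pid {created[p.image.lower()]}: {p.image}")
            # 3. ...and writes into a trusted-looking child it spawned itself. Limiting this
            # to dropped executables keeps iexplore.exe writing into its own tabs quiet.
            for dst in sorted(writes.get(p.pid, ())):
                tgt = procs.get(dst)
                if tgt and tgt.ppid == p.pid and basename(tgt.image) in INJECTION_TARGETS:
                    alerts.append(f"pid {p.pid} ({name}) writes into spawned {basename(tgt.image)} pid {dst}")
        # 4. WerFault for a pid somebody wrote into: the injected code crashed its host.
        if name == "werfault.exe" and (m := WERFAULT_PID.search(cmd)):
            crashed = int(m.group(1))
            writers = sorted(s for s, ds in writes.items() if crashed in ds)
            if writers:
                alerts.append(f"pid {p.pid}: WerFault for pid {crashed}, written into by pids {writers}")
    return alerts


DLL = r"C:\Users\Admin\AppData\Local\Temp\f8def8b24b0be3bbcaa206f280b56721146c5ab08561a8cdffb29c30a30c1773.dll"
MGR = r"C:\Windows\SysWOW64\rundll32mgr.exe"
WM = r"C:\Program Files (x86)\Microsoft\WaterMark.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
WER = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from this report's process tree and WriteProcessMemory table.
REPORT_EVENTS = [
    ProcessCreate(2000, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcessCreate(3708, 2000, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    FileCreate(3708, MGR),
    ProcessCreate(4920, 3708, MGR, MGR),
    FileCreate(4920, WM),
    ProcessCreate(4908, 4920, WM, f'"{WM}"'),
    ProcessCreate(792, 4908, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
    ProcessCreate(4964, 792, WER, f"{WER} -u -p 792 -s 204"),
    ProcessCreate(4524, 4908, IE, f'"{IE}"'),
    ProcessCreate(4220, 4524, IE32, f'"{IE32}" SCODEF:4524 CREDAT:17410 /prefetch:2'),
    ProcessCreate(2584, 4908, IE, f'"{IE}"'),
    ProcessCreate(4444, 2584, IE32, f'"{IE32}" SCODEF:2584 CREDAT:17410 /prefetch:2'),
    ProcessCreate(4448, 0, WER, f"{WER} -pss -s 384 -p 792 -ip 792"),
] + [MemoryWrite(s, d) for s, d in ((2000, 3708), (3708, 4920), (4920, 4908), (4908, 792),
                                    (4908, 4524), (4908, 2584), (4524, 4220), (2584, 4444))]

if __name__ == "__main__":
    for a in detect(REPORT_EVENTS):
        print(a)
    print("injector lineage:", " <- ".join(map(str, lineage(REPORT_EVENTS, 4908))))
```

Run against the report's events this yields nine alerts: two for the ordinal rundll32 loads (PIDs 2000 and 3708), two for executing dropped files (4920 and 4908), three writes from 4908 into its svchost.exe and iexplore.exe children, and two WerFault reports for PID 792. The parent-to-child writes 2000 to 3708, 3708 to 4920 and 4920 to 4908 are not reported because the targets are not trusted system images; they are ordinary process-startup writes that Triage lists alongside the injection ones.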
Network
MITRE ATT&CK Enterprise v6
Downloads
- (path not shown in the report; this entry is listed four times)
  Filesize: 59KB
  MD5: 0e0f0ae845d89c22bb6385f64a6b85fd
  SHA1: 0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac
  SHA256: 5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd
  SHA512: baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: deabbdcb221537d48aed54816739f367
  SHA1: 9ce0f0d21d9bd08823732047e19edbbd909396bc
  SHA256: 494de69d83714780f68a1e6871716f3a4a10835e90b4f96e48610c3e8f39e9cf
  SHA512: 95a80c34ddb83e74e51e5d0884dc7433de78b956db8fb2b1fb54e0f158283991edacafd3e7653161767a69f25f9cf537cc1a654d20e3f27bbc54588b3b4bf5e8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 434B
  MD5: b2e6572cce5c74a1aa710a97bf44b159
  SHA1: d4e70fec042752768bcac06e74bfb26b24e22e65
  SHA256: c73c8f33ef1a6e673fa6a41d4c6018bb530c11e16c2c865221255a2cdc7732fe
  SHA512: dc8645879fad3a34ebc8638e37eaf47ea33a06d5935d286c0448cabc0dfbea4bb541523cb98e56ddbdad14d4315253bcb6510b5ce98a09220d75e322a6d3d574
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2188FC48-5949-11ED-B696-EE6CABA3804C}.dat
  Filesize: 5KB
  MD5: 3159cd3c2f1ee733c9da098cd9783147
  SHA1: fb39add780f4c74b370d6bf65c5b7469f0360758
  SHA256: 978d55b5d38bf4eb4642e236ac6abf424e9616fa352c6607c3271cc1cc31ed1e
  SHA512: af20638711e18df861e3f5efda20571ed8ff7d662d46cd79fb18cc9b5b836c35f4f2e1b51b3a88f05253851f2912dc3936e1d6b223e7c81d510f6234680ea23c
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{218B60A1-5949-11ED-B696-EE6CABA3804C}.dat
  Filesize: 5KB
  MD5: 1d5de58cdce72dc6b0e3645e0f6840c3
  SHA1: 5894b83ce65d1dd48803245475b0d9ecd25ea9e6
  SHA256: cf6ab39e18162ace2088297a61a43f4ca3e1f6f1e5091ea5024409d5761c28ff
  SHA512: 5c8db4b5645bbc4302068e3cfc33a2e957a08e99c2537204ddf5f6b41243744edf04c31b0cb5ab5b8075c5013350b12ce4df2b97485c4c0419db3179d1ee7906