Analysis
max time kernel
188s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
30/10/2022, 23:38
Behavioral task
behavioral1
Sample
57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
Resource
win10v2004-20220812-en
General
Target
57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
Size
712KB
MD5
82df055b503c91ddec6436dc9895a425
SHA1
02960207e992f48938182131923f6ea6bf2c4c62
SHA256
57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7
SHA512
c7c9c038650d48ec3560b2354b0cfb841fa8addffedd086f72a21f09c19943f5469a4a71293d966e31dd49e11ff36565a0db6125bfc5b2d553938a18a483aaea
SSDEEP
12288:aDQNFEyqo3PlzYKXpdqUVTaRGisvrkExuIlpjBrHrr0h0f:aDQNqo3PlzNoUVTacbvrkKZ5Hd
Malware Config
Signatures
resource | yara_rule
behavioral1/memory/1924-55-0x0000000000400000-0x00000000004EE000-memory.dmp | upx
behavioral1/memory/1924-97-0x0000000000400000-0x00000000004EE000-memory.dmp | upx
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\Q: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\S: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\E: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\F: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\K: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\N: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\O: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\V: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\Z: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\G: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\H: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\J: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\R: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\W: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\L: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\X: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\Y: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\I: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\M: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\T: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened (read-only) | \??\U: | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
Drops file in System32 directory 21 IoCs
description | ioc | Process
File created | \??\c:\windows\SysWOW64\svchost.vir | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\dllhost.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File created | \??\c:\windows\SysWOW64\dllhost.vir | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\ieetwcollector.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\msiexec.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File created | \??\c:\windows\SysWOW64\msiexec.vir | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\ui0detect.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File created | \??\c:\windows\SysWOW64\searchindexer.vir | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\locator.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\alg.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D5F9FAC5-57DB-471C-A52E-830249CB9212}.crmlog | dllhost.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D5F9FAC5-57DB-471C-A52E-830249CB9212}.crmlog | dllhost.exe
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\ehome\ehsched.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | SearchIndexer.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1924 | 57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
Token: SeRestorePrivilege | 1768 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1768 | msiexec.exe
Token: SeSecurityPrivilege | 1768 | msiexec.exe
Token: SeManageVolumePrivilege | 396 | SearchIndexer.exe
Token: 33 | 396 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 396 | SearchIndexer.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
1752 | SearchProtocolHost.exe
1752 | SearchProtocolHost.exe
1752 | SearchProtocolHost.exe
1752 | SearchProtocolHost.exe
1752 | SearchProtocolHost.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 396 wrote to memory of 1752 | 396 | SearchIndexer.exe | 30
PID 396 wrote to memory of 1752 | 396 | SearchIndexer.exe | 30
PID 396 wrote to memory of 1752 | 396 | SearchIndexer.exe | 30
PID 396 wrote to memory of 1516 | 396 | SearchIndexer.exe | 31
PID 396 wrote to memory of 1516 | 396 | SearchIndexer.exe | 31
PID 396 wrote to memory of 1516 | 396 | SearchIndexer.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe
"C:\Users\Admin\AppData\Local\Temp\57f62c2bccecd829acb410383d5f560feed10c696ea750899527788d1470b2d7.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Drops file in Windows directory
PID:1264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396
  C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  - Suspicious use of SetWindowsHookEx
  PID:1752
  C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  PID:1516