Analysis
max time kernel: 150s
max time network: 51s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 30/10/2022, 05:23
Static task: static1
Behavioral task: behavioral1
  Sample: c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe
  Resource: win10v2004-20220812-en
General
Target: c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe
Size: 288KB
MD5: 839b92b07934e02f8ffdc41aad980a79
SHA1: a252419e6e78fa327e7dcae19dc7a75b094357d0
SHA256: c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c
SHA512: 976984fa798f4ac5cd41d197cc8ffd82f9c2105cb9abeda88ccb1474227d800f0fb1d11893d82e7c729cadb9175318c3df3c1dc301dc606bee0533ad9a8eecf6
SSDEEP: 3072:JvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6ungPKvLP:JvEN2U+T6i5LirrllHy4HUcMQY6lKLP
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
1120 | explorer.exe
1292 | spoolsv.exe
1704 | svchost.exe
1808 | spoolsv.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Loads dropped DLL (8 IoCs)
pid | Process
1988 | c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe
1988 | c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe
1120 | explorer.exe
1120 | explorer.exe
1292 | spoolsv.exe
1292 | spoolsv.exe
1704 | svchost.exe
1704 | svchost.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | events
1988 | c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe | 1
1120 | explorer.exe | 32
1704 | svchost.exe | 31
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
1120 | explorer.exe
1704 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1988 | c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe
1988 | c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe
1120 | explorer.exe
1120 | explorer.exe
1292 | spoolsv.exe
1292 | spoolsv.exe
1704 | svchost.exe
1704 | svchost.exe
1808 | spoolsv.exe
1808 | spoolsv.exe
1120 | explorer.exe
1120 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs; each row was recorded 4 times)
description | pid | Process | procid_target
PID 1988 wrote to memory of 1120 | 1988 | c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe | 27
PID 1120 wrote to memory of 1292 | 1120 | explorer.exe | 28
PID 1292 wrote to memory of 1704 | 1292 | spoolsv.exe | 29
PID 1704 wrote to memory of 1808 | 1704 | svchost.exe | 30
PID 1704 wrote to memory of 728 | 1704 | svchost.exe | 31
PID 1704 wrote to memory of 1924 | 1704 | svchost.exe | 33
PID 1704 wrote to memory of 1536 | 1704 | svchost.exe | 35
Processes

C:\Users\Admin\AppData\Local\Temp\c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c54917d0c61bbbf56fb53a698f45f13f8884f9391b357030a86775e49455385c.exe"
  PID: 1988
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 1120
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 1292
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 1704
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 1808
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe
          Command line: at 17:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 728

        C:\Windows\SysWOW64\at.exe
          Command line: at 17:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1924

        C:\Windows\SysWOW64\at.exe
          Command line: at 17:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1536
Network
MITRE ATT&CK Enterprise v6
Downloads