Analysis
- max time kernel: 76s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06/11/2022, 04:19
Behavioral task: behavioral1
- Sample: 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
- Resource: win7-20220812-en
General
- Target: 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
- Size: 350KB
- MD5: 13797d259eae7789cb3c0284f0260b10
- SHA1: bfca5302ac52dbec668392e3572f06ca66b5e9ab
- SHA256: 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296
- SHA512: 0bc3d206fb02eb7da603457ceff2f5855aa2d88bfddb93ccd4320095b0b07644cb75dd561a82554722266f0b4a3b9c4971eaa459957ba0302237ebef5d0e5a54
- SSDEEP: 6144:9yXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:93BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\drivers\0a3c40da.sys | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  File created | C:\Windows\SysWOW64\drivers\7697755c.sys | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

- Possible privilege escalation attempt (2 IoCs)
  pid | Process
  584 | takeown.exe
  1344 | icacls.exe

- Sets service image path in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\7697755c\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\7697755c.sys" | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\0a3c40da\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\0a3c40da.sys" | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

- (signature title not present on the page; YARA matches on memory dumps)
  resource | yara_rule
  behavioral1/memory/1836-55-0x0000000001000000-0x000000000112D000-memory.dmp | upx
  behavioral1/memory/1836-60-0x0000000001000000-0x000000000112D000-memory.dmp | upx

- Deletes itself (1 IoCs)
  pid | Process
  1064 | cmd.exe

- Modifies file permissions (1 TTPs, 2 IoCs)
  pid | Process
  584 | takeown.exe
  1344 | icacls.exe

- Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

- Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  File created | C:\Windows\SysWOW64\wshtcpip.dll | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  File opened for modification | C:\Windows\SysWOW64\goodsb.dll | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  File created | C:\Windows\SysWOW64\goodsb.dll | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  File created | C:\Windows\SysWOW64\ws2tcpip.dll | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

- Modifies registry class (4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe" | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "HHeIufK.dll" | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1836 | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe (this identical row is listed 64 times in the report)

- Suspicious behavior: LoadsDriver (5 IoCs)
  pid | Process
  464 | Process not Found
  1836 | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  464 | Process not Found
  1836 | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  1836 | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1836 | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  Token: SeTakeOwnershipPrivilege | 584 | takeown.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 1836 wrote to memory of 896 | 1836 | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe | 29 (listed 4 times)
  PID 896 wrote to memory of 584 | 896 | cmd.exe | 31 (listed 4 times)
  PID 896 wrote to memory of 1344 | 896 | cmd.exe | 32 (listed 4 times)
  PID 1836 wrote to memory of 1064 | 1836 | 2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe | 33 (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1836
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    PID: 896
    - C:\Windows\SysWOW64\takeown.exe
      command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID: 584
    - C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID: 1344
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    - Deletes itself
    PID: 1064
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 181B
  MD5: 4f572731e15ef20040a90a372222819e
  SHA1: e2277d1cdefff780239b3a7a64817af898bb152c
  SHA256: 79bcbcb9dfd53cab6d5dc1e7b5cd8d01d1789c691b64c64db529c92b4922f084
  SHA512: 35d94399701c10c3fa4d5112caa3ad1c2cb86ae3361686b7823774aed3b27b84357054df8b1f1dd70a0adf619deb1ce600249ee4678433dbabdaddefc7b0cadc