Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 152s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2022, 22:08
Behavioral task behavioral1
- Sample: ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
- Resource: win10v2004-20220812-en
General
- Target: ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
- Size: 6.7MB
- MD5: aaf88fa7958d3c7009c60ed43b89461e
- SHA1: e0d4ba802143760e95e5352d57941af1d08ce1a4
- SHA256: ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547
- SHA512: e0cf91c65444bcfab6309ed36d86fed85fb9567b5c86530aeeaa5b348dcadae8192cfad29fc3f26f4ce0bb49153db1b5ff1d147f98b4b8f5035c5afe43e82d19
- SSDEEP: 98304:c+g32s2/z88sN8f01iuciNu2zPnj/7pxX6gxC9Y5lpuG85yVPKAd:cj32s27oNwnYBzzXaQIG8o
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid | Process
- 1976 | CCTV.exe
resource | yara_rule
- behavioral1/memory/1512-56-0x0000000000400000-0x0000000000424000-memory.dmp | upx
- behavioral1/files/0x000b0000000122f1-60.dat | upx
- behavioral1/files/0x000b0000000122f1-63.dat | upx
- behavioral1/memory/1976-66-0x0000000000400000-0x0000000000424000-memory.dmp | upx
- behavioral1/memory/1512-67-0x0000000000400000-0x0000000000424000-memory.dmp | upx
Deletes itself 1 IoCs
pid | Process
- 1932 | cmd.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 3 IoCs
description | ioc | Process
- File created | C:\Windows\CCTV.exe | ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
- File opened for modification | C:\Windows\CCTV.exe | ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
- File opened for modification | C:\Windows\CCTV.exe | CCTV.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
- 1512 | ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
- 1976 | CCTV.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
- PID 1512 wrote to memory of 1932 | 1512 | ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe | 27
- PID 1512 wrote to memory of 1932 | 1512 | ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe | 27
- PID 1512 wrote to memory of 1932 | 1512 | ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe | 27
- PID 1512 wrote to memory of 1932 | 1512 | ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe | 27
- PID 1512 wrote to memory of 1976 | 1512 | ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe | 29
- PID 1512 wrote to memory of 1976 | 1512 | ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe | 29
- PID 1512 wrote to memory of 1976 | 1512 | ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe | 29
- PID 1512 wrote to memory of 1976 | 1512 | ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe"
  PID: 1512
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547kill.bat
    PID: 1932
    - Deletes itself
  - C:\Windows\CCTV.exe
    Command line: C:\Windows\CCTV.exe
    PID: 1976
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547kill.bat
  Filesize: 252B
  MD5: 94f342c213c909d1f22ba48b94999376
  SHA1: 3f7d1f2817c0f17cdd6cb1b13420d36a036484f0
  SHA256: 5ffca8c722d57b39d27396faf9d946eaa84e06f2226a62bc89b5442a948afd44
  SHA512: 9ebf163a71a3d8a3af157fa986ca9c0887145a6201def196494a53a4b109c55bbd18bf0bae5364ade1e23789992eee8be8a6c1c3c4a1c77d16984740780c0741
- Unnamed entry (hashes identical to the submitted sample listed under General)
  Filesize: 6.7MB
  MD5: aaf88fa7958d3c7009c60ed43b89461e
  SHA1: e0d4ba802143760e95e5352d57941af1d08ce1a4
  SHA256: ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547
  SHA512: e0cf91c65444bcfab6309ed36d86fed85fb9567b5c86530aeeaa5b348dcadae8192cfad29fc3f26f4ce0bb49153db1b5ff1d147f98b4b8f5035c5afe43e82d19