Analysis
max time kernel: 150s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
  Resource: win10v2004-20220812-en
General
Target: 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
Size: 323KB
MD5: 060bbbcd3963eb24d07ca1de2f85c670
SHA1: c69df2e3b28fc02926c26e25ccef95c8543886db
SHA256: 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae
SHA512: a3419b46e63aabf730ee61a172e315608f6841caadf4a014c8a162676028cc424720033ddede6d040e5327d86d3d8c8ff5aa721297b54d404a38c1792b2dec8e
SSDEEP: 6144:MDRgvR2pZRhXQLOzSE8x2OZZGDvMOjWkfJBpybuqq0K5Mxn:MDRTXjXQ6zSE8xnavjKkfJ7yFq0K5yn
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Windows\\SysWOW64\\Windows Server\\wserver.exe\"" | wserver.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wserver.exe

Executes dropped EXE (2 IoCs)
pid | Process
1756 | wserver.exe
1700 | wserver.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
All keys below sit under <IFEO> = \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
description | ioc | Process
Key created | <IFEO>\rstrui.exe | wserver.exe
Set value (str) | <IFEO>\avcenter.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\avguard.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\avgcsrvx.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\MSASCui.exe | wserver.exe
Key created | <IFEO>\SDWinSec.exe | wserver.exe
Set value (str) | <IFEO>\blindman.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\avconfig.exe | wserver.exe
Key created | <IFEO>\AvastUI.exe | wserver.exe
Set value (str) | <IFEO>\avscan.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\mbam.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\ComboFix.exe | wserver.exe
Set value (str) | <IFEO>\MsMpEng.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\avgcsrvx.exe | wserver.exe
Key created | <IFEO>\avgrsx.exe | wserver.exe
Set value (str) | <IFEO>\egui.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\SDFiles.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\instup.exe | wserver.exe
Key created | <IFEO>\hijackthis.exe | wserver.exe
Set value (str) | <IFEO>\MSASCui.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\blindman.exe | wserver.exe
Set value (str) | <IFEO>\wireshark.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\SDMain.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\mbampt.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\spybotsd.exe | wserver.exe
Key created | <IFEO>\avguard.exe | wserver.exe
Key created | <IFEO>\avgui.exe | wserver.exe
Key created | <IFEO>\avgwdsvc.exe | wserver.exe
Key created | <IFEO>\zlclient.exe | wserver.exe
Set value (str) | <IFEO>\spybotsd.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\wireshark.exe | wserver.exe
Set value (str) | <IFEO>\msseces.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\bdagent.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\wserver.exe\DisableExceptionChainValidation | wserver.exe
Key created | <IFEO>\mbampt.exe | wserver.exe
Key created | <IFEO>\avgnt.exe | wserver.exe
Set value (str) | <IFEO>\avgui.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\avgrsx.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\zlclient.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\wserver.exe | wserver.exe
Set value (str) | <IFEO>\instup.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\mbamservice.exe | wserver.exe
Set value (str) | <IFEO>\avgwdsvc.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\hijackthis.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\avp.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\MpCmdRun.exe | wserver.exe
Key created | <IFEO>\avp.exe | wserver.exe
Key created | <IFEO>\SDFiles.exe | wserver.exe
Set value (str) | <IFEO>\AvastSvc.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\mbamgui.exe | wserver.exe
Key created | <IFEO>\ccuac.exe | wserver.exe
Set value (str) | <IFEO>\avgidsagent.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\egui.exe | wserver.exe
Key created | <IFEO>\keyscrambler.exe | wserver.exe
Set value (str) | <IFEO>\SDWinSec.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\rstrui.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\mbamscheduler.exe | wserver.exe
Set value (str) | <IFEO>\mbamservice.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\bdagent.exe | wserver.exe
Set value (str) | <IFEO>\keyscrambler.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\mbamgui.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\mbamscheduler.exe\Debugger = "nqij.exe" | wserver.exe
Set value (str) | <IFEO>\avgnt.exe\Debugger = "nqij.exe" | wserver.exe
Key created | <IFEO>\avgidsagent.exe | wserver.exe
Loads dropped DLL (1 IoC)
pid | Process
616 | 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Windows Server\ | 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
File created | C:\Windows\SysWOW64\Windows Server\wserver.exe | 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
File opened for modification | C:\Windows\SysWOW64\Windows Server\wserver.exe | 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1460 set thread context of 616 | 1460 | 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe | 27
PID 1756 set thread context of 1700 | 1756 | wserver.exe | 29
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (27 IoCs)
pid | Process
1460 | 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
1756 | wserver.exe
1700 | wserver.exe (25 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1700 | wserver.exe

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
616 | 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1460 | 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
Token: SeDebugPrivilege | 1756 | wserver.exe
Token: SeDebugPrivilege | 1700 | wserver.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1700 | wserver.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 1460 wrote to memory of 616 | 1460 | 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe | 27 (9 identical entries)
PID 616 wrote to memory of 1756 | 616 | 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe | 28 (4 identical entries)
PID 1756 wrote to memory of 1700 | 1756 | wserver.exe | 29 (9 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe"
   PID: 1460
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae.exe"
      PID: 616
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Windows Server\wserver.exe
         Command line: "C:\Windows\system32\Windows Server\wserver.exe"
         PID: 1756
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\Windows Server\wserver.exe
            Command line: "C:\Windows\SysWOW64\Windows Server\wserver.exe"
            PID: 1700
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Sets file execution options in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Four download entries are listed, all with identical hashes:
Filesize: 323KB
MD5: 060bbbcd3963eb24d07ca1de2f85c670
SHA1: c69df2e3b28fc02926c26e25ccef95c8543886db
SHA256: 8a47f22324c992de1a575a3380157a69784d20e438e98401d8d6728f4f2f06ae
SHA512: a3419b46e63aabf730ee61a172e315608f6841caadf4a014c8a162676028cc424720033ddede6d040e5327d86d3d8c8ff5aa721297b54d404a38c1792b2dec8e