Analysis
- max time kernel: 206s
- max time network: 180s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 07/11/2022, 17:06
Static task: static1
Behavioral task: behavioral1
- Sample: 94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll
- Resource: win7-20220812-en
General
- Target: 94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll
- Size: 212KB
- MD5: 049faf33ba7c114d745d210b9135c0a2
- SHA1: 499cb0addab8ba34f9f3123f70778033db8e88df
- SHA256: 94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980
- SHA512: f47b54a4aa762a3c3c6ad4b736f301b105840ca00249d89d83e8766f4e9145164a04b791629ea9c22b9d52e7bba503f7d0af04bafea121602f03794b11c9a17e
- SSDEEP: 3072:wgKKuiX63bw5dNjDh8pWVgTlFIYntSUDONp/kYxXUKBAUCkHhDW:hKZp3KNjVGv0Tp/kYxXUPeRW
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" (process: svchost.exe)
- Executes dropped EXE (2 IoCs)
  PID 1492 rundll32mgr.exe
  PID 1988 WaterMark.exe
- Yara rule matches (resource: yara_rule)
  behavioral1/memory/1492-64-0x0000000000400000-0x0000000000421000-memory.dmp: upx
  behavioral1/memory/1492-63-0x0000000000400000-0x0000000000421000-memory.dmp: upx
  behavioral1/memory/1492-70-0x0000000000400000-0x0000000000421000-memory.dmp: upx
  behavioral1/memory/1988-81-0x0000000000400000-0x0000000000476000-memory.dmp: upx
  behavioral1/memory/1988-83-0x0000000000400000-0x0000000000476000-memory.dmp: upx
  behavioral1/memory/1988-195-0x0000000000400000-0x0000000000421000-memory.dmp: upx
- Loads dropped DLL (4 IoCs)
  PID 1020 rundll32.exe (2 rows)
  PID 1492 rundll32mgr.exe (2 rows)
- Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\rundll32mgr.exe (process: rundll32.exe)
  File created: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
- Drops file in Program Files directory (4 IoCs)
  File opened for modification: C:\Program Files (x86)\Microsoft\pxE734.tmp (process: rundll32mgr.exe)
  File created: C:\Program Files (x86)\Microsoft\WaterMark.exe (process: rundll32mgr.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (process: rundll32mgr.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\WaterMark.exe (process: svchost.exe)
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  PID 1988 WaterMark.exe (8 rows)
  PID 364 svchost.exe (17 rows)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 1988 WaterMark.exe (2 rows)
  Token SeDebugPrivilege: PID 364 svchost.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 1492 rundll32mgr.exe
  PID 1988 WaterMark.exe
- Suspicious use of WriteProcessMemory (64 IoCs; columns description, pid, Process, procid_target; identical rows collapsed with their counts)
  PID 1176 (rundll32.exe) wrote to memory of 1020, procid_target 27: 7 rows
  PID 1020 (rundll32.exe) wrote to memory of 1492, procid_target 28: 4 rows
  PID 1492 (rundll32mgr.exe) wrote to memory of 1988, procid_target 29: 4 rows
  PID 1988 (WaterMark.exe) wrote to memory of 1468, procid_target 30: 10 rows
  PID 1988 (WaterMark.exe) wrote to memory of 364, procid_target 31: 10 rows
  PID 364 (svchost.exe) wrote to memory of 260, procid_target 25: 5 rows
  PID 364 (svchost.exe) wrote to memory of 332, procid_target 24: 5 rows
  PID 364 (svchost.exe) wrote to memory of 368, procid_target 23: 5 rows
  PID 364 (svchost.exe) wrote to memory of 376, procid_target 4: 5 rows
  PID 364 (svchost.exe) wrote to memory of 416, procid_target 3: 5 rows
  PID 364 (svchost.exe) wrote to memory of 460, procid_target 2: 4 rows
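The Userinit IoC above is the report's one persistence artefact: a svchost.exe appended WaterMark.exe to the Winlogon Userinit list, and the key it hit sits under Wow6432Node, consistent with the 32-bit C:\Windows\SysWOW64\svchost.exe having its HKLM\SOFTWARE write redirected. The following is an added example, not part of the Triage report or of any Triage tooling: it parses that "Set value (str)" row exactly as the report prints it and flags every Userinit entry that is not the stock userinit.exe. The only assumption is DEFAULT_USERINIT, the Windows default for a standard install; the rest of the input is copied from the report.

```python
"""Audit a Winlogon\\Userinit value for persistence entries.

Added example, not part of the Triage report. It parses the report's
"Set value (str)" IoC line as printed and flags every Userinit entry
that is not the stock userinit.exe. Assumption: DEFAULT_USERINIT is
the Windows default for a standard install; REPORT_IOC is copied
from the report.
"""
import re

# Stock Userinit value on a clean install, which ends in a trailing comma:
#   C:\Windows\system32\userinit.exe,
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"

# The IoC line as printed in the report (backslashes inside the quoted
# value are doubled there). The key is the Wow6432Node view: the writer
# was the 32-bit C:\Windows\SysWOW64\svchost.exe, so the write was redirected.
REPORT_IOC = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT'
    r'\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)'
    r'\\microsoft\\watermark.exe" svchost.exe'
)

IOC_RE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>\w+) = '
    r'"(?P<value>.*)" (?P<process>\S+)$'
)


def parse_set_value(line):
    """Split a Triage 'Set value (str)' row into key, value name, the
    un-escaped value and the writing process."""
    m = IOC_RE.match(line.strip())
    if not m:
        raise ValueError("not a Set value (str) row: %r" % line)
    key = m.group("key")
    return {
        "key": key,
        "name": m.group("name"),
        "value": m.group("value").replace("\\\\", "\\"),
        "process": m.group("process"),
        # A 32-bit writer's HKLM\SOFTWARE access lands here; the native
        # view of the key has to be audited separately.
        "wow64_view": "\\Wow6432Node\\" in key,
    }


def split_userinit(value):
    """Split the comma-separated Userinit list, unquoting entries and
    dropping the empty element left by the stock trailing comma."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value, default=DEFAULT_USERINIT):
    """Return [(entry, reason)] for every entry that is not the stock
    userinit.exe by full, case-insensitive path. A bare 'userinit.exe'
    is flagged as well: without a directory it resolves through the
    search path instead of being pinned to System32."""
    findings = []
    for entry in split_userinit(value):
        low = entry.lower()
        if low == default.lower():
            continue
        if low.endswith("userinit.exe") and "\\" not in entry:
            findings.append((entry, "userinit.exe given without a full path"))
        else:
            findings.append((entry, "not the stock userinit.exe"))
    return findings


def audit_report_line(line):
    """Parse one report row and attach the Userinit findings."""
    ioc = parse_set_value(line)
    ioc["findings"] = unexpected_userinit_entries(ioc["value"])
    return ioc


if __name__ == "__main__":
    result = audit_report_line(REPORT_IOC)
    view = "Wow6432Node" if result["wow64_view"] else "native"
    print("%s (%s view) written by %s" % (result["name"], view, result["process"]))
    for entry, reason in result["findings"]:
        print("  FLAG %-50s %s" % (entry, reason))
```

On a live x64 host the same function can be fed the Userinit value read from both HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and its Wow6432Node counterpart; here it flags both entries of the observed value, the bare userinit.exe because it lost its System32 path and watermark.exe because it is not the loader at all.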
Processes (indentation shows parent and child; the report's signatures are listed under the process that triggered them)
- PID 476  C:\Windows\system32\lsass.exe
- PID 460  C:\Windows\system32\services.exe
  - PID 868  C:\Windows\system32\svchost.exe -k netsvcs
    - PID 1660  \\?\C:\Windows\system32\wbem\WMIADAP.EXE (cmd: wmiadap.exe /F /T /R)
  - PID 1584  C:\Windows\system32\sppsvc.exe
  - PID 1544  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - PID 1244  C:\Windows\system32\taskhost.exe (cmd: "taskhost.exe")
  - PID 592  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - PID 1008  C:\Windows\System32\spoolsv.exe
  - PID 296  C:\Windows\system32\svchost.exe -k NetworkService
  - PID 824  C:\Windows\system32\svchost.exe -k LocalService
  - PID 796  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  - PID 740  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - PID 652  C:\Windows\system32\svchost.exe -k RPCSS
  - PID 576  C:\Windows\system32\svchost.exe -k DcomLaunch
- PID 416  C:\Windows\system32\winlogon.exe (cmd: winlogon.exe)
- PID 376  C:\Windows\system32\csrss.exe (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)
- PID 1412  C:\Windows\Explorer.EXE
  - PID 1176  C:\Windows\system32\rundll32.exe (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll,#1)
    signatures: Suspicious use of WriteProcessMemory
    - PID 1020  C:\Windows\SysWOW64\rundll32.exe (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll,#1)
      signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
      - PID 1492  C:\Windows\SysWOW64\rundll32mgr.exe
        signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - PID 1988  C:\Program Files (x86)\Microsoft\WaterMark.exe (cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe")
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
          - PID 1468  C:\Windows\SysWOW64\svchost.exe (cmd: C:\Windows\system32\svchost.exe)
            signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory
          - PID 364  C:\Windows\SysWOW64\svchost.exe (cmd: C:\Windows\system32\svchost.exe)
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- PID 1348  C:\Windows\system32\Dwm.exe (cmd: "C:\Windows\system32\Dwm.exe")
- PID 484  C:\Windows\system32\lsm.exe
- PID 368  C:\Windows\system32\wininit.exe (cmd: wininit.exe)
- PID 332  C:\Windows\system32\csrss.exe (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)
- PID 260  C:\Windows\System32\smss.exe (cmd: \SystemRoot\System32\smss.exe)
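The process tree resolves the target PIDs in the WriteProcessMemory signature: 260, 332, 368, 376, 416 and 460 are smss.exe, csrss.exe, wininit.exe, csrss.exe, winlogon.exe and services.exe, none of which the sample spawned, whereas 1020, 1492, 1988, 1468 and 364 are each the writer's own child. The following is an added example, not from the report or from Triage: it parses rows in the report's flattened column order, joins them with the tree and separates writes into a freshly spawned child (the rundll32 to rundll32mgr to WaterMark to svchost chain) from writes into unrelated system processes. The PID map and the rows are copied from this report; repeated rows are collapsed except for the 1492 to 1988 pair, which is kept four times as in the report to exercise the counting.

```python
"""Rebuild the cross-process write graph from a Triage 'Suspicious use
of WriteProcessMemory' signature plus the report's process tree.

Added example, not part of the Triage report. PROCESSES and RAW_ROWS
are copied from the report (repeated rows collapsed, except the
1492 -> 1988 pair, kept four times to exercise counting). Tree roots
have no parent in the report and are recorded as None.
"""
import re
from collections import Counter

# pid -> (image, parent pid), from the Processes section of the report.
PROCESSES = {
    260: ("smss.exe", None), 332: ("csrss.exe", None),
    368: ("wininit.exe", None), 376: ("csrss.exe", None),
    416: ("winlogon.exe", None), 460: ("services.exe", None),
    476: ("lsass.exe", None), 484: ("lsm.exe", None),
    1412: ("Explorer.EXE", None),
    1176: ("rundll32.exe", 1412),
    1020: ("rundll32.exe", 1176),
    1492: ("rundll32mgr.exe", 1020),
    1988: ("WaterMark.exe", 1492),
    1468: ("svchost.exe", 1988),
    364: ("svchost.exe", 1988),
}

# Rows in the report's flattened column order:
#   description | pid | Process | procid_target
RAW_ROWS = """\
PID 1176 wrote to memory of 1020 1176 rundll32.exe 27
PID 1020 wrote to memory of 1492 1020 rundll32.exe 28
PID 1492 wrote to memory of 1988 1492 rundll32mgr.exe 29
PID 1492 wrote to memory of 1988 1492 rundll32mgr.exe 29
PID 1492 wrote to memory of 1988 1492 rundll32mgr.exe 29
PID 1492 wrote to memory of 1988 1492 rundll32mgr.exe 29
PID 1988 wrote to memory of 1468 1988 WaterMark.exe 30
PID 1988 wrote to memory of 364 1988 WaterMark.exe 31
PID 364 wrote to memory of 260 364 svchost.exe 25
PID 364 wrote to memory of 332 364 svchost.exe 24
PID 364 wrote to memory of 368 364 svchost.exe 23
PID 364 wrote to memory of 376 364 svchost.exe 4
PID 364 wrote to memory of 416 364 svchost.exe 3
PID 364 wrote to memory of 460 364 svchost.exe 2
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(text):
    """Yield (writer_pid, target_pid) per row. The PID in the description
    and the pid column must agree, otherwise the row is rejected as garbled."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m or m.group(1) != m.group(3):
            raise ValueError("malformed row: %r" % line)
        yield int(m.group(1)), int(m.group(2))


def build_graph(raw_rows, processes=PROCESSES):
    """Return {(writer, target): {...}} with the call count, both image names
    and a kind: 'child' when the writer spawned the target (payload written
    into a process it just created), 'cross-process' otherwise (writing into
    a process the writer does not own)."""
    graph = {}
    for (writer, target), n in Counter(parse_rows(raw_rows)).items():
        w_image, _ = processes.get(writer, ("<unknown>", None))
        t_image, t_parent = processes.get(target, ("<unknown>", None))
        graph[(writer, target)] = {
            "count": n, "writer": w_image, "target": t_image,
            "kind": "child" if t_parent == writer else "cross-process",
        }
    return graph


def cross_process_targets(graph):
    """Distinct (pid, image) pairs written to by a process that did not spawn them."""
    return sorted({(t, e["target"]) for (_, t), e in graph.items()
                   if e["kind"] == "cross-process"})


def lineage(pid, processes=PROCESSES):
    """Image names from the tree root down to pid."""
    chain = []
    while pid is not None:
        image, pid = processes[pid]
        chain.append(image)
    return chain[::-1]


if __name__ == "__main__":
    g = build_graph(RAW_ROWS)
    for (w, t), e in sorted(g.items()):
        print("%5d %-16s -> %5d %-13s x%-2d %s"
              % (w, e["writer"], t, e["target"], e["count"], e["kind"]))
    print("lineage of 364:", " > ".join(lineage(364)))
```

The split is the useful signal for triage: child writes are what any dropper does to stage its next stage, while the six cross-process writes all originate from the last svchost.exe in the chain and all land in core session-0 processes, which is the pattern to hunt for on other hosts rather than the rundll32 invocation itself.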
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 95KB
  MD5: 406159c750552b5507de7ddc58331f84
  SHA1: 17b76dd75ed8fea0c724665a119eb634e1ce241c
  SHA256: 141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf
  SHA512: 158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f
  (the report lists this same entry eight times with identical size and hashes)