Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
186s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2022, 17:06
Static task
static1
Behavioral task
behavioral1
Sample
94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll
Resource
win7-20220812-en
General
-
Target
94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll
-
Size
212KB
-
MD5
049faf33ba7c114d745d210b9135c0a2
-
SHA1
499cb0addab8ba34f9f3123f70778033db8e88df
-
SHA256
94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980
-
SHA512
f47b54a4aa762a3c3c6ad4b736f301b105840ca00249d89d83e8766f4e9145164a04b791629ea9c22b9d52e7bba503f7d0af04bafea121602f03794b11c9a17e
-
SSDEEP
3072:wgKKuiX63bw5dNjDh8pWVgTlFIYntSUDONp/kYxXUKBAUCkHhDW:hKZp3KNjVGv0Tp/kYxXUPeRW
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 5016 rundll32mgr.exe 5012 WaterMark.exe -
resource yara_rule behavioral2/memory/5016-138-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/5016-139-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/5012-145-0x0000000000400000-0x0000000000476000-memory.dmp upx behavioral2/memory/5012-148-0x0000000000400000-0x0000000000476000-memory.dmp upx behavioral2/memory/5016-142-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral2/memory/5012-150-0x0000000000400000-0x0000000000476000-memory.dmp upx behavioral2/memory/5012-153-0x0000000000400000-0x0000000000476000-memory.dmp upx behavioral2/memory/5012-155-0x0000000000400000-0x0000000000476000-memory.dmp upx behavioral2/memory/5012-156-0x0000000000400000-0x0000000000476000-memory.dmp upx behavioral2/memory/5012-157-0x0000000000400000-0x0000000000476000-memory.dmp upx behavioral2/memory/5012-158-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\pxA7E8.tmp rundll32mgr.exe File created C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe File opened for modification C:\Program Files (x86)\Microsoft\WaterMark.exe rundll32mgr.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1116 1740 WerFault.exe 83 -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995301" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995301" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374671832" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{52C9B5F8-5F58-11ED-B696-F6DE28FD18F9} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{52D0DAFF-5F58-11ED-B696-F6DE28FD18F9} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30995301" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30995301" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995301" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "901892846" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "895640275" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "901733248" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "901892846" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30995301" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "895640275" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "901733248" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe 5012 WaterMark.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5012 WaterMark.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2828 iexplore.exe 1748 iexplore.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 1748 iexplore.exe 1748 iexplore.exe 2828 iexplore.exe 2828 iexplore.exe 2352 IEXPLORE.EXE 2352 IEXPLORE.EXE 228 IEXPLORE.EXE 228 IEXPLORE.EXE 2352 IEXPLORE.EXE 2352 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 5016 rundll32mgr.exe 5012 WaterMark.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 3108 wrote to memory of 1972 3108 rundll32.exe 79 PID 3108 wrote to memory of 1972 3108 rundll32.exe 79 PID 3108 wrote to memory of 1972 3108 rundll32.exe 79 PID 1972 wrote to memory of 5016 1972 rundll32.exe 81 PID 1972 wrote to memory of 5016 1972 rundll32.exe 81 PID 1972 wrote to memory of 5016 1972 rundll32.exe 81 PID 5016 wrote to memory of 5012 5016 rundll32mgr.exe 82 PID 5016 wrote to memory of 5012 5016 rundll32mgr.exe 82 PID 5016 wrote to memory of 5012 5016 rundll32mgr.exe 82 PID 5012 wrote to memory of 1740 5012 WaterMark.exe 83 PID 5012 wrote to memory of 1740 5012 WaterMark.exe 83 PID 5012 wrote to memory of 1740 5012 WaterMark.exe 83 PID 5012 wrote to memory of 1740 5012 WaterMark.exe 83 PID 5012 wrote to memory of 1740 5012 WaterMark.exe 83 PID 5012 wrote to memory of 1740 5012 WaterMark.exe 83 PID 5012 wrote to memory of 1740 5012 WaterMark.exe 83 PID 5012 wrote to memory of 1740 5012 WaterMark.exe 83 PID 5012 wrote to memory of 1740 5012 WaterMark.exe 83 PID 5012 wrote to memory of 1748 5012 WaterMark.exe 87 PID 5012 wrote to memory of 1748 5012 WaterMark.exe 87 PID 5012 wrote to memory of 2828 5012 WaterMark.exe 88 PID 5012 wrote to memory of 2828 5012 WaterMark.exe 88 PID 1748 wrote to memory of 2352 1748 iexplore.exe 89 PID 1748 wrote to memory of 2352 1748 iexplore.exe 89 PID 1748 wrote to memory of 2352 1748 iexplore.exe 89 PID 2828 wrote to memory of 228 2828 iexplore.exe 90 PID 2828 wrote to memory of 228 2828 iexplore.exe 90 PID 2828 wrote to memory of 228 2828 iexplore.exe 90
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵PID:1740
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 2086⤵
- Program crash
PID:1116
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2352
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:228
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1740 -ip 17401⤵PID:652
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD5406159c750552b5507de7ddc58331f84
SHA117b76dd75ed8fea0c724665a119eb634e1ce241c
SHA256141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf
SHA512158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f
-
Filesize
95KB
MD5406159c750552b5507de7ddc58331f84
SHA117b76dd75ed8fea0c724665a119eb634e1ce241c
SHA256141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf
SHA512158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD580f22efce2b9390a36eea98657b6d1f4
SHA1150d40f67639fccd130d8616ddc0cf623b491905
SHA256227fafbbbd678543e247cfdbf8b5ff60e8fc576da70c2a3f0f735cab2652dd2d
SHA512e2dc713b48477f7c98c0a0d42306745133476876805b4861ba1d76b11f3e9067fc83f3bc6ea350c1298f54dd3ff3ec00e0cb08fff5618df7d0f723900b93ddf4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD5e383549ad8e74ad8fdfa2c9423ad69a2
SHA1f9363c4ec7cad357be99d829f49ff7914fd15495
SHA2561c6413471d0e683d18f44783e33a36678fb720aed1932a315b19757c6b1422d2
SHA512bb81e56fda729a57e4f90b61abdb2656f8cf475cc461a8f2a0ac5cde0b06e783c05e41fa337d7934228b78fe87c209b462fcab1d624b10e9211402d9b140d7ba
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{52C9B5F8-5F58-11ED-B696-F6DE28FD18F9}.dat
Filesize5KB
MD552800c935d1bc21668ee7682df2a332f
SHA1d0b88b49ece3670194f8edb8cfb0def38d31a11e
SHA2561238d83436949aabf847f51706055b4f55a6ad97979883d7f3f59a1c74613eaa
SHA512d347d82a7c7bff7d7899e0bc6fd71f0235edf9ea816f2e1cdb573fb6151182424fd297ad3c2c2c7dbc8ad40298c8353fd71df23330cf524781eb0c639fd284f8
-
Filesize
95KB
MD5406159c750552b5507de7ddc58331f84
SHA117b76dd75ed8fea0c724665a119eb634e1ce241c
SHA256141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf
SHA512158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f
-
Filesize
95KB
MD5406159c750552b5507de7ddc58331f84
SHA117b76dd75ed8fea0c724665a119eb634e1ce241c
SHA256141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf
SHA512158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f