Analysis
max time kernel: 147s
max time network: 146s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 21/11/2022, 15:13

Static task: static1

Behavioral task: behavioral1
Sample: 5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe
Resource: win10v2004-20220812-en

General
Target: 5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe
Size: 512KB
MD5: 22bdc1774f32565d23c36e3d118097dc
SHA1: 8e212378366104fc9bae24fcffd9f97a88227c63
SHA256: 5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b
SHA512: c97c2ec052d99266ef8582400ab0dfa832882592b0a38441bafc452bdc0dad5a84d207a3e6a846f192e88164766f98498947335c83787fd17d4f15897dd8fb58
SSDEEP: 12288:b1dlZo5yUkDRZKlxJ9eCn9BoF/HtMB56R+nh6TnACZC5I+:b1dlZo5EDoxf6pHSb63UI0I+
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | CLEAN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cvugenral = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe" | CLEAN.exe
Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | CLEAN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cvugenral = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe" | CLEAN.exe

Executes dropped EXE (6 IoCs)
pid | Process
2008 | CLEAN.exe
572 | CLEAN.exe
1680 | CLEAN.exe
2040 | svchosty.exe
1624 | svchosty.exe
1488 | svchosty.exe

Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AKCS228-7RSP-82BB-FN67-6EOJS5I2UPFD} | CLEAN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AKCS228-7RSP-82BB-FN67-6EOJS5I2UPFD}\StubPath = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe Restart" | CLEAN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AKCS228-7RSP-82BB-FN67-6EOJS5I2UPFD} | svchosty.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AKCS228-7RSP-82BB-FN67-6EOJS5I2UPFD}\StubPath = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe Restart" | svchosty.exe

resource | yara_rule
behavioral1/memory/572-65-0x0000000000400000-0x0000000000428000-memory.dmp | upx
behavioral1/memory/572-70-0x0000000000400000-0x0000000000428000-memory.dmp | upx
behavioral1/memory/572-71-0x0000000000400000-0x0000000000428000-memory.dmp | upx
behavioral1/memory/572-73-0x0000000000400000-0x0000000000428000-memory.dmp | upx
behavioral1/memory/572-259-0x0000000000400000-0x0000000000428000-memory.dmp | upx
behavioral1/memory/572-305-0x0000000000400000-0x0000000000428000-memory.dmp | upx
behavioral1/memory/1680-308-0x0000000010580000-0x00000000105B6000-memory.dmp | upx
behavioral1/memory/1624-325-0x0000000000400000-0x0000000000428000-memory.dmp | upx
behavioral1/memory/1624-473-0x0000000000400000-0x0000000000428000-memory.dmp | upx
behavioral1/memory/1624-512-0x0000000000400000-0x0000000000428000-memory.dmp | upx
behavioral1/memory/1488-513-0x0000000010590000-0x00000000105C6000-memory.dmp | upx
behavioral1/memory/1488-514-0x0000000010590000-0x00000000105C6000-memory.dmp | upx

Loads dropped DLL (4 IoCs)
pid | Process
1756 | 5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe
1756 | 5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe
1680 | CLEAN.exe
1680 | CLEAN.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | CLEAN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cvugenral = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe" | CLEAN.exe
Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run | CLEAN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvugenral = "C:\\Program Files (x86)\\Windowd UN\\svchosty.exe" | CLEAN.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 2008 set thread context of 572 | 2008 | CLEAN.exe | 28
PID 2008 set thread context of 0 | 2008 | CLEAN.exe |
PID 2040 set thread context of 1624 | 2040 | svchosty.exe | 31
PID 2040 set thread context of 0 | 2040 | svchosty.exe |

Drops file in Program Files directory (6 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windowd UN\svchosty.exe | CLEAN.exe
File opened for modification | C:\Program Files (x86)\Windowd UN\svchosty.exe | CLEAN.exe
File opened for modification | C:\Program Files (x86)\Windowd UN\plugin.dat | CLEAN.exe
File opened for modification | C:\Program Files (x86)\Windowd UN\ | CLEAN.exe
File created | C:\Program Files (x86)\Windowd UN\logs.dat | svchosty.exe
File opened for modification | C:\Program Files (x86)\Windowd UN\logs.dat | svchosty.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
572 | CLEAN.exe
1624 | svchosty.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1488 | svchosty.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 572 | CLEAN.exe
Token: SeDebugPrivilege | 572 | CLEAN.exe
Token: SeDebugPrivilege | 572 | CLEAN.exe
Token: SeDebugPrivilege | 572 | CLEAN.exe
Token: SeDebugPrivilege | 1624 | svchosty.exe
Token: SeDebugPrivilege | 1624 | svchosty.exe
Token: SeDebugPrivilege | 1624 | svchosty.exe
Token: SeDebugPrivilege | 1624 | svchosty.exe
Token: SeDebugPrivilege | 1488 | svchosty.exe
Token: SeDebugPrivilege | 1488 | svchosty.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2008 | CLEAN.exe
2040 | svchosty.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows grouped, count in the last column)
description | pid | Process | procid_target | count
PID 1756 wrote to memory of 2008 | 1756 | 5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe | 27 | 4
PID 2008 wrote to memory of 572 | 2008 | CLEAN.exe | 28 | 9
PID 2008 wrote to memory of 0 | 2008 | CLEAN.exe | | 5
PID 572 wrote to memory of 260 | 572 | CLEAN.exe | 7 | 46
Processes
- C:\Windows\system32\lsass.exe (PID 480)
  command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\services.exe (PID 464)
  command line: C:\Windows\system32\services.exe
  - C:\Windows\system32\taskhost.exe (PID 1220)
    command line: "taskhost.exe"
  - C:\Windows\system32\sppsvc.exe (PID 760)
    command line: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\svchost.exe (PID 920)
    command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\svchost.exe (PID 1052)
    command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\System32\spoolsv.exe (PID 300)
    command line: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe (PID 276)
    command line: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\system32\svchost.exe (PID 888)
    command line: C:\Windows\system32\svchost.exe -k netsvcs
  - C:\Windows\system32\svchost.exe (PID 848)
    command line: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\System32\svchost.exe (PID 820)
    command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  - C:\Windows\System32\svchost.exe (PID 744)
    command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - C:\Windows\system32\svchost.exe (PID 672)
    command line: C:\Windows\system32\svchost.exe -k RPCSS
  - C:\Windows\system32\svchost.exe (PID 592)
    command line: C:\Windows\system32\svchost.exe -k DcomLaunch
- C:\Windows\system32\winlogon.exe (PID 420)
  command line: winlogon.exe
- C:\Windows\system32\wininit.exe (PID 380)
  command line: wininit.exe
  - C:\Windows\system32\lsm.exe (PID 488)
    command line: C:\Windows\system32\lsm.exe
- C:\Windows\system32\csrss.exe (PID 372)
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\csrss.exe (PID 336)
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\System32\smss.exe (PID 260)
  command line: \SystemRoot\System32\smss.exe
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE (PID 1936)
  command line: wmiadap.exe /F /T /R
- C:\Windows\Explorer.EXE (PID 1372)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe (PID 1756)
    command line: "C:\Users\Admin\AppData\Local\Temp\5fc5c71df2d5ca00bfb0732351a8aac2c7b3e32c6f871c7ebe781b77e226717b.exe"
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Extracted\CLEAN.exe (PID 2008)
      command line: "C:\Extracted\CLEAN.exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Extracted\CLEAN.exe (PID 572)
        command line: C:\Extracted\CLEAN.exe
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Extracted\CLEAN.exe (PID 1680)
          command line: C:\Extracted\CLEAN.exe
          signatures: Adds policy Run key to start application; Executes dropped EXE; Modifies Installed Components in the registry; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory
          - C:\Program Files (x86)\Windowd UN\svchosty.exe (PID 2040)
            command line: "C:\Program Files (x86)\Windowd UN\svchosty.exe"
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
            - C:\Program Files (x86)\Windowd UN\svchosty.exe (PID 1624)
              command line: "C:\Program Files (x86)\Windowd UN\svchosty.exe"
              signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
              - C:\Program Files (x86)\Windowd UN\svchosty.exe (PID 1488)
                command line: "C:\Program Files (x86)\Windowd UN\svchosty.exe"
                signatures: Executes dropped EXE; Modifies Installed Components in the registry; Drops file in Program Files directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\Dwm.exe (PID 1308)
  command line: "C:\Windows\system32\Dwm.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
12 entries, all with the same size and hashes:
Filesize: 176KB
MD5: 14bbe284f5dbea370c72086a6cf9c285
SHA1: d64f1da8480a238f0fafd4a52c1ffe38729ee415
SHA256: e379873c5f9386e5fac3f2d44f631731527a14ab392b917b9f888e0599697f6e
SHA512: c4e4c14ff77d636a3a4adf7a378863b1705cb7313afb90dfe288cd5f1bedd2690b5425bbb35fc3772e292fbd4cda043529802d98eee946e31946153228454209