Analysis
max time kernel: 151s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23/11/2022, 13:02
Static task: static1
Behavioral task: behavioral1
  Sample: d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe
  Resource: win10v2004-20221111-en
General
Target: d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe
Size: 425KB
MD5: fe484787661bf09669f845a732270d98
SHA1: 8f2bc598564fd08b6b6ec6da295938946525afa7
SHA256: d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab
SHA512: ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b
SSDEEP: 12288:sSXQpmFaoScAdtr1JGgF9Sv+hD7e9IpYbW9NP7AYN:s4QpmLyfnTPS+hZ/9NP7AYN
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
pid   Process
1312  winlogon.exe
1200  winlogon.exe
1768  winlogon.exe
1348  csrss.exe

Deletes itself (1 IoC)
pid   Process
1768  winlogon.exe

Loads dropped DLL (2 IoCs)
pid   Process
1312  winlogon.exe
1312  winlogon.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"  winlogon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"  winlogon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"  csrss.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"  csrss.exe

Suspicious use of SetThreadContext (1 IoC)
description  pid  Process  procid_target
PID 1312 set thread context of 1768  1312  winlogon.exe  34

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NTFS ADS (3 IoCs)
description  ioc  Process
File created  C:\Users\Admin\AppData\Local\Temp\d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe:ZONE.identifier  cmd.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe:ZONE.identifier  cmd.exe
File created  C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe\:ZONE.identifier:$DATA  winlogon.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
1312  winlogon.exe
1348  csrss.exe  (the remaining 63 entries, all from this process)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
1768  winlogon.exe

Suspicious behavior: RenamesItself (1 IoC)
pid   Process
1340  d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description  pid  Process
Token: SeDebugPrivilege  1312  winlogon.exe
Token: SeDebugPrivilege  1768  winlogon.exe
Token: SeDebugPrivilege  1348  csrss.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
1768  winlogon.exe

Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, count in the last column)
description  pid  Process  procid_target  rows
PID 1340 wrote to memory of 1440  1340  d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe  28  4
PID 1340 wrote to memory of 1312  1340  d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe  30  4
PID 1312 wrote to memory of 1144  1312  winlogon.exe  31  4
PID 1312 wrote to memory of 1200  1312  winlogon.exe  33  4
PID 1312 wrote to memory of 1768  1312  winlogon.exe  34  9
PID 1312 wrote to memory of 1348  1312  winlogon.exe  35  4
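The signature rows above are easier to reason about once parsed. As an added example (not tria.ge's own code), the Python below scans the WriteProcessMemory, SetThreadContext and Run-key rows in the form the page prints them and isolates the two facts a responder wants from this report: the only child that receives both memory writes and a SetThreadContext call (PID 1768, nine writes, against four for every other child and no SetThreadContext for any of them), and the two Run values that point a system-binary name (winlogon.exe) at a path under AppData. The REPORT string is a constructed subset of this report's rows with the sample's hash name shortened to sample.exe and the cmd.exe children omitted; nothing else is assumed.

```python
"""Two triage checks over tria.ge's flattened signature rows.

Added example, not tria.ge code. It reads the "Suspicious use of
WriteProcessMemory", "Suspicious use of SetThreadContext" and "Adds Run key"
rows exactly as the page prints them and answers two questions: which child
was hollowed, and which autorun entries point at a masquerading binary.
"""
import re
from collections import Counter

# Constructed input: a subset of this report's rows. The sample's 64-character
# hash name is shortened to sample.exe and the cmd.exe children (1440, 1144)
# are left out; the row counts per (parent, child) pair match the page.
REPORT = r"""
PID 1340 wrote to memory of 1312 1340 sample.exe 30 PID 1340 wrote to memory of 1312 1340 sample.exe 30
PID 1340 wrote to memory of 1312 1340 sample.exe 30 PID 1340 wrote to memory of 1312 1340 sample.exe 30
PID 1312 wrote to memory of 1200 1312 winlogon.exe 33 PID 1312 wrote to memory of 1200 1312 winlogon.exe 33
PID 1312 wrote to memory of 1200 1312 winlogon.exe 33 PID 1312 wrote to memory of 1200 1312 winlogon.exe 33
PID 1312 wrote to memory of 1768 1312 winlogon.exe 34 PID 1312 wrote to memory of 1768 1312 winlogon.exe 34
PID 1312 wrote to memory of 1768 1312 winlogon.exe 34 PID 1312 wrote to memory of 1768 1312 winlogon.exe 34
PID 1312 wrote to memory of 1768 1312 winlogon.exe 34 PID 1312 wrote to memory of 1768 1312 winlogon.exe 34
PID 1312 wrote to memory of 1768 1312 winlogon.exe 34 PID 1312 wrote to memory of 1768 1312 winlogon.exe 34
PID 1312 wrote to memory of 1768 1312 winlogon.exe 34
PID 1312 wrote to memory of 1348 1312 winlogon.exe 35 PID 1312 wrote to memory of 1348 1312 winlogon.exe 35
PID 1312 wrote to memory of 1348 1312 winlogon.exe 35 PID 1312 wrote to memory of 1348 1312 winlogon.exe 35
PID 1312 set thread context of 1768 1312 winlogon.exe 34
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" csrss.exe
"""

# Row shapes as tria.ge prints them: "PID <src> wrote to memory of <dst> <src> <image> <target id>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) \d+")
RUN_RE = re.compile(r'Set value \(str\) (\S+\\CurrentVersion\\Run\\\S+) = "([^"]*)" (\S+)')

# Names that belong to binaries living in %SystemRoot%\System32 on a clean host.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe",
                   "services.exe", "svchost.exe", "explorer.exe"}


def memory_ops(report):
    """Count write rows per (parent, child, parent image) and collect the
    SetThreadContext rows keyed the same way."""
    writes = Counter((int(s), int(d), img) for s, d, img in WRITE_RE.findall(report))
    ctx = {(int(s), int(d), img) for s, d, img in CTX_RE.findall(report)}
    return writes, ctx


def hollowing_candidates(report):
    """A parent that writes into a child and then resets that child's thread
    context is the process-hollowing / thread-hijack shape. In this report every
    other child has exactly four write rows and no SetThreadContext row, so the
    context reset is what singles out PID 1768."""
    writes, ctx = memory_ops(report)
    return [{"parent": s, "child": d, "parent_image": img, "writes": writes[(s, d, img)]}
            for s, d, img in sorted(ctx)]


def suspicious_run_keys(report):
    """Flag Run values whose target borrows a system-binary name but sits
    outside C:\\Windows, or whose target lives under a profile's AppData."""
    findings = []
    for key, raw_value, writer in RUN_RE.findall(report):
        target = raw_value.replace("\\\\", "\\")   # undo the report's backslash escaping
        low = target.lower()
        image = low.rsplit("\\", 1)[-1]
        reasons = []
        if image in SYSTEM_BINARIES and not low.startswith("c:\\windows\\"):
            reasons.append("system-binary name outside C:\\Windows")
        if "\\appdata\\" in low:
            reasons.append("autorun target under AppData")
        if reasons:
            hive = "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
            findings.append({"hive": hive, "key": key, "target": target,
                             "writer": writer, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in hollowing_candidates(REPORT):
        print(f"hollowing candidate: {hit['parent']} -> {hit['child']} "
              f"({hit['writes']} writes, then SetThreadContext)")
    for f in suspicious_run_keys(REPORT):
        print(f"{f['hive']} Run value written by {f['writer']}: {f['target']} "
              f"[{'; '.join(f['reasons'])}]")
```

The two checks are deliberately independent: the hollowing check needs nothing but the two memory-operation tables, and the Run-key check works on any tria.ge report, because it keys on the path and image name rather than on this sample's folder layout.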
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe  (PID 1340)
    command line: "C:\Users\Admin\AppData\Local\Temp\d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\SysWOW64\cmd.exe  (PID 1440)
        command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe":ZONE.identifier & exit
        - NTFS ADS

    [depth 2] C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe  (PID 1312)
        command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\SysWOW64\cmd.exe  (PID 1144)
            command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
            - NTFS ADS

        [depth 3] C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe  (PID 1200)
            command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
            - Executes dropped EXE

        [depth 3] C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe  (PID 1768)
            command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
            - Executes dropped EXE
            - Deletes itself
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

        [depth 3] C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe  (PID 1348)
            command line: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe" -keyhide -prochide 1768 -reg C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe -proc 1768 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
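The two cmd.exe children in the tree do not strip the Zone.Identifier stream; they overwrite it with the single line [zoneTransfer]ZoneID = 2, which is the Trusted sites zone in URLMON's numbering. As an added example (not tria.ge's code), the Python below parses a Zone.Identifier stream in both that one-line layout and the multi-line layout Windows writes for downloads, and lists why a given stream deserves attention. The zone-number table is the standard URLMON one; the HostUrl in the browser sample is constructed; and the check that flags the one-line layout assumes that Windows' own writer always puts ZoneId on its own line.

```python
"""Parse and assess an NTFS Zone.Identifier stream (the mark of the web).

Added example, not tria.ge code. The sample's cmd.exe children overwrite the
Zone.Identifier stream of the dropped copy and of the original file with the
one-liner "[zoneTransfer]ZoneID = 2". This parser accepts that layout as well
as the multi-line layout Windows writes, and explains why a stream looks off.
"""
import os

# URLMON security zones (standard values).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed samples: the exact text cmd.exe produces for the command line in
# this report (echo keeps the space before ">"), and a typical browser-written
# stream. The HostUrl value is made up.
SAMPLE_FROM_REPORT = "[zoneTransfer]ZoneID = 2 \r\n"
SAMPLE_FROM_BROWSER = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/setup.exe\r\n"


def parse_zone_identifier(text):
    """Return {"zone_id", "zone_name", "layout", "fields"} or None when there
    is no [ZoneTransfer] section. layout is "standard" when ZoneId sits on its
    own line and "single-line" when it follows the section header on the same
    line, the shape a cmd.exe echo redirect produces."""
    section, seen, layout, fields = None, False, "standard", {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):
            end = line.find("]")
            if end < 0:
                continue
            section = line[1:end].strip().lower()
            seen = seen or section == "zonetransfer"
            line = line[end + 1:].strip()    # anything after "]" is a key on the same line
            if not line:
                continue
            layout = "single-line"
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if not seen:
        return None
    zone = fields.get("zoneid")
    zone_id = int(zone) if zone is not None and zone.isdigit() else None
    return {"zone_id": zone_id, "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
            "layout": layout, "fields": fields}


def assess(text):
    """List the reasons a stream deserves attention; an empty list means it
    looks like an ordinary download marker."""
    info = parse_zone_identifier(text)
    if info is None:
        return ["no [ZoneTransfer] section: file carries no mark of the web"]
    reasons = []
    if info["zone_id"] is None:
        reasons.append("ZoneId missing or non-numeric")
    elif info["zone_id"] <= 2:
        # The open-file warning only applies to zones 3 and 4.
        reasons.append(f"ZoneId {info['zone_id']} ({info['zone_name']}): "
                       "below the Internet zone, so no open-file warning applies")
    if info["layout"] == "single-line":
        # Assumption: Windows' own writer always puts ZoneId on its own line.
        reasons.append("section header and ZoneId on one line: not the layout "
                       "Windows writes, matches a cmd.exe echo redirect")
    return reasons


def read_zone_identifier(path):
    """Read the stream from disk. Only NTFS on Windows exposes it through the
    file:stream syntax; elsewhere, or when the stream is absent, return None."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    for label, text in (("report", SAMPLE_FROM_REPORT), ("browser", SAMPLE_FROM_BROWSER)):
        print(label, parse_zone_identifier(text), assess(text) or "looks ordinary")
```

On a live host the same assess() call can be pointed at read_zone_identifier(path) for every executable under a user's AppData; a ZoneId of 2 on a file that was never on a trusted site, or the one-line layout, is worth a look regardless of the file name.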
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe
Filesize: 425KB
MD5: fe484787661bf09669f845a732270d98
SHA1: 8f2bc598564fd08b6b6ec6da295938946525afa7
SHA256: d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab
SHA512: ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b