Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 152s
max time network: 133s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29/11/2022, 07:34
Static task: static1
Behavioral task: behavioral1
Sample: fef1ec3367c1cdd00a658cc1879d48f1b2408fcd4f25c02b667a8272f24f2a2a.dll
Resource: win7-20220812-en
General
Target: fef1ec3367c1cdd00a658cc1879d48f1b2408fcd4f25c02b667a8272f24f2a2a.dll
Size: 176KB
MD5: b52596cc2f51e4cca31b4be61a1c8ac0
SHA1: 89fdbc0d9781d1e2705b8712613e43b93aa436be
SHA256: fef1ec3367c1cdd00a658cc1879d48f1b2408fcd4f25c02b667a8272f24f2a2a
SHA512: f2fec90d388ffc46b9f1adfbde2c686b4f6e07fb778558ca99e22e21bc83997d4734bba425bb99fcb433452fe505fdfc301d4c125d817430d3e751ffa8ed0ad2
SSDEEP: 3072:pgKKuiX63bw5dNjDh8pWVgTlFIYnUBBOmCCYhTQw/adrEV:iKZp3KNjVGv5KYhMN4
Malware Config
Signatures

Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe

Userinit is the comma-separated list of programs Winlogon launches at every interactive logon; the stock value holds only userinit.exe, so appending the dropped WaterMark.exe path relaunches the payload each time a user logs on. The value was written under the Wow6432Node view because the writer is the 32-bit (SysWOW64) svchost.exe, PID 1920 in the process tree; an audit of a suspect host should read both the native key and the Wow6432Node view.
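The following check is an added example written for this page, not code from the Triage report: it splits a Userinit value the way Winlogon does, reports every entry beyond the stock one, and on Windows reads the value from both registry views. The "report" sample is the value recorded above; DEFAULT_USERINIT is an assumed clean Windows 7 x64 baseline that should be confirmed against a known-good host.

```python
"""Check a Winlogon Userinit value for extra logon programs.

Added example for this report; it is not Triage code. The "report" sample is
the value the Winlogon signature records, and DEFAULT_USERINIT is an assumed
clean Windows 7 x64 baseline: verify it against a known-good host before
relying on it. read_live_userinit() only does anything on Windows.
"""
from __future__ import annotations

import ntpath
import sys

# Assumed stock value; the trailing comma is part of it.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Constructed inputs: the first is copied from the report's IoC, the second is the baseline.
SAMPLES = {
    "report": r"userinit.exe,c:\program files (x86)\microsoft\watermark.exe",
    "clean": DEFAULT_USERINIT,
}


def split_userinit(value: str) -> list[str]:
    """Winlogon runs each comma-separated program in turn; drop empty items
    (the stock value ends with a comma) and surrounding quotes and spaces."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def audit_userinit(value: str, baseline: str = DEFAULT_USERINIT) -> list[str]:
    """Return findings as strings; an empty list means the value matches the baseline."""
    entries = split_userinit(value)
    expected = split_userinit(baseline)[0]
    if not entries:
        return ["Userinit is empty; Winlogon would start nothing at logon"]
    findings = []
    first = entries[0]
    if first.lower() != expected.lower():
        if ntpath.basename(first).lower() == "userinit.exe":
            # The sample replaced the full path with a bare name, as in the report.
            findings.append(f"userinit.exe is not fully qualified: {first!r}")
        else:
            findings.append(f"first logon program is not userinit.exe: {first!r}")
    # Every entry after the first is something Winlogon will launch at each logon.
    for extra in entries[1:]:
        findings.append(f"extra logon program: {extra!r}")
    return findings


def read_live_userinit() -> dict[str, str]:
    """On Windows, read Userinit from both registry views: the native 64-bit key
    and the Wow6432Node view the report's 32-bit svchost.exe wrote to.
    Returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    subkey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    views = {"native": winreg.KEY_WOW64_64KEY, "wow6432node": winreg.KEY_WOW64_32KEY}
    out = {}
    for name, flag in views.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ | flag) as key:
                out[name] = winreg.QueryValueEx(key, "Userinit")[0]
        except OSError:
            pass  # view or value absent
    return out


if __name__ == "__main__":
    # On Windows this audits the live machine; elsewhere it runs over the constructed samples.
    for view, value in (read_live_userinit() or SAMPLES).items():
        print(f"{view}: {audit_userinit(value) or ['ok']}")
```

The comparison is case-insensitive and tolerates a quoted path, so a stock host produces no findings; the sandbox value produces two, one for the unqualified userinit.exe and one for the appended WaterMark.exe.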
Executes dropped EXE  (2 IoCs)
  pid | process
  1932 | rundll32mgr.exe
  1088 | WaterMark.exe

yara_rule matches on memory dumps  (6 IoCs)
  resource | yara_rule
  behavioral1/memory/1932-63-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1932-64-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1932-70-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/1088-86-0x0000000000400000-0x0000000000423000-memory.dmp | upx
  behavioral1/memory/1088-88-0x0000000000400000-0x0000000000423000-memory.dmp | upx
  behavioral1/memory/1088-195-0x0000000000400000-0x0000000000421000-memory.dmp | upx

Loads dropped DLL  (4 IoCs)
  pid | process
  1124 | rundll32.exe
  1124 | rundll32.exe
  1932 | rundll32mgr.exe
  1932 | rundll32mgr.exe

Drops file in System32 directory  (3 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe

Drops file in Program Files directory  (10 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files\7-Zip\7z.dll | svchost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\px257C.tmp | rundll32mgr.exe
  File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32mgr.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | svchost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip.dll | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | svchost.exe

Suspicious behavior: EnumeratesProcesses  (25 IoCs; identical rows collapsed)
  pid | process | count
  1088 | WaterMark.exe | 8
  1156 | svchost.exe | 17

Suspicious use of AdjustPrivilegeToken  (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1088 | WaterMark.exe
  Token: SeDebugPrivilege | 1156 | svchost.exe
  Token: SeDebugPrivilege | 1088 | WaterMark.exe

Suspicious use of UnmapMainImage  (2 IoCs)
  pid | process
  1932 | rundll32mgr.exe
  1088 | WaterMark.exe

Suspicious use of WriteProcessMemory  (64 IoCs; identical rows collapsed, target image taken from the Processes section)
  source pid | source process | target pid | target process | procid_target | count
  1168 | rundll32.exe | 1124 | rundll32.exe | 27 | 7
  1124 | rundll32.exe | 1932 | rundll32mgr.exe | 28 | 4
  1932 | rundll32mgr.exe | 1088 | WaterMark.exe | 29 | 4
  1088 | WaterMark.exe | 1920 | svchost.exe | 30 | 10
  1088 | WaterMark.exe | 1156 | svchost.exe | 31 | 10
  1156 | svchost.exe | 260 | smss.exe | 7 | 5
  1156 | svchost.exe | 336 | csrss.exe | 6 | 5
  1156 | svchost.exe | 372 | csrss.exe | 5 | 5
  1156 | svchost.exe | 380 | wininit.exe | 4 | 5
  1156 | svchost.exe | 420 | winlogon.exe | 3 | 5
  1156 | svchost.exe | 468 | services.exe | 2 | 4

The first five rows are each process writing into the child it has just spawned (see the Processes section), which together with the UnmapMainImage hits on rundll32mgr.exe and WaterMark.exe is the shape of process hollowing. The last six rows are the 32-bit svchost.exe (PID 1156), running with SeDebugPrivilege, writing into smss.exe, both csrss.exe instances, wininit.exe, winlogon.exe and services.exe, none of which it created.
Processes  (indented by depth; image path | command line; signatures listed beneath the process that triggered them)

PID 476   C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
PID 468   C:\Windows\system32\services.exe | C:\Windows\system32\services.exe
  PID 804   C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    PID 1340  C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe"
  PID 800   C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  PID 960   C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe
  PID 1256  C:\Windows\system32\taskhost.exe | "taskhost.exe"
  PID 1040  C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  PID 308   C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
  PID 328   C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService
  PID 876   C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs
  PID 852   C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService
  PID 740   C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  PID 676   C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS
  PID 592   C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch
PID 420   C:\Windows\system32\winlogon.exe | winlogon.exe
PID 380   C:\Windows\system32\wininit.exe | wininit.exe
  PID 484   C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe
PID 372   C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
PID 336   C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
PID 260   C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe
PID 1928  \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R
PID 1384  C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  PID 1168  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fef1ec3367c1cdd00a658cc1879d48f1b2408fcd4f25c02b667a8272f24f2a2a.dll,#1
            - Suspicious use of WriteProcessMemory
    PID 1124  C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fef1ec3367c1cdd00a658cc1879d48f1b2408fcd4f25c02b667a8272f24f2a2a.dll,#1
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory
      PID 1932  C:\Windows\SysWOW64\rundll32mgr.exe | C:\Windows\SysWOW64\rundll32mgr.exe
                - Executes dropped EXE
                - Loads dropped DLL
                - Drops file in Program Files directory
                - Suspicious use of UnmapMainImage
                - Suspicious use of WriteProcessMemory
        PID 1088  C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of UnmapMainImage
                  - Suspicious use of WriteProcessMemory
          PID 1920  C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe
                    - Modifies WinLogon for persistence
                    - Drops file in System32 directory
                    - Drops file in Program Files directory
          PID 1156  C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory

The 64-bit rundll32.exe (PID 1168) re-launches the 32-bit DLL under the SysWOW64 rundll32.exe (PID 1124), which is normal for a 32-bit DLL on a 64-bit host; everything malicious happens in that 32-bit process and its descendants. Both svchost.exe children of WaterMark.exe are the SysWOW64 copy started with a system32 command line, so their image path does not match the command line a stock service host shows.
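An added example (written for this page, not part of the Triage report) that turns the WriteProcessMemory rows into an injection graph and classifies each edge using the process tree above. Parent-to-child writes on their own are weak evidence, since the report shows them even for the 64-bit to 32-bit rundll32.exe hand-off; writes into core processes the writer did not create are the strong signal. The event lines are constructed from the report's table in the report's own wording, the PID-to-name and parent maps are transcribed from the Processes section, and SYSTEM_PROCESSES is an assumed list of core processes a user-mode program has no ordinary reason to write into.

```python
"""Rebuild the injection chain from the report's WriteProcessMemory rows.

Added example for this report, not Triage code. The event lines are
constructed from the report's "wrote to memory of" table (one line per row,
in the report's own wording); the PID-to-name and parent maps are
transcribed from the report's process list. A real run would read these from
the sandbox's JSON export instead of literals.
"""
from __future__ import annotations

import re
from collections import Counter

# Distinct rows of the report's table and how many times each repeats (constructed input).
_ROWS = [
    ("PID 1168 wrote to memory of 1124 1168 rundll32.exe 27", 7),
    ("PID 1124 wrote to memory of 1932 1124 rundll32.exe 28", 4),
    ("PID 1932 wrote to memory of 1088 1932 rundll32mgr.exe 29", 4),
    ("PID 1088 wrote to memory of 1920 1088 WaterMark.exe 30", 10),
    ("PID 1088 wrote to memory of 1156 1088 WaterMark.exe 31", 10),
    ("PID 1156 wrote to memory of 260 1156 svchost.exe 7", 5),
    ("PID 1156 wrote to memory of 336 1156 svchost.exe 6", 5),
    ("PID 1156 wrote to memory of 372 1156 svchost.exe 5", 5),
    ("PID 1156 wrote to memory of 380 1156 svchost.exe 4", 5),
    ("PID 1156 wrote to memory of 420 1156 svchost.exe 3", 5),
    ("PID 1156 wrote to memory of 468 1156 svchost.exe 2", 4),
]
SAMPLE_EVENTS = "\n".join(line for line, n in _ROWS for _ in range(n))

# PID -> image name, transcribed from the report's process list.
PROCESS_NAMES = {
    260: "smss.exe", 336: "csrss.exe", 372: "csrss.exe", 380: "wininit.exe",
    420: "winlogon.exe", 468: "services.exe", 1168: "rundll32.exe",
    1124: "rundll32.exe", 1932: "rundll32mgr.exe", 1088: "WaterMark.exe",
    1920: "svchost.exe", 1156: "svchost.exe",
}
# child PID -> parent PID for the sample's own subtree, from the report's process tree.
PARENT_OF = {1124: 1168, 1932: 1124, 1088: 1932, 1920: 1088, 1156: 1088}

# Assumed set of core processes a user-mode program has no ordinary reason to write into.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                    "services.exe", "lsass.exe"}

# "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
_EVENT = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")


def parse_events(text: str) -> list[tuple[int, int, str]]:
    """Return (source_pid, target_pid, source_image) per row; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = _EVENT.match(line.strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return out


def classify_writes(events, names, parent_of):
    """Collapse repeated rows, then split edges into parent-to-child writes (filling
    in a child the writer just spawned) and cross-process writes (into processes
    the writer did not create), noting which of the latter hit core system processes."""
    counts = Counter((src, dst) for src, dst, _ in events)  # keeps first-seen order
    parent_to_child, cross_process, into_system = [], [], []
    for src, dst in counts:
        if parent_of.get(dst) == src:
            parent_to_child.append((src, dst))
        else:
            cross_process.append((src, dst))
            if names.get(dst) in SYSTEM_PROCESSES:
                into_system.append((src, dst))
    return {"counts": dict(counts), "parent_to_child": parent_to_child,
            "cross_process": cross_process, "into_system": into_system}


def describe(summary, names) -> list[str]:
    """One human-readable line per distinct edge."""
    lines = []
    for src, dst in summary["parent_to_child"]:
        lines.append(f"{names[src]} ({src}) -> {names[dst]} ({dst}): "
                     f"{summary['counts'][(src, dst)]} writes into its own child")
    for src, dst in summary["cross_process"]:
        tag = "CORE SYSTEM PROCESS" if (src, dst) in summary["into_system"] else "unrelated process"
        lines.append(f"{names[src]} ({src}) -> {names[dst]} ({dst}): "
                     f"{summary['counts'][(src, dst)]} writes, {tag}")
    return lines


if __name__ == "__main__":
    summary = classify_writes(parse_events(SAMPLE_EVENTS), PROCESS_NAMES, PARENT_OF)
    print("\n".join(describe(summary, PROCESS_NAMES)))
```

Run over the constructed input the chain comes out as five parent-to-child edges (rundll32.exe 1168 through to the two svchost.exe children) and six cross-process edges, all from svchost.exe 1156 into core system processes; in a detection pipeline the second group is what should page someone.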
Network
MITRE ATT&CK Enterprise v6
Downloads  (8 entries, all the same file)
Filesize: 60KB
MD5: f75ba7b0befee8ceca41887a1c08275a
SHA1: c302a11726b67942df47bd592e0f16f4b55e27cd
SHA256: e17884dabe4a9f88f81cb7871f007699cc3f4ee349b12fa11e27750c6097104a
SHA512: 23c379ad527f817382f9a38e2fda7cc6e77250289ca079a81a0e690fa8af98db290a55e953108788ecfbb6e1bf2746230c68fa1df513729d72758a782a768673