Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 143s
max time network: 99s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 22:14
Static task: static1
Behavioral task: behavioral1
Sample: 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
Resource: win10v2004-20220812-en
General
Target: 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
Size: 28KB
MD5: 98796e376e08ab8fce2dfb0570938751
SHA1: 5a8f6bfdc7791d7c7336b225ec996fb60a90a6d3
SHA256: 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812
SHA512: a029579f3f9c6f5247521097fbccec8cdd1d196c95d8813c8da446bb33474b15a2465578a6c3c60e5533ba07e1a5515b4cde55596a14df3b7c9ca98ae2d35877
SSDEEP: 768:b2FFwaMLgTzqjA4pYOUd+/u9uppQ1MZrX5iHkYmDWVcNnXwzMtc2/:bWTcvjVpzJdYWZ75hYy
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid 1072  Process sovhst.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
Deletes itself (1 IoC)
pid 1164  Process cmd.exe
Loads dropped DLL (3 IoCs)
pid 1092  Process 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
pid 1092  Process 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
pid 1072  Process sovhst.exe
Drops file in System32 directory (1 IoC)
File created  C:\Windows\SysWOW64\dllcache\linkinfo.dll  Process sovhst.exe
Drops file in Program Files directory (2 IoCs)
File created  C:\Program Files\sovhst.exe  Process 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
File opened for modification  C:\Program Files\sovhst.exe  Process sovhst.exe
Drops file in Windows directory (2 IoCs)
File created  C:\Windows\fonts\niuxs.sys  Process sovhst.exe
File created  C:\Windows\fonts\fuckjss.sys  Process sovhst.exe
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid 1192  Process sc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 1092 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe 1092 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe 1072 sovhst.exe -
Suspicious behavior: LoadsDriver (2 IoCs)
pid 460  Process not Found
pid 460  Process not Found
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege  pid 1072  Process sovhst.exe
Token: SeDebugPrivilege  pid 1072  Process sovhst.exe
Suspicious use of WriteProcessMemory (16 IoCs)
PID 1092 wrote to memory of 1072  Process 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe  procid_target 27
PID 1092 wrote to memory of 1072  Process 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe  procid_target 27
PID 1092 wrote to memory of 1072  Process 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe  procid_target 27
PID 1092 wrote to memory of 1072  Process 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe  procid_target 27
PID 1072 wrote to memory of 808  Process sovhst.exe  procid_target 28
PID 1072 wrote to memory of 808  Process sovhst.exe  procid_target 28
PID 1072 wrote to memory of 808  Process sovhst.exe  procid_target 28
PID 1072 wrote to memory of 808  Process sovhst.exe  procid_target 28
PID 808 wrote to memory of 1192  Process cmd.exe  procid_target 30
PID 808 wrote to memory of 1192  Process cmd.exe  procid_target 30
PID 808 wrote to memory of 1192  Process cmd.exe  procid_target 30
PID 808 wrote to memory of 1192  Process cmd.exe  procid_target 30
PID 1092 wrote to memory of 1164  Process 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe  procid_target 31
PID 1092 wrote to memory of 1164  Process 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe  procid_target 31
PID 1092 wrote to memory of 1164  Process 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe  procid_target 31
PID 1092 wrote to memory of 1164  Process 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe  procid_target 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 1092
   2. C:\Program Files\sovhst.exe
      Command line: "C:\Program Files\sovhst.exe"
      - Executes dropped EXE
      - Sets file execution options in registry
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1072
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c sc config avp start= disabled
         - Suspicious use of WriteProcessMemory
         PID: 808
         4. C:\Windows\SysWOW64\sc.exe
            Command line: sc config avp start= disabled
            - Launches sc.exe
            PID: 1192
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe"
      - Deletes itself
      PID: 1164
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 24KB
MD5: b6798f264cb81ca4b619ee5795194727
SHA1: 15e9fd8ebac957782e3156f9776d1e0ceb7320ed
SHA256: 404017f0c0773086387a3388ede20a0ebe486ab86da613d35b6627e105098c7f
SHA512: 03eaef7ca5d13cffc39f7acc8cd154e7f8b9b2a93d2adff3e212a2f85af4f611eddfc57ac940e275dcb776801df7b22854da1904f825ee5e9837013ec7590cc9
Filesize: 17KB
MD5: 639e7403b60d35fd9fb7474d756bdb68
SHA1: d5f625170104b3599824d915e16ac7d8f8e72e50
SHA256: b23feac5c0a9b51848e41beef12e68c70a9266aa966f93bb884d4e7383813ef1
SHA512: cac3802c7eb2d1e64079d484c508f3538f33d46f87c1ee9636748ae866ff3d36994822b6be2b5950d7dce78d9d010a77d497588edcda325e096489189e87d6ef