Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01/12/2022, 22:43
General
-
Target
76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe
-
Size
60KB
-
MD5
a0068ae7ff0080ef15e60e1d213c53b1
-
SHA1
1685fd8007c01c2efc9f273f092cda13141fb0eb
-
SHA256
76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e
-
SHA512
f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb
-
SSDEEP
768:ukpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvORBX80X/s:3kQJcqwmIfj+ECJG/kvO40vs
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Discovers systems in the same network 1 TTPs 4 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe"C:\Users\Admin\AppData\Local\Temp\76d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Application Data\wmimgmt.exe"C:\ProgramData\Application Data\wmimgmt.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt4⤵
-
-
C:\Windows\SysWOW64\chcp.comchcp4⤵
-
-
C:\Windows\SysWOW64\net.exenet user4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup administrators4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators5⤵
-
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- Gathers system information
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"4⤵
-
-
C:\Windows\SysWOW64\find.exefind "REG_"4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s4⤵
- Accesses Microsoft Outlook accounts
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s4⤵
-
-
C:\Windows\SysWOW64\net.exenet user Admin4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet user Admin /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin /domain5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group /domain5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain admins"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain admins" /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins" /domain5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain computers"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain computers"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain computers" /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain computers" /domain5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain controllers"4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain controllers"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain controllers" /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain controllers" /domain5⤵
-
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all4⤵
- Gathers network information
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -ano4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a4⤵
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -r4⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
-
C:\Windows\SysWOW64\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
C:\Windows\SysWOW64\net.exenet start4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet use4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo n"4⤵
-
-
C:\Windows\SysWOW64\net.exenet share4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet view /domain4⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "------"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "domain"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "¬A╛╣"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "░⌡ªµª¿"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "├ⁿ┴ε"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "completed successfully"4⤵
-
-
C:\Windows\SysWOW64\net.exenet view /domain:"WORKGROUP"4⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "4⤵
-
-
C:\Windows\SysWOW64\find.exefind "\\"4⤵
-
-
C:\Windows\SysWOW64\net.exenet view \\ORXGKKZC4⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\net.exenet view \\ORXGKKZC4⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind "Disk"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 ORXGKKZC4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "Pinging Reply Request Unknown"4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5a0068ae7ff0080ef15e60e1d213c53b1
SHA11685fd8007c01c2efc9f273f092cda13141fb0eb
SHA25676d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e
SHA512f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb
-
Filesize
60KB
MD5a0068ae7ff0080ef15e60e1d213c53b1
SHA11685fd8007c01c2efc9f273f092cda13141fb0eb
SHA25676d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e
SHA512f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb
-
Filesize
49B
MD5916216b15d4c110b0534ec378292f653
SHA1f36e7d20c40f874b401ca11f44a8e24a0dc80e1a
SHA256ad99629c9b75312e25b81f9c370710601ae1b2fd34279533240287aa36f226ac
SHA5120262a7e27dbc58673d189b527581ec572a5ca5f23e16d7625e9ff0e541466d2501a9ae449db0878749227aa13b3310b6d36375d73438bbf844badc88e7036de7
-
Filesize
10B
MD53594ed70083b6e10efbfbcd4142b6454
SHA159b91832fc3778d2dba62642935c61fb768c760c
SHA256c1aead592e2eb892263a7b1a7ca36484c73013be81dda18ccbe6a35138799823
SHA512418466d5b10ba557bdb229cfcf7e190e7cedd9fd52a72e2591f78fc1c5c983b04c60c9307e8919c3d7e366d71c54a325d4f20e4ad4850677b115ca9c562d0586
-
Filesize
4KB
MD5b91bc08162fbc3445c5424b77183b807
SHA152b2a60db40cdcc655648a65210ed26219c033e1
SHA2567cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a
SHA5122f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35
-
Filesize
153B
MD5b256c8a481b065860c2812e742f50250
SHA151ddf02764fb12d88822450e8a27f9deac85fe54
SHA256b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12
SHA512f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360
-
Filesize
64B
MD5e29f80bf6f6a756e0bc6d7f5189a9bb2
SHA1acdd1032b7dc189f8e68b390fe6fd964618acd72
SHA2568bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7
SHA512f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e
-
Filesize
64B
MD5e29f80bf6f6a756e0bc6d7f5189a9bb2
SHA1acdd1032b7dc189f8e68b390fe6fd964618acd72
SHA2568bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7
SHA512f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e
-
Filesize
72B
MD559f2768506355d8bc50979f6d64ded26
SHA1b2d315b3857bec8335c526a08d08d6a1b5f5c151
SHA2567f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569
SHA512e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028
-
Filesize
64B
MD5e29f80bf6f6a756e0bc6d7f5189a9bb2
SHA1acdd1032b7dc189f8e68b390fe6fd964618acd72
SHA2568bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7
SHA512f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e
-
Filesize
64B
MD5e29f80bf6f6a756e0bc6d7f5189a9bb2
SHA1acdd1032b7dc189f8e68b390fe6fd964618acd72
SHA2568bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7
SHA512f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e
-
Filesize
234B
MD570c06d45272314d12cf853ed98edb663
SHA1da26e6d9ed4adf06bffa8f53733c3e9728ac50ab
SHA256dfc7e4a6a2c2810965f6f42806c7daa6a6d92fd3f404e67a66b6b1e956b2283c
SHA512d11701d492f52e2abfebb837cd91a6a920dd0fe186a4dcce2775f2bf47c1947ca0dbb86bbe10cb504016610ef81ff5f2871ef3376cb7c592fe4b6ad19819d645
-
Filesize
60KB
MD5a0068ae7ff0080ef15e60e1d213c53b1
SHA11685fd8007c01c2efc9f273f092cda13141fb0eb
SHA25676d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e
SHA512f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb
-
Filesize
60KB
MD5a0068ae7ff0080ef15e60e1d213c53b1
SHA11685fd8007c01c2efc9f273f092cda13141fb0eb
SHA25676d1c120d7fd6a5cbcb2799c650b81a23220096cce22d7d2659a6a98b051985e
SHA512f71440dbfa9780d7edb4691a1a353099f4408b05479d7d91b9406a988fa3d15cebe196662306ea9aaad75d9c6a1a8f7659fb7c04568e455411768aec861d35cb
-
Filesize
68KB
-
Filesize
8KB
-
Filesize
68KB
-
Filesize
68KB