Analysis
- max time kernel: 107s
- max time network: 89s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 03:00
Static task: static1

Behavioral task: behavioral1
- Sample: 79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe
- Resource: win10v2004-20220812-en
General
- Target: 79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe
- Size: 4.8MB
- MD5: b9c9b6a1121071dcc3afac7cef10b987
- SHA1: 7ec4123c506a76eeaf1904a71263953906687cbf
- SHA256: 79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f
- SHA512: ccad975fb3fe467ec16e2951ffada02860817a2b8d2518d9037c590aa533a6d417253fcf2f69d96e82cf28f396b1e8edcc72e7393ddf4f28034b4a1a12cc4fda
- SSDEEP: 98304:7EK7yYAUDJ4sPgxSAZ5EGh+cDsddihc6TXkBL:txpPHA3DtsdP6TXkB
Malware Config
Signatures
- Drops file in Drivers directory (3 IoCs)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (do.exe)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (cmd.exe)
  File created: C:\Windows\system32\drivers\etc\hоsts (cmd.exe); the "о" in this path is a non-ASCII homoglyph, so this is a newly created file next to the real hosts file rather than the hosts file itself
- Executes dropped EXE (4 IoCs)
  PID 952 do.exe
  PID 896 setup.exe
  PID 1872 run.exe
  PID 648 csrss.exe
- Loads dropped DLL (7 IoCs)
  PID 1612 79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe (2 events)
  PID 952 do.exe (3 events)
  PID 1872 run.exe (2 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\init = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\do.exe\" eeyuckl.bat" (reg.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  PID 900 taskkill.exe
- Modifies Internet Explorer start page (1 TTP, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://fon.gs/updates/" (run.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://fon.gs/updates/" (csrss.exe)
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1668 PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 896 setup.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 900 taskkill.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 952 do.exe
  PID 896 setup.exe
- Suspicious use of WriteProcessMemory (64 IoCs; identical repeated entries are listed once with their event count)
  PID 1612 (79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe) wrote to memory of 952, procid_target 28: 7 events
  PID 952 (do.exe) wrote to memory of 584, procid_target 29: 7 events
  PID 952 (do.exe) wrote to memory of 1516, procid_target 31: 7 events
  PID 584 (cmd.exe) wrote to memory of 844, procid_target 34: 7 events
  PID 1516 (cmd.exe) wrote to memory of 1652, procid_target 35: 7 events
  PID 584 (cmd.exe) wrote to memory of 900, procid_target 36: 7 events
  PID 952 (do.exe) wrote to memory of 896, procid_target 33: 7 events
  PID 952 (do.exe) wrote to memory of 1872, procid_target 38: 7 events
  PID 1872 (run.exe) wrote to memory of 648, procid_target 39: 7 events
  PID 1872 (run.exe) wrote to memory of 1076, procid_target 40: 1 event
Processes
- C:\Users\Admin\AppData\Local\Temp\79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe (PID 1612)
  command line: "C:\Users\Admin\AppData\Local\Temp\79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\do.exe (PID 952)
    command line: "C:\Users\Admin\AppData\Local\Temp\do.exe" ++++++++++eeyuckl.bat+++++setup.exe+++++run.exe
    signatures: Drops file in Drivers directory; Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 584)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\eeyuckl.bat" "
      signatures: Drops file in Drivers directory; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com (PID 844)
        command line: chcp 866
      - C:\Windows\SysWOW64\taskkill.exe (PID 900)
        command line: taskkill /f /im "praetorian.exe"
        signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 1516)
      command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v init /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\do.exe\" eeyuckl.bat" /f
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1652)
        command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v init /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\do.exe\" eeyuckl.bat" /f
        signatures: Adds Run key to start application
    - C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 896)
      command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\run.exe (PID 1872)
      command line: "C:\Users\Admin\AppData\Local\Temp\run.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Modifies Internet Explorer start page; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\eC6AOi5jKK\csrss.exe (PID 648)
        command line: "C:\Users\Admin\AppData\Local\Temp\eC6AOi5jKK\csrss.exe" open
        signatures: Executes dropped EXE; Modifies Internet Explorer start page
      - C:\Windows\SysWOW64\cmd.exe (PID 1076)
        command line: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 8 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\run.exe"
        - C:\Windows\SysWOW64\PING.EXE (PID 1668)
          command line: ping 127.0.0.1 -n 8
          signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads