Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
01/12/2022, 05:01
Static task
static1
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20220901-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
Server.exe
-
Size
742KB
-
MD5
546957b760a3c3d6a2b6810320046cef
-
SHA1
d2ad30ec9b63aef4610188b4720067a3add6345c
-
SHA256
9b47cbacf3a0d3543c85f1c349e4a15793c41d29ce4d113a547b05b4c64aaea1
-
SHA512
585115e482a7cfa13165392ff387ad85eff2a47aacb442f844d173aaa2430434671a293d3278c061bbee077a6786d2ee5c7c9c73fa1d0fc047d165df0279d9dd
-
SSDEEP
12288:4RyTY+2U4uan/8RdW5A0zyxuJwQ5oAlK+Gx9vZuIkAbQQ52LYRg08y5rDRp:86iU4ucwdW5A2RJr/k39vcIkA33P
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1080 Hacker.com.cn.exe -
Deletes itself 1 IoCs
pid Process 1776 cmd.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\OOLKP82U.txt Hacker.com.cn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\OOLKP82U.txt Hacker.com.cn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 Hacker.com.cn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273 Hacker.com.cn.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\HB7XYGBR.txt Hacker.com.cn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\HB7XYGBR.txt Hacker.com.cn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat Hacker.com.cn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 Hacker.com.cn.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273 Hacker.com.cn.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\pRogram Files\Hacker.com.cn.exe Server.exe File opened for modification C:\pRogram Files\Hacker.com.cn.exe Server.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\uninstal.BAT Server.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates Hacker.com.cn.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-d8-5c-a7-f4-67 Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root Hacker.com.cn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427} Hacker.com.cn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427}\WpadDecision = "0" Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs Hacker.com.cn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427}\WpadDecisionReason = "1" Hacker.com.cn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427}\WpadNetworkName = "Network 2" Hacker.com.cn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-d8-5c-a7-f4-67\WpadDecision = "0" Hacker.com.cn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs Hacker.com.cn.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427}\WpadDecisionTime = 10e55e01f606d901 Hacker.com.cn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-d8-5c-a7-f4-67\WpadDecisionReason = "1" Hacker.com.cn.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-d8-5c-a7-f4-67\WpadDecisionTime = 10e55e01f606d901 Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My Hacker.com.cn.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust Hacker.com.cn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs Hacker.com.cn.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Hacker.com.cn.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780167D9-F59A-4A45-B4ED-2AB847174427}\72-d8-5c-a7-f4-67 Hacker.com.cn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix Hacker.com.cn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs Hacker.com.cn.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Hacker.com.cn.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1292 Server.exe Token: SeDebugPrivilege 1080 Hacker.com.cn.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1080 Hacker.com.cn.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1292 wrote to memory of 1776 1292 Server.exe 28 PID 1292 wrote to memory of 1776 1292 Server.exe 28 PID 1292 wrote to memory of 1776 1292 Server.exe 28 PID 1292 wrote to memory of 1776 1292 Server.exe 28 PID 1292 wrote to memory of 1776 1292 Server.exe 28 PID 1292 wrote to memory of 1776 1292 Server.exe 28 PID 1292 wrote to memory of 1776 1292 Server.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\uninstal.BAT2⤵
- Deletes itself
PID:1776
-
-
C:\pRogram Files\Hacker.com.cn.exe"C:\pRogram Files\Hacker.com.cn.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1080
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
742KB
MD5546957b760a3c3d6a2b6810320046cef
SHA1d2ad30ec9b63aef4610188b4720067a3add6345c
SHA2569b47cbacf3a0d3543c85f1c349e4a15793c41d29ce4d113a547b05b4c64aaea1
SHA512585115e482a7cfa13165392ff387ad85eff2a47aacb442f844d173aaa2430434671a293d3278c061bbee077a6786d2ee5c7c9c73fa1d0fc047d165df0279d9dd
-
Filesize
138B
MD56eb475c6df56df79d4d4efb8d8af828a
SHA1d3e0ee51bd87f3688b34bfaa8b017446b08e758c
SHA256fafc571285bddaf3e1a3562b4d9691f68e8f5f00e59191d791949a1301920a9e
SHA5126d00694c7f1cbac8776143f08145a42a48cfbe352168739b29d9ccea4025609bc97751836234d952eceed961f6bc2872434a41968365a0e631b39e6b2bdbc2dd
-
Filesize
742KB
MD5546957b760a3c3d6a2b6810320046cef
SHA1d2ad30ec9b63aef4610188b4720067a3add6345c
SHA2569b47cbacf3a0d3543c85f1c349e4a15793c41d29ce4d113a547b05b4c64aaea1
SHA512585115e482a7cfa13165392ff387ad85eff2a47aacb442f844d173aaa2430434671a293d3278c061bbee077a6786d2ee5c7c9c73fa1d0fc047d165df0279d9dd