Analysis
- max time kernel: 150s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 09:58
Behavioral task behavioral1
- Sample: c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
- Resource: win10v2004-20221111-en
General
- Target: c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
- Size: 744KB
- MD5: ec9b8f4b0af5befd5558ffeb0ecc88a6
- SHA1: 9bb0f2e8322288ed4e2612496d7de2340dcb5173
- SHA256: c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d
- SHA512: 6cd1a68c677ecf120c023ed274cbf12977e86a1e593021964bbae51638b8daa71ee451ab859a7ca521a29f71706892549b1db2440f5f7cf21e0ec104cb4e4137
- SSDEEP: 12288:z8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixW:QUKoN0bUxgGa/pfBHDb+y1HgZ
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\msdcsc.exe"
  Process: c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
- Executes dropped EXE (1 IoC)
  PID 336 msdcsc.exe
- Deletes itself (1 IoC)
  PID 516 cmd.exe
- Loads dropped DLL (2 IoCs)
  PID 2008 c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe (2 entries)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe"
  Set by each of: msdcsc.exe, iexplore.exe, c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 336 msdcsc.exe set thread context of PID 1840 (procid_target 32)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
  PID 1488 PING.EXE
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token privileges adjusted, grouped by process:
  PID 2008 c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 336 msdcsc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 1840 iexplore.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1840 iexplore.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2008 c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe wrote to memory of PID 516 (procid_target 28): 4 entries
  PID 516 cmd.exe wrote to memory of PID 1488 (procid_target 30): 4 entries
  PID 2008 c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe wrote to memory of PID 336 (procid_target 31): 4 entries
  PID 336 msdcsc.exe wrote to memory of PID 1840 (procid_target 32): 6 entries
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe"
  PID: 2008
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe"
    PID: 516
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 4
      PID: 1488
      - Runs ping.exe
  - [2] C:\MSDCSC\msdcsc.exe
    Command line: "C:\MSDCSC\msdcsc.exe"
    PID: 336
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 1840
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads (4 entries, all with identical hashes)
- Filesize: 744KB
- MD5: ec9b8f4b0af5befd5558ffeb0ecc88a6
- SHA1: 9bb0f2e8322288ed4e2612496d7de2340dcb5173
- SHA256: c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d
- SHA512: 6cd1a68c677ecf120c023ed274cbf12977e86a1e593021964bbae51638b8daa71ee451ab859a7ca521a29f71706892549b1db2440f5f7cf21e0ec104cb4e4137