Analysis
- max time kernel: 147s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 14:42
Static task: static1
Behavioral task: behavioral1
- Sample: 855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe
- Resource: win10v2004-20221111-en
General
- Target: 855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe
- Size: 662KB
- MD5: c6b01a57eb53feea05cbab7c1fc39c03
- SHA1: 2ad9c7719783498514e712e450a0adaf60d09e6d
- SHA256: 855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397
- SHA512: e576d0e5f32662bae817148dad9a7bce43ec971875924286c26c2b7745adec73c63976696545884640c7c8844274215bde3b80f7d692ef55f2914701d12daac7
- SSDEEP: 12288:4ZoiuvhPq6VHX/wuoVjGFrGzcY7Vr8bBTgF3Z4mxxbgRoM9KkONLha4nfKE:cPuvhy61DFNY7R8bBgQmXbgOoGLPfKE
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid / Process:
- 2008: Server.exe
- 1488: Hacker.com.cn.exe

yara_rule matches
resource / yara_rule:
- behavioral1/files/0x000a000000014b75-56.dat: upx
- behavioral1/files/0x000a000000014b75-57.dat: upx
- behavioral1/files/0x000a000000014b75-59.dat: upx
- behavioral1/memory/2008-62-0x0000000000400000-0x00000000004C8000-memory.dmp: upx
- behavioral1/files/0x000a000000014b75-63.dat: upx
- behavioral1/files/0x0008000000014d16-64.dat: upx
- behavioral1/files/0x0008000000014d16-66.dat: upx
- behavioral1/memory/2008-68-0x0000000000400000-0x00000000004C8000-memory.dmp: upx
- behavioral1/memory/1488-70-0x0000000000400000-0x00000000004C8000-memory.dmp: upx
- behavioral1/memory/1488-72-0x0000000000400000-0x00000000004C8000-memory.dmp: upx
Loads dropped DLL (2 IoCs)
pid / Process:
- 784: 855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe
- 784: 855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe)

Drops file in System32 directory (1 IoC)
description / ioc / Process:
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (Hacker.com.cn.exe)

Drops file in Windows directory (3 IoCs)
description / ioc / Process:
- File created: C:\Windows\Hacker.com.cn.exe (Server.exe)
- File opened for modification: C:\Windows\Hacker.com.cn.exe (Server.exe)
- File created: C:\Windows\uninstal.bat (Server.exe)
Modifies data under HKEY_USERS (28 IoCs)
description / ioc / Process (all entries: Hacker.com.cn.exe):
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf\WpadDecisionTime = 80b2a14a6307d901
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\WpadNetworkName = "Network 3"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf\WpadDecisionTime = c083f2156307d901
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf\WpadDecisionReason = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\7a-76-83-60-f3-cf
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\WpadDecisionTime = c083f2156307d901
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\WpadDecision = "0"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0083000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf\WpadDecision = "0"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf\WpadDetectedUrl
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C658C486-C8CD-4B32-8C71-E3A2DCA9AC3C}\WpadDecisionTime = 80b2a14a6307d901
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-76-83-60-f3-cf
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0083000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 2008, Server.exe
- Token: SeDebugPrivilege, 1488, Hacker.com.cn.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid / Process:
- 1488: Hacker.com.cn.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description / pid / Process / procid_target:
- PID 784 wrote to memory of 2008, pid 784, 855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe, procid_target 26 (4 entries)
- PID 1488 wrote to memory of 1732, pid 1488, Hacker.com.cn.exe, procid_target 28 (4 entries)
- PID 2008 wrote to memory of 1724, pid 2008, Server.exe, procid_target 29 (7 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\855d15ca33165883c5fcea4389dd2aa08229ded0d6f63442b98d874e9190a397.exe"
  PID: 784
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
    PID: 2008
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: cmd /c C:\Windows\uninstal.bat
      PID: 1724

C:\Windows\Hacker.com.cn.exe (level 1)
  Command line: C:\Windows\Hacker.com.cn.exe
  PID: 1488
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\IEXPLORE.EXE (level 2)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 1732
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists seven dropped files; six of them share identical size and hashes (listed 6 times in the original report), the seventh is a 160B file.

File 1 (listed 6 times)
- Filesize: 295KB
- MD5: 620acaa531c9ed2e93d57bb02a49d463
- SHA1: b81fe0a9a1c49c7fdbc28d131500746eb8715b13
- SHA256: 5c4039b1e72cf53919f990f43d2abfebc19a2282427b8a7b9fe73cb605a18d7e
- SHA512: 4ba70bde353f8636cf65f613fb55eac27b16c0fdca5ee44a6f241e22beb511d79c2c763cdd7230b032b077e41a6a08144e6ff54818db3db8e8c34e8e2595ee99

File 2
- Filesize: 160B
- MD5: 69e01c599950b5caf5cd7ec972f89682
- SHA1: 2d34ceced77c1f86417c00f706e06cc902b11e3b
- SHA256: b46da5e666a34856e6f9763f5bef2a4879b4d33f42ea1727be44a84e76fc8e5e
- SHA512: 48acf4f4b87eb21a255003a18ed572efb78d5c3ad90b4529bbb16dd32b53142c8f08fe4f567d29115e2ac1fb543f71c1b9ac3dc79cc14afda84c67f72ff11ba9