Analysis
max time kernel: 150s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 19:34
Static task: static1
Behavioral task: behavioral1
  Sample: adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f.dll
  Resource: win10v2004-20220812-en
General
Target: adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f.dll
Size: 23KB
MD5: 59856d1926c9f4846cc4efeac492acae
SHA1: 1cdc90969c610d9bf036a91e7ebfb878915f2664
SHA256: adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f
SHA512: e40097ec7dd46d404eb333d2d99d74a42a5cf1dd35bd5e4656d8ab4891bd54e7b47d435b18f21ed9108ee61ae9d597bb3e8fcc48088dab78a264e45a53dc784e
SSDEEP: 384:pYIp8RA0nHWX2I/LuE1iOLSgHu0OtjryMu2iFoNTlpRSIUtLDRw9s:p5qAEQuE1XLSgHV2jryMCmBpnYL12
Malware Config
Signatures

Sets DLL path for service in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "%SystemRoot%\\System32\\winmide32.dll" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "%SystemRoot%\\System32\\winmide32.dll" | svchost.exe

Sets service image path in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" | svchost.exe

Loads dropped DLL (1 IoC)
pid | Process
1108 | svchost.exe

Drops file in System32 directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\wins\wins.lib | rundll32.exe
File created | C:\Windows\SysWOW64\winmide32.dll | svchost.exe
File created | C:\Windows\SysWOW64\wins\wins.lib | svchost.exe
File created | C:\Windows\SysWOW64\winmide32.dll | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\winmide32.dll | rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1108 | svchost.exe
(all 64 IoCs are this same row)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1108 | svchost.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1108 | svchost.exe
(all 64 IoCs are this same row)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1520 wrote to memory of 688 | 1520 | rundll32.exe | 28
(this row occurs 7 times)
PID 1108 wrote to memory of 336 | 1108 | svchost.exe | 25
(all remaining IoCs are this same row)
Processes
- C:\Windows\system32\csrss.exe
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  PID: 336
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f.dll,#1
  PID: 1520
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f.dll,#1
    PID: 688
    Signatures:
    - Sets DLL path for service in the registry
    - Sets service image path in registry
    - Drops file in System32 directory
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  PID: 1108
  Signatures:
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 23KB
MD5: 59856d1926c9f4846cc4efeac492acae
SHA1: 1cdc90969c610d9bf036a91e7ebfb878915f2664
SHA256: adddfe33c6f6b1201aeac2907d07f777502398991c858b959d8309df337d2c0f
SHA512: e40097ec7dd46d404eb333d2d99d74a42a5cf1dd35bd5e4656d8ab4891bd54e7b47d435b18f21ed9108ee61ae9d597bb3e8fcc48088dab78a264e45a53dc784e