Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
114s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03/12/2022, 04:47
Static task
static1
Behavioral task
behavioral1
Sample
cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe
Resource
win10v2004-20220901-en
General
-
Target
cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe
-
Size
242KB
-
MD5
fe4311b404e699859ea561e5feb3e10e
-
SHA1
22556f60a83fd9db90f3b5b90daf890e1ae2b806
-
SHA256
cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b
-
SHA512
f540b6f44103a7e217fe2bf2d7a3159cf8b3241b890f8bd1571622b3508c66c1362b93044c0e66af5715d3aada720139c628dd0f5480fe31969156db29e458eb
-
SSDEEP
3072:FOWyECwLDiiviXUPbvSCl9PxHi7lkm6ZX8PwX6xO/FLZ+M7cestqkec/H0pJ8mf1:FuzwLDnSMbxZHIOX84Kxat+MYJP/l+1
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 912 rufi.exe -
Deletes itself 1 IoCs
pid Process 1632 cmd.exe -
Loads dropped DLL 2 IoCs
pid Process 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run rufi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run rufi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Efqiul = "C:\\Users\\Admin\\AppData\\Roaming\\Ifgiy\\rufi.exe" rufi.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1832 set thread context of 1632 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 28 -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\6B290672-00000001.eml:OECustomProperty WinMail.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe 912 rufi.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeSecurityPrivilege 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe Token: SeSecurityPrivilege 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe Token: SeSecurityPrivilege 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe Token: SeSecurityPrivilege 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe Token: SeSecurityPrivilege 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe Token: SeSecurityPrivilege 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe Token: SeSecurityPrivilege 1632 cmd.exe Token: SeSecurityPrivilege 1632 cmd.exe Token: SeSecurityPrivilege 1632 cmd.exe Token: SeSecurityPrivilege 1632 cmd.exe Token: SeSecurityPrivilege 1632 cmd.exe Token: SeSecurityPrivilege 1632 cmd.exe Token: SeSecurityPrivilege 1632 cmd.exe Token: SeManageVolumePrivilege 1144 WinMail.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1144 WinMail.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1144 WinMail.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1144 WinMail.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1832 wrote to memory of 912 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 27 PID 1832 wrote to memory of 912 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 27 PID 1832 wrote to memory of 912 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 27 PID 1832 wrote to memory of 912 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 27 PID 912 wrote to memory of 1256 912 rufi.exe 19 PID 912 wrote to memory of 1256 912 rufi.exe 19 PID 912 wrote to memory of 1256 912 rufi.exe 19 PID 912 wrote to memory of 1256 912 rufi.exe 19 PID 912 wrote to memory of 1256 912 rufi.exe 19 PID 912 wrote to memory of 1340 912 rufi.exe 18 PID 912 wrote to memory of 1340 912 rufi.exe 18 PID 912 wrote to memory of 1340 912 rufi.exe 18 PID 912 wrote to memory of 1340 912 rufi.exe 18 PID 912 wrote to memory of 1340 912 rufi.exe 18 PID 912 wrote to memory of 1384 912 rufi.exe 17 PID 912 wrote to memory of 1384 912 rufi.exe 17 PID 912 wrote to memory of 1384 912 rufi.exe 17 PID 912 wrote to memory of 1384 912 rufi.exe 17 PID 912 wrote to memory of 1384 912 rufi.exe 17 PID 912 wrote to memory of 1832 912 rufi.exe 25 PID 912 wrote to memory of 1832 912 rufi.exe 25 PID 912 wrote to memory of 1832 912 rufi.exe 25 PID 912 wrote to memory of 1832 912 rufi.exe 25 PID 912 wrote to memory of 1832 912 rufi.exe 25 PID 1832 wrote to memory of 1632 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 28 PID 1832 wrote to memory of 1632 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 28 PID 1832 wrote to memory of 1632 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 28 PID 1832 wrote to memory of 1632 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 28 PID 1832 wrote to memory of 1632 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 28 PID 1832 wrote to memory of 1632 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 28 PID 1832 wrote to memory of 1632 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 28 PID 1832 wrote to memory of 1632 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 28 PID 1832 wrote to memory of 1632 1832 cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe 28 PID 912 wrote to memory of 872 912 rufi.exe 29 PID 912 wrote to memory of 872 912 rufi.exe 29 PID 912 wrote to memory of 872 912 rufi.exe 29 PID 912 wrote to memory of 872 912 rufi.exe 29 PID 912 wrote to memory of 872 912 rufi.exe 29 PID 912 wrote to memory of 2012 912 rufi.exe 30 PID 912 wrote to memory of 2012 912 rufi.exe 30 PID 912 wrote to memory of 2012 912 rufi.exe 30 PID 912 wrote to memory of 2012 912 rufi.exe 30 PID 912 wrote to memory of 2012 912 rufi.exe 30 PID 912 wrote to memory of 1144 912 rufi.exe 31 PID 912 wrote to memory of 1144 912 rufi.exe 31 PID 912 wrote to memory of 1144 912 rufi.exe 31 PID 912 wrote to memory of 1144 912 rufi.exe 31 PID 912 wrote to memory of 1144 912 rufi.exe 31 PID 912 wrote to memory of 1108 912 rufi.exe 32 PID 912 wrote to memory of 1108 912 rufi.exe 32 PID 912 wrote to memory of 1108 912 rufi.exe 32 PID 912 wrote to memory of 1108 912 rufi.exe 32 PID 912 wrote to memory of 1108 912 rufi.exe 32 PID 912 wrote to memory of 752 912 rufi.exe 33 PID 912 wrote to memory of 752 912 rufi.exe 33 PID 912 wrote to memory of 752 912 rufi.exe 33 PID 912 wrote to memory of 752 912 rufi.exe 33 PID 912 wrote to memory of 752 912 rufi.exe 33 PID 912 wrote to memory of 1004 912 rufi.exe 34 PID 912 wrote to memory of 1004 912 rufi.exe 34 PID 912 wrote to memory of 1004 912 rufi.exe 34 PID 912 wrote to memory of 1004 912 rufi.exe 34 PID 912 wrote to memory of 1004 912 rufi.exe 34 PID 912 wrote to memory of 836 912 rufi.exe 35
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe"C:\Users\Admin\AppData\Local\Temp\cc4c5ce07f26dfd38a4dcc21e591c8ab6bdad9884959d2484ea0a8eab46e865b.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Users\Admin\AppData\Roaming\Ifgiy\rufi.exe"C:\Users\Admin\AppData\Roaming\Ifgiy\rufi.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:912
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0ef99324.bat"3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1340
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1256
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "343020632-785470017-15358480201065781552-1115254160-1389585127-1486184166-1436803432"1⤵PID:872
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2012
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1144
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:1108
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:752
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:1004
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:836
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:1728
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:1704
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
307B
MD5bbd213c55c44435e287761b9e40fb55c
SHA16fd14a584ef0839cd1228483c35d3084a63451b1
SHA256e8182e7d64466e1479f5fa4cf75c603acbb5b337d4ee0ee4198e54edc4bd5fc3
SHA5127cb673c8de9061d0c59430e1720af2ca0ef0114307778e910be35e3127b037db8e09854b24aa35a166b5c8e78da010c633333e1e71c6116feaa0e25c733532b9
-
Filesize
242KB
MD535a43546267ed7b6cd863c6528fb9a16
SHA1f93b56d4c2c7246a75ab987c0a50f63a48dc7660
SHA256087396a04a40a9bbfe3e5f2d6ada8286f00fff0b618f806df1ab61c9a2304f53
SHA512631d389c89e8539c7fb7eb7deb59cf43863e64b0bf2238db9781f23bd06d5a22fb8c36fa34903b1f8e6b8a5a51451520c6ed528d1c467300e78759a8ab9c2ebd
-
Filesize
242KB
MD535a43546267ed7b6cd863c6528fb9a16
SHA1f93b56d4c2c7246a75ab987c0a50f63a48dc7660
SHA256087396a04a40a9bbfe3e5f2d6ada8286f00fff0b618f806df1ab61c9a2304f53
SHA512631d389c89e8539c7fb7eb7deb59cf43863e64b0bf2238db9781f23bd06d5a22fb8c36fa34903b1f8e6b8a5a51451520c6ed528d1c467300e78759a8ab9c2ebd
-
Filesize
4KB
MD51f981c6e8956ad4eaac92a1398e05ae2
SHA17bca7f1a92c4e1852ae161ebda6f257ca0940d48
SHA2560471826c4952279ae8a5d26c85cea3491d00794e8c0bf59fd148e1b43622f18b
SHA512c830b9252a62bc061b856baf0559ca8086f369fc2c775991a0d918b5d899bc2bfe5b477ce4a4a7eb349685a02b7f54d5c88d7da4bb6c134e6fd0154067dec1e7
-
Filesize
242KB
MD535a43546267ed7b6cd863c6528fb9a16
SHA1f93b56d4c2c7246a75ab987c0a50f63a48dc7660
SHA256087396a04a40a9bbfe3e5f2d6ada8286f00fff0b618f806df1ab61c9a2304f53
SHA512631d389c89e8539c7fb7eb7deb59cf43863e64b0bf2238db9781f23bd06d5a22fb8c36fa34903b1f8e6b8a5a51451520c6ed528d1c467300e78759a8ab9c2ebd
-
Filesize
242KB
MD535a43546267ed7b6cd863c6528fb9a16
SHA1f93b56d4c2c7246a75ab987c0a50f63a48dc7660
SHA256087396a04a40a9bbfe3e5f2d6ada8286f00fff0b618f806df1ab61c9a2304f53
SHA512631d389c89e8539c7fb7eb7deb59cf43863e64b0bf2238db9781f23bd06d5a22fb8c36fa34903b1f8e6b8a5a51451520c6ed528d1c467300e78759a8ab9c2ebd