Analysis
max time kernel: 151s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 05:40
Static task: static1
Behavioral task: behavioral1
  Sample: c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
  Resource: win10v2004-20221111-en
General
Target: c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
Size: 288KB
MD5: 51ad8a661f099f67c9da952936065544
SHA1: 629b12f3ea32b4bd4aca247527b71f5b74335cf9
SHA256: c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c
SHA512: 56a0471a63f2558dcc6643933b6739af7b34ae73ee040a8fdea33416e4ff015a3da0259371d3ea4c6f289c34629060ad23e0d9741d87a10362281cf2aae81581
SSDEEP: 6144:hzi7QZJReclOa+8/iNoC8r6axpu4+pVRo8X1NL:hzsaJReclOwiWvuxVRo8ll
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 17 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\ = "Application" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\DefaultIcon\ = "%1" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\DefaultIcon | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\kmb.exe\" -a \"%1\" %*" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start | kmb.exe

Disables taskbar notifications via registry modification

Executes dropped EXE (1 IoCs)
pid | Process
1988 | kmb.exe

Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Deletes itself (1 IoCs)
pid | Process
1988 | kmb.exe

Loads dropped DLL (2 IoCs)
pid | Process
784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | kmb.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | explorer.exe

Modifies registry class (41 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" | kmb.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\ = "Application" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\Content Type = "application/x-msdownload" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\DefaultIcon\ = "%1" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\DefaultIcon | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\runas | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\runas\command | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\DefaultIcon | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\start | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\ = "exefile" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\Content Type = "application/x-msdownload" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\open | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\kmb.exe\" -a \"%1\" %*" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\start\command | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command | kmb.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\open\command | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start | kmb.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\DefaultIcon\ = "%1" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | kmb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\kmb.exe\" -a \"%1\" %*" | kmb.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
1988 | kmb.exe
1988 | kmb.exe
1988 | kmb.exe
1988 | kmb.exe
1988 | kmb.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: 33 | 1352 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1352 | AUDIODG.EXE
Token: 33 | 1352 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1352 | AUDIODG.EXE
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe
Token: SeShutdownPrivilege | 1708 | explorer.exe

Suspicious use of FindShellTrayWindow (30 IoCs)
pid | Process
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1988 | kmb.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1988 | kmb.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe

Suspicious use of SendNotifyMessage (16 IoCs)
pid | Process
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1708 | explorer.exe
1988 | kmb.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 784 wrote to memory of 1988 | 784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe | 26
PID 784 wrote to memory of 1988 | 784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe | 26
PID 784 wrote to memory of 1988 | 784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe | 26
PID 784 wrote to memory of 1988 | 784 | c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe | 26
Processes
C:\Users\Admin\AppData\Local\Temp\c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 784

    C:\Users\Admin\AppData\Local\kmb.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\kmb.exe" -gav C:\Users\Admin\AppData\Local\Temp\c345188068f9782668cbaa5ab96e709755dc9a71d3007c0b36c92ddf832b8d3c.exe
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1988

C:\Windows\explorer.exe (level 1)
Command line: explorer.exe
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1708

C:\Windows\system32\AUDIODG.EXE (level 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x4d8
- Suspicious use of AdjustPrivilegeToken
PID: 1352
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 288KB
MD5: d7058298ed4e2af78254ddc2935395ff
SHA1: 1e76fbd764255d662f295df2b38d9b33cd3d3c14
SHA256: f438dadeb46b67ccc82f72ffe34f59ce82a65f115eec39e3826a83c0960ba9c3
SHA512: 6267ec1a5debe08e8986f3c04f99966729630fb5a12608976fa5c233927a67885390c5504a411f0cb52e4aa86293da7af2e9e7889d4334e931aa522f1526e20d