Analysis
- max time kernel: 226s
- max time network: 333s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03/12/2022, 14:35
Static task: static1

Behavioral task: behavioral1
- Sample: c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
- Resource: win10v2004-20220812-en
General
- Target: c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe
- Size: 70KB
- MD5: 4a9e537690c47b80219ef48d07dfcd86
- SHA1: 2357224b7f59940c77015ca600e02615b5128cfc
- SHA256: c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14
- SHA512: 55ec63e95f7760bd313395e32bae7ed9e7475a0e7e39f5d08b255c6ffd71f2afddaaa27fd38c70f53d90b2ab628fa4ca74d3ab736dc82aa992431d80744b7782
- SSDEEP: 768:QkpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvOR:tkQJcqwmIfj+ECJG/kvO
Malware Config
Signatures
- Grants admin privileges (1 TTP)
  Signature description: uses net.exe to modify the user's privileges. Note that every net.exe command line recorded in the process tree below (net user, net localgroup administrators, net user Admin, net group ...) is a query with no /add or /delete argument, so in this run the signature is a heuristic hit on net.exe usage, not evidence that an account or group membership was actually changed.
- Executes dropped EXE (1 IoC)
  PID 896, wmimgmt.exe
- Loads dropped DLL (2 IoCs)
  PID 1940, c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe (two entries)
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (reg.exe)
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 1872, tasklist.exe
- Gathers network information (2 TTPs, 1 IoC)
  Uses a command-line utility to view the network configuration.
  PID 928, ipconfig.exe
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
  PID 1992, systeminfo.exe
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  PID 1940, c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe: SeBackupPrivilege (7 entries), SeRestorePrivilege (6 entries)
  PID 1872, tasklist.exe: SeDebugPrivilege (1 entry)
  PID 896, wmimgmt.exe: SeBackupPrivilege (6 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each parent-to-child write is recorded four times in the report; the 16 distinct pairs are listed once below with the repeat count. The list stops at the 64-entry cap, so cmd.exe children spawned after PID 1604 in the process tree do not appear here. "sample" is c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe.

  source PID | source process | target PID | procid_target | entries
  1940 | sample | 896 | 28 | 4
  896 | wmimgmt.exe | 1704 | 29 | 4
  1704 | cmd.exe | 732 | 31 | 4
  1704 | cmd.exe | 1468 | 32 | 4
  1704 | cmd.exe | 816 | 33 | 4
  816 | net.exe | 300 | 34 | 4
  1704 | cmd.exe | 884 | 35 | 4
  884 | net.exe | 620 | 36 | 4
  1704 | cmd.exe | 1872 | 37 | 4
  1704 | cmd.exe | 1992 | 39 | 4
  1704 | cmd.exe | 840 | 41 | 4
  1704 | cmd.exe | 1516 | 42 | 4
  1704 | cmd.exe | 1712 | 43 | 4
  1704 | cmd.exe | 1564 | 44 | 4
  1704 | cmd.exe | 1284 | 45 | 4
  1704 | cmd.exe | 1604 | 46 | 4
Processes

Indentation shows the parent/child relationship (depth 1 to 5 in the report). Each entry gives the image path, the recorded command line, the PID, and the signatures attached to that process.

C:\Users\Admin\AppData\Local\Temp\c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe (PID 1940)
  cmd: "C:\Users\Admin\AppData\Local\Temp\c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\Application Data\wmimgmt.exe (PID 896)
    cmd: "C:\ProgramData\Application Data\wmimgmt.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1704)
      cmd: C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\findstr.exe (PID 732)
        cmd: findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt

      C:\Windows\SysWOW64\chcp.com (PID 1468)
        cmd: chcp

      C:\Windows\SysWOW64\net.exe (PID 816)
        cmd: net user
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 300)
          cmd: C:\Windows\system32\net1 user

      C:\Windows\SysWOW64\net.exe (PID 884)
        cmd: net localgroup administrators
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 620)
          cmd: C:\Windows\system32\net1 localgroup administrators

      C:\Windows\SysWOW64\tasklist.exe (PID 1872)
        cmd: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\systeminfo.exe (PID 1992)
        cmd: systeminfo
        - Gathers system information

      C:\Windows\SysWOW64\reg.exe (PID 840)
        cmd: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"

      C:\Windows\SysWOW64\find.exe (PID 1516)
        cmd: find "REG_"

      C:\Windows\SysWOW64\reg.exe (PID 1712)
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office

      C:\Windows\SysWOW64\reg.exe (PID 1564)
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo

      C:\Windows\SysWOW64\reg.exe (PID 1284)
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo

      C:\Windows\SysWOW64\reg.exe (PID 1604)
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo

      C:\Windows\SysWOW64\reg.exe (PID 1520)
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo

      C:\Windows\SysWOW64\reg.exe (PID 2008)
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo

      C:\Windows\SysWOW64\reg.exe (PID 564)
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo

      C:\Windows\SysWOW64\reg.exe (PID 1652)
        cmd: reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s

      C:\Windows\SysWOW64\reg.exe (PID 1028)
        cmd: reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
        - Accesses Microsoft Outlook accounts

      C:\Windows\SysWOW64\reg.exe (PID 892)
        cmd: reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s

      C:\Windows\SysWOW64\reg.exe (PID 792)
        cmd: reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s

      C:\Windows\SysWOW64\net.exe (PID 1540)
        cmd: net user Admin
        C:\Windows\SysWOW64\net1.exe (PID 1360)
          cmd: C:\Windows\system32\net1 user Admin

      C:\Windows\SysWOW64\net.exe (PID 1412)
        cmd: net user Admin /domain
        C:\Windows\SysWOW64\net1.exe (PID 1740)
          cmd: C:\Windows\system32\net1 user Admin /domain

      C:\Windows\SysWOW64\net.exe (PID 2036)
        cmd: net group
        C:\Windows\SysWOW64\net1.exe (PID 1612)
          cmd: C:\Windows\system32\net1 group

      C:\Windows\SysWOW64\net.exe (PID 944)
        cmd: net group /domain
        C:\Windows\SysWOW64\net1.exe (PID 816)
          cmd: C:\Windows\system32\net1 group /domain

      C:\Windows\SysWOW64\net.exe (PID 1368)
        cmd: net group "domain admins"
        C:\Windows\SysWOW64\net1.exe (PID 884)
          cmd: C:\Windows\system32\net1 group "domain admins"

      C:\Windows\SysWOW64\net.exe (PID 740)
        cmd: net group "domain admins" /domain
        C:\Windows\SysWOW64\net1.exe (PID 1228)
          cmd: C:\Windows\system32\net1 group "domain admins" /domain

      C:\Windows\SysWOW64\net.exe (PID 1736)
        cmd: net group "domain computers"
        C:\Windows\SysWOW64\net1.exe (PID 1616)
          cmd: C:\Windows\system32\net1 group "domain computers"

      C:\Windows\SysWOW64\net.exe (PID 1508)
        cmd: net group "domain computers" /domain
        C:\Windows\SysWOW64\net1.exe (PID 1992)
          cmd: C:\Windows\system32\net1 group "domain computers" /domain

      C:\Windows\SysWOW64\net.exe (PID 1516)
        cmd: net group "domain controllers"
        C:\Windows\SysWOW64\net1.exe (PID 1712)
          cmd: C:\Windows\system32\net1 group "domain controllers"

      C:\Windows\SysWOW64\net.exe (PID 1596)
        cmd: net group "domain controllers" /domain
        C:\Windows\SysWOW64\net1.exe (PID 1560)
          cmd: C:\Windows\system32\net1 group "domain controllers" /domain

      C:\Windows\SysWOW64\ipconfig.exe (PID 928)
        cmd: ipconfig /all
        - Gathers network information

Note that PIDs are reused within the run (816, 884, 1516, 1712 and 1992 each appear for two different processes), so the PID alone does not identify a process in this report; use PID plus parent plus command line.
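The process tree above is a textbook host-discovery and account-store reconnaissance burst: one cmd.exe (PID 1704, running ghi.bat) fans out into net, tasklist, systeminfo, reg query and ipconfig, and the reg queries go after mail and IM account keys. The Python below is an added detection example, not tria.ge output and not the sample's own code. It runs four checks over a constructed list of Sysmon-style process-creation events modelled on this report (pids, images and command lines copied from the tree; the benign explorer-spawned ipconfig with PIDs 2000/3001 is invented as a control): a discovery-tool burst keyed on the parent PID, reg.exe reads of the account-store keys queried here, net.exe invocations that actually modify accounts or groups (so the "Grants admin privileges" signature can be confirmed or dismissed), and execution from under C:\ProgramData. The event field names, the tool set and the threshold of four distinct tools are assumptions; real deployments would also apply a time window, which the page does not provide.

```python
"""Triage checks for a discovery / account-store recon burst (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events; PIDs, images and command
# lines are taken from the tria.ge process tree, the last event is a benign control.
EVENTS: List[Dict] = [
    {"pid": 1940, "ppid": 0,    "image": r"C:\Users\Admin\AppData\Local\Temp\c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14.exe"'},
    {"pid": 896,  "ppid": 1940, "image": r"C:\ProgramData\Application Data\wmimgmt.exe",
     "cmdline": r'"C:\ProgramData\Application Data\wmimgmt.exe"'},
    {"pid": 1704, "ppid": 896,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat"},
    {"pid": 732,  "ppid": 1704, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": r'findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt'},
    {"pid": 816,  "ppid": 1704, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net user"},
    {"pid": 884,  "ppid": 1704, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net localgroup administrators"},
    {"pid": 1872, "ppid": 1704, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 1992, "ppid": 1704, "image": r"C:\Windows\SysWOW64\systeminfo.exe", "cmdline": "systeminfo"},
    {"pid": 1028, "ppid": 1704, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s'},
    {"pid": 892,  "ppid": 1704, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s'},
    {"pid": 1368, "ppid": 1704, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": 'net group "domain admins"'},
    {"pid": 928,  "ppid": 1704, "image": r"C:\Windows\SysWOW64\ipconfig.exe", "cmdline": "ipconfig /all"},
    # Constructed benign control: a single ipconfig from an explorer.exe parent is not a burst.
    {"pid": 3001, "ppid": 2000, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
]

# Assumed tool set; extend to whoami/nltest/qwinsta etc. as your telemetry warrants.
DISCOVERY_TOOLS = {"net.exe", "net1.exe", "tasklist.exe", "systeminfo.exe", "ipconfig.exe", "reg.exe"}

# Registry paths that hold mail / IM account data, taken from the reg queries in the tree.
ACCOUNT_STORE_KEYS = [
    r"Internet Account Manager\Accounts",
    r"Office\Outlook\OMI Account Manager\Accounts",
    r"Mirabilis\ICQ",
    r"Microsoft\MSNMessenger",
]

# net user/group/localgroup with /add or /delete actually changes accounts; plain queries do not.
NET_MODIFY_RE = re.compile(r"\b(user|group|localgroup)\b.*\s/(add|delete|del)\b", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-case basename of an image path (Windows separators)."""
    return path.rsplit("\\", 1)[-1].lower()


def discovery_bursts(events: List[Dict], threshold: int = 4) -> Dict[int, List[str]]:
    """Parents that spawned at least `threshold` distinct discovery tools."""
    by_parent = defaultdict(set)
    for e in events:
        name = image_name(e["image"])
        if name in DISCOVERY_TOOLS:
            by_parent[e["ppid"]].add(name)
    return {ppid: sorted(tools) for ppid, tools in by_parent.items() if len(tools) >= threshold}


def account_store_queries(events: List[Dict]) -> List[Tuple[int, str]]:
    """(pid, key) for every reg.exe command line touching an account-store key."""
    hits = []
    for e in events:
        if image_name(e["image"]) != "reg.exe":
            continue
        for key in ACCOUNT_STORE_KEYS:
            if key.lower() in e["cmdline"].lower():
                hits.append((e["pid"], key))
    return hits


def net_modifications(events: List[Dict]) -> List[int]:
    """PIDs of net.exe/net1.exe runs that add or delete accounts or group members."""
    return [e["pid"] for e in events
            if image_name(e["image"]) in ("net.exe", "net1.exe") and NET_MODIFY_RE.search(e["cmdline"])]


def programdata_execution(events: List[Dict]) -> List[int]:
    """PIDs of images started from under C:\\ProgramData. On Vista and later
    'C:\\ProgramData\\Application Data' is normally a compatibility junction back
    to C:\\ProgramData, so a prefix match covers both spellings of the dropped path."""
    return [e["pid"] for e in events if e["image"].lower().startswith("c:\\programdata\\")]


def triage(events: List[Dict]) -> Dict[str, object]:
    """Run all four checks and return the findings keyed by check name."""
    return {
        "discovery_bursts": discovery_bursts(events),
        "account_store_queries": account_store_queries(events),
        "net_modifications": net_modifications(events),
        "programdata_execution": programdata_execution(events),
    }


if __name__ == "__main__":
    for check, result in triage(EVENTS).items():
        print(f"{check}: {result}")
```

Against the constructed events the burst check fires for parent PID 1704 with five distinct tools, the account-store check returns the Outlook and ICQ queries, the ProgramData check returns wmimgmt.exe (PID 896), and the net-modification check returns nothing, which is the evidence needed to downgrade the "Grants admin privileges" signature for this run.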
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 70KB (this entry appears four times in the report with identical hashes, which match the submitted sample)
  MD5: 4a9e537690c47b80219ef48d07dfcd86
  SHA1: 2357224b7f59940c77015ca600e02615b5128cfc
  SHA256: c6d330ac8af0cd12af96411868f7a2a12bc38abb6b184543ca13d89afdb57b14
  SHA512: 55ec63e95f7760bd313395e32bae7ed9e7475a0e7e39f5d08b255c6ffd71f2afddaaa27fd38c70f53d90b2ab628fa4ca74d3ab736dc82aa992431d80744b7782
- Filesize: 49B
  MD5: 5e4d7b79ea0658b667c35146ae177b94
  SHA1: 2b2d107a5f5620ec36bad720ac0783939aeb437d
  SHA256: 659963ec47461993584e081568c2a9a21705b7180da9d4c9ca7c3dfdc7ad8c33
  SHA512: ce163c916598c53192cabde8643d1c9bd910d3b7b113b3a15ee924fa03a5f0ee9f5c078adaad60053db000e7b2872c499dc58e250d95adebe9244489044e6d32
- Filesize: 4KB
  MD5: b91bc08162fbc3445c5424b77183b807
  SHA1: 52b2a60db40cdcc655648a65210ed26219c033e1
  SHA256: 7cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a
  SHA512: 2f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35