Analysis
- max time kernel: 151s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 04/12/2022, 01:55
Static task: static1
Behavioral task: behavioral1
  Sample: c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966.dll
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966.dll
  Resource: win10v2004-20220901-en
General
- Target: c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966.dll
- Size: 472KB
- MD5: eeaac30a1688f59236aa5127644d6cc0
- SHA1: 61008c2b82ea846993d526daa0e85981b0583239
- SHA256: c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966
- SHA512: 21ae16d90248bcd8a94a4953661b86346c9daaaf63e71afbbd6bc600e040630bedca40620e9449b423f7c72e6fa52ae69fd0156109a985991b62b54dbd3c1bcb
- SSDEEP: 12288:jehnaNPpSVZmNxRCwnwm3W3OHIIf53VO:jeh0PpS6NxNnwYeOHXD
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2040 | rundll32Srv.exe
  436 | WaterMark.exe
- Packed resources (yara_rule: upx)
  resource | yara_rule
  behavioral1/files/0x000b00000001232f-56.dat | upx
  behavioral1/files/0x000b00000001232f-57.dat | upx
  behavioral1/files/0x000b00000001232f-59.dat | upx
  behavioral1/memory/2040-65-0x0000000000400000-0x000000000045A000-memory.dmp | upx
  behavioral1/files/0x000b00000001232f-63.dat | upx
  behavioral1/files/0x0008000000012750-66.dat | upx
  behavioral1/files/0x0008000000012750-67.dat | upx
  behavioral1/files/0x0008000000012750-69.dat | upx
  behavioral1/files/0x0008000000012750-70.dat | upx
  behavioral1/memory/436-80-0x0000000000400000-0x000000000045A000-memory.dmp | upx
  behavioral1/memory/436-215-0x0000000000400000-0x000000000045A000-memory.dmp | upx
- Loads dropped DLL (4 IoCs)
  pid | Process
  1652 | rundll32.exe
  1652 | rundll32.exe
  2040 | rundll32Srv.exe
  2040 | rundll32Srv.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File created | C:\Windows\SysWOW64\rundll32Srv.exe | rundll32.exe
- Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | svchost.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\px13D0.tmp | rundll32Srv.exe
  File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32Srv.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32Srv.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1188 | 1652 | WerFault.exe | 28
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid | Process | events
  436 | WaterMark.exe | 8
  1680 | svchost.exe | 19
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1188 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 436 | WaterMark.exe
  Token: SeDebugPrivilege | 1680 | svchost.exe
  Token: SeDebugPrivilege | 1652 | rundll32.exe
  Token: SeDebugPrivilege | 1188 | WerFault.exe
  Token: SeDebugPrivilege | 436 | WaterMark.exe
  Token: SeDebugPrivilege | 2036 | svchost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | events
  PID 1320 wrote to memory of 1652 | 1320 | rundll32.exe | 28 | 7
  PID 1652 wrote to memory of 2040 | 1652 | rundll32.exe | 29 | 4
  PID 1652 wrote to memory of 1188 | 1652 | rundll32.exe | 30 | 4
  PID 2040 wrote to memory of 436 | 2040 | rundll32Srv.exe | 31 | 4
  PID 436 wrote to memory of 2036 | 436 | WaterMark.exe | 32 | 10
  PID 436 wrote to memory of 1680 | 436 | WaterMark.exe | 33 | 10
  PID 1680 wrote to memory of 260 | 1680 | svchost.exe | 26 | 5
  PID 1680 wrote to memory of 332 | 1680 | svchost.exe | 25 | 5
  PID 1680 wrote to memory of 368 | 1680 | svchost.exe | 24 | 5
  PID 1680 wrote to memory of 384 | 1680 | svchost.exe | 23 | 5
  PID 1680 wrote to memory of 420 | 1680 | svchost.exe | 3 | 5
Processes (image | command line | PID; indentation shows parent/child nesting)
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 480
- C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID 472
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID 656
  - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID 800
    - C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1200
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID 276
  - C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1112
  - C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID 304
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID 1016
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID 1032
  - C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 328
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID 864
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID 836
  - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID 736
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID 576
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID 420
- C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID 488
- C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | PID 1976
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID 1716
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1248
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966.dll,#1 | PID 1320
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966.dll,#1 | PID 1652
      signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32Srv.exe | C:\Windows\SysWOW64\rundll32Srv.exe | PID 2040
        signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID 436
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 2036
            signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 1680
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 228 | PID 1188
        signatures: Program crash; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 384
- C:\Windows\system32\wininit.exe | wininit.exe | PID 368
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 332
- C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID 260
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 90KB
  MD5: dba1231fa077c41836df91398093d5a8
  SHA1: 9bd1adff712907f1cbff38194e7229af5d9b2938
  SHA256: 10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a
  SHA512: ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f