Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 151s
  max time network: 154s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 04/12/2022, 02:01
Static task
  static1

Behavioral task
  behavioral1
  Sample: a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll
  Resource: win7-20221111-en

Behavioral task
  behavioral2
  Sample: a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll
  Resource: win10v2004-20220812-en
General
  Target: a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll
  Size: 180KB
  MD5: f9a0fd9594d9b8573c53772bc15d11e0
  SHA1: 492c0faad24bcd6ca6a362edd2f21f624d1645bd
  SHA256: a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8
  SHA512: 4e4a1a064c5518005647891576af1564db473f6d6b7335fcb5386dcb6bc581eadfd0a300129fbb545bbf2f5ed31cfcfd9e42c88b5b8f532b9197b297d3e75d3f
  SSDEEP: 3072:en4cV8gf2u41Z5tKlH7CzACLtRk3OwquXvz7+IGqEJuj:M4y8gOl2xMA2X5uX7VGjJuj
Malware Config
Signatures
Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  description      ioc                                                                                                                  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"  svchost.exe

Executes dropped EXE  (2 IoCs)
  pid   process
  1032  rundll32Srv.exe
  1176  WaterMark.exe

UPX-packed resources  (yara rule: upx)
  resource                                                               yara_rule
  behavioral1/files/0x000b00000001231b-56.dat                            upx
  behavioral1/files/0x000b00000001231b-57.dat                            upx
  behavioral1/files/0x000b00000001231b-59.dat                            upx
  behavioral1/memory/1032-62-0x0000000000400000-0x000000000045A000-memory.dmp  upx
  behavioral1/files/0x000b00000001231b-63.dat                            upx
  behavioral1/files/0x001b00000001249b-64.dat                            upx
  behavioral1/memory/1032-68-0x0000000000400000-0x000000000045A000-memory.dmp  upx
  behavioral1/files/0x001b00000001249b-67.dat                            upx
  behavioral1/files/0x001b00000001249b-65.dat                            upx
  behavioral1/files/0x001b00000001249b-69.dat                            upx
  behavioral1/memory/1176-79-0x0000000000400000-0x000000000045A000-memory.dmp  upx
  behavioral1/memory/1176-197-0x0000000000400000-0x000000000045A000-memory.dmp  upx

Loads dropped DLL  (4 IoCs)
  pid   process
  1788  rundll32.exe
  1788  rundll32.exe
  1032  rundll32Srv.exe
  1032  rundll32Srv.exe

Drops file in System32 directory  (3 IoCs)
  description                   ioc                                   process
  File created                  C:\Windows\SysWOW64\dmlconf.dat       svchost.exe
  File opened for modification  C:\Windows\SysWOW64\dmlconf.dat       svchost.exe
  File created                  C:\Windows\SysWOW64\rundll32Srv.exe   rundll32.exe

Drops file in Program Files directory  (10 IoCs)
  description                   ioc                                             process
  File opened for modification  C:\Program Files\7-Zip\7-zip32.dll              svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7z.dll                   svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe                 svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\px758E.tmp     rundll32Srv.exe
  File created                  C:\Program Files (x86)\Microsoft\WaterMark.exe  rundll32Srv.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe  rundll32Srv.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\WaterMark.exe  svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7-zip.dll                svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe                   svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe                  svchost.exe

Suspicious behavior: EnumeratesProcesses  (27 IoCs)
  pid   process        occurrences
  1176  WaterMark.exe  8
  1820  svchost.exe    19

Suspicious use of AdjustPrivilegeToken  (4 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   1176  WaterMark.exe
  Token: SeDebugPrivilege   1820  svchost.exe
  Token: SeDebugPrivilege   1176  WaterMark.exe
  Token: SeDebugPrivilege   680   svchost.exe

Suspicious use of WriteProcessMemory  (64 IoCs; identical rows collapsed, with the number of occurrences)
  source pid  source process    wrote to memory of (target pid)  procid_target  occurrences
  940         rundll32.exe      1788                             28             7
  1788        rundll32.exe      1032                             29             4
  1032        rundll32Srv.exe   1176                             30             4
  1176        WaterMark.exe     680                              31             10
  1176        WaterMark.exe     1820                             32             10
  1820        svchost.exe       260                              7              5
  1820        svchost.exe       332                              6              5
  1820        svchost.exe       368                              5              5
  1820        svchost.exe       380                              4              5
  1820        svchost.exe       416                              3              5
  1820        svchost.exe       464                              2              4
Processes  (indentation shows the parent/child depth; image  |  command line  |  PID)
  C:\Windows\system32\lsass.exe  |  C:\Windows\system32\lsass.exe  |  PID:472
  C:\Windows\system32\services.exe  |  C:\Windows\system32\services.exe  |  PID:464
    C:\Windows\System32\svchost.exe  |  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  |  PID:752
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k RPCSS  |  PID:668
    C:\Windows\System32\svchost.exe  |  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  |  PID:800
      C:\Windows\system32\Dwm.exe  |  "C:\Windows\system32\Dwm.exe"  |  PID:1304
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k netsvcs  |  PID:876
      \\?\C:\Windows\system32\wbem\WMIADAP.EXE  |  wmiadap.exe /F /T /R  |  PID:1704
    C:\Windows\System32\spoolsv.exe  |  C:\Windows\System32\spoolsv.exe  |  PID:1008
    C:\Windows\system32\taskhost.exe  |  "taskhost.exe"  |  PID:1216
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork  |  PID:1036
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation  |  PID:908
    C:\Windows\system32\sppsvc.exe  |  C:\Windows\system32\sppsvc.exe  |  PID:748
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k NetworkService  |  PID:108
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k LocalService  |  PID:832
    C:\Windows\system32\svchost.exe  |  C:\Windows\system32\svchost.exe -k DcomLaunch  |  PID:588
  C:\Windows\system32\winlogon.exe  |  winlogon.exe  |  PID:416
  C:\Windows\system32\csrss.exe  |  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  |  PID:380
  C:\Windows\system32\wininit.exe  |  wininit.exe  |  PID:368
    C:\Windows\system32\lsm.exe  |  C:\Windows\system32\lsm.exe  |  PID:480
  C:\Windows\system32\csrss.exe  |  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  |  PID:332
  C:\Windows\System32\smss.exe  |  \SystemRoot\System32\smss.exe  |  PID:260
  C:\Windows\system32\wbem\wmiprvse.exe  |  C:\Windows\system32\wbem\wmiprvse.exe  |  PID:1972
  C:\Windows\Explorer.EXE  |  C:\Windows\Explorer.EXE  |  PID:1376
    C:\Windows\system32\rundll32.exe  |  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll,#1  |  PID:940
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe  |  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a95bd73e6a5d85b0917df4e6ce4c407c6a9b677e9d3da2a998b0de804e91c2c8.dll,#1  |  PID:1788
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32Srv.exe  |  C:\Windows\SysWOW64\rundll32Srv.exe  |  PID:1032
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Microsoft\WaterMark.exe  |  "C:\Program Files (x86)\Microsoft\WaterMark.exe"  |  PID:1176
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\svchost.exe  |  C:\Windows\system32\svchost.exe  |  PID:680
              - Modifies WinLogon for persistence
              - Drops file in System32 directory
              - Drops file in Program Files directory
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\svchost.exe  |  C:\Windows\system32\svchost.exe  |  PID:1820
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
  Dropped file  (listed 8 times in the report, each entry with identical size and hashes)
    Filesize: 90KB
    MD5: dba1231fa077c41836df91398093d5a8
    SHA1: 9bd1adff712907f1cbff38194e7229af5d9b2938
    SHA256: 10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a
    SHA512: ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f