Analysis
- max time kernel: 153s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 04/12/2022, 02:23
Static task: static1
Behavioral task: behavioral1
- Sample: 4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02.dll
- Resource: win10v2004-20220812-en
General
- Target: 4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02.dll
- Size: 180KB
- MD5: b484124d84114eefed6e32e5b97de8a0
- SHA1: 984c28db719cc975ad77f4e431e919b3cc7fc912
- SHA256: 4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02
- SHA512: 438acc48ff2784f164ef49e33e5539fcd6d13b38289cac644f7339b9bf3a0f989e8d472c01fb6078e1b343a1ca90bf85322d4587bdd689aeb5c7e97422b31c88
- SSDEEP: 3072:Kn4cV8gf2u41Z5tKl4xoaePShY+dWvVJQTUsqPa7sn3Dvo:w4y8gOl2dznvUIxa7UDvo
Malware Config
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  2036 | rundll32Srv.exe
  1576 | WaterMark.exe

- yara_rule upx (12 resources)
  resource | yara_rule
  behavioral1/files/0x0007000000005c50-57.dat | upx
  behavioral1/files/0x0007000000005c50-58.dat | upx
  behavioral1/files/0x0007000000005c50-60.dat | upx
  behavioral1/files/0x0007000000005c50-61.dat | upx
  behavioral1/files/0x000a0000000122cc-62.dat | upx
  behavioral1/files/0x000a0000000122cc-63.dat | upx
  behavioral1/memory/2036-66-0x0000000000400000-0x000000000045B000-memory.dmp | upx
  behavioral1/files/0x000a0000000122cc-65.dat | upx
  behavioral1/memory/1576-67-0x0000000000400000-0x000000000045B000-memory.dmp | upx
  behavioral1/files/0x000a0000000122cc-68.dat | upx
  behavioral1/memory/1576-78-0x0000000000400000-0x000000000045B000-memory.dmp | upx
  behavioral1/memory/1576-192-0x0000000000400000-0x000000000045B000-memory.dmp | upx

- Loads dropped DLL (4 IoCs)
  pid | Process
  1260 | rundll32.exe
  1260 | rundll32.exe
  2036 | rundll32Srv.exe
  2036 | rundll32Srv.exe

- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File created | C:\Windows\SysWOW64\rundll32Srv.exe | rundll32.exe
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe

- Drops file in Program Files directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft\px5BD7.tmp | rundll32Srv.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip.dll | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7z.dll | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | svchost.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | svchost.exe
  File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32Srv.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | rundll32Srv.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | svchost.exe

- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid | Process | events
  1576 | WaterMark.exe | 8
  1700 | svchost.exe | 17

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1576 | WaterMark.exe
  Token: SeDebugPrivilege | 1700 | svchost.exe
  Token: SeDebugPrivilege | 1576 | WaterMark.exe
  Token: SeDebugPrivilege | 1416 | svchost.exe

- Suspicious use of WriteProcessMemory (64 IoCs; identical events collapsed into the "events" column)
  description | pid | Process | procid_target | events
  PID 1488 wrote to memory of 1260 | 1488 | rundll32.exe | 27 | 7
  PID 1260 wrote to memory of 2036 | 1260 | rundll32.exe | 28 | 4
  PID 2036 wrote to memory of 1576 | 2036 | rundll32Srv.exe | 29 | 4
  PID 1576 wrote to memory of 1416 | 1576 | WaterMark.exe | 30 | 10
  PID 1576 wrote to memory of 1700 | 1576 | WaterMark.exe | 31 | 10
  PID 1700 wrote to memory of 260 | 1700 | svchost.exe | 7 | 5
  PID 1700 wrote to memory of 332 | 1700 | svchost.exe | 6 | 5
  PID 1700 wrote to memory of 368 | 1700 | svchost.exe | 5 | 5
  PID 1700 wrote to memory of 376 | 1700 | svchost.exe | 4 | 5
  PID 1700 wrote to memory of 416 | 1700 | svchost.exe | 3 | 5
  PID 1700 wrote to memory of 460 | 1700 | svchost.exe | 2 | 4
Processes (tree; indentation shows parent/child, each entry is image path | command line | PID, with matched signatures beneath)

- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 476
- C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID 460
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID 1028
  - C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID 1128
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID 1816
  - C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1228
  - C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 272
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID 300
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID 868
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID 844
  - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID 792
  - C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID 744
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID 656
  - C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID 580
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID 416
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 376
- C:\Windows\system32\wininit.exe | wininit.exe | PID 368
  - C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID 484
- C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 332
- C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID 260
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1352
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02.dll,#1 | PID 1488
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a5da1b9494470a4e3c88894e294104c5437df989456b1209764a5b444652d02.dll,#1 | PID 1260
      signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32Srv.exe | C:\Windows\SysWOW64\rundll32Srv.exe | PID 2036
        signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID 1576
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 1416
            signatures: Modifies WinLogon for persistence; Drops file in System32 directory; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 1700
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID 2000
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1316
Network
MITRE ATT&CK Enterprise v6
Downloads (8 entries, all with the same hashes)
- Filesize: 90KB
- MD5: 91b07c6f70654a26ca1cd8cde6fb2a7e
- SHA1: 789629859ed76191432fd7ab40cfa0487b580a6e
- SHA256: 37417b870c644d70c09c773b828dbb451e33d4e74df2f66d9698ae090d240d15
- SHA512: 077b62709e40c66304429acae5cccb953affa59791f2139d0b0e3e8a4610d38aa5dd6a44d9c857220245a9e746fb980a5dd0966d8b2795313ca7b6deeafd1dd2